PTAB

IPR2015-01405

Finjan Holdings Inc v. Sophos Inc


1. Case Identification

2. Patent Overview

  • Title: Behavioral-Based Host Intrusion Prevention System
  • Brief Description: The ’218 patent discloses a hybrid malware detection system. The system performs a behavioral analysis by monitoring an executing computer process for specific behaviors ("genes"), comparing collected behaviors to predetermined malicious collections ("phenotypes"), and triggering a subsequent content analysis if the comparison indicates a sufficient confidence level of malicious activity.

3. Grounds for Unpatentability

Ground 1: Claims 1-20 are obvious over Lee and Cooley, with Spurlock or Tuvell for certain dependent claims.

  • Prior Art Relied Upon: Lee (Patent 7,809,670), Cooley (Patent 8,171,545), Spurlock (Patent 7,917,955), and Tuvell (Application # 2007/0240217).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Lee discloses a model-based behavioral analysis system that meets most limitations of independent claims 1 and 12. Lee’s system monitors the runtime behavior of an application, captures a series of events (the claimed "genes"), and compares this sequence to a knowledge base of representative behavior patterns (the claimed "phenotypes") to classify the application. Lee also discloses calculating "similarity distances" to rank the likelihood that an application belongs to a known malware family. Petitioner contended that Cooley, a hybrid malware detection system, discloses the missing element: triggering a content analysis based on a behavioral analysis. Cooley’s system performs a behavioral analysis and, if a process is determined to be behaving anomalously, takes corrective steps, including scanning the process for malicious code.
    • Motivation to Combine (for §103 grounds): Petitioner asserted a POSITA would combine Lee and Cooley because they address the same problem of malware detection in the same technical field. The combination would be a simple substitution of one known element (Lee's model-based behavioral analysis) for another (Cooley's statistical-based analysis) to achieve a predictable result. A POSITA would be motivated to use Lee's more sophisticated analysis, which can identify specific malware families, to trigger the content analysis taught by Cooley, thereby creating a more effective and targeted detection system.
    • Expectation of Success (for §103 grounds): A POSITA would have had a reasonable expectation of success because both Lee and Cooley describe software-based systems, and integrating Lee's behavioral analysis module into Cooley's framework would involve routine software engineering well within the skill of a POSITA.

Ground 2: Claims 1-20 are obvious over Farley and Cooley, with Spurlock or Tuvell for certain dependent claims.

  • Prior Art Relied Upon: Farley (Patent 7,089,428), Cooley (Patent 8,171,545), Spurlock (Patent 7,917,955), and Tuvell (Application # 2007/0240217).

  • Core Argument for this Ground:

    • Prior Art Mapping: This ground presented a similar argument to Ground 1 but substituted Farley for Lee as the primary behavioral analysis reference. Petitioner argued Farley discloses a dynamic, model-based behavioral analysis system that gathers "real-time raw events" (claimed "genes"), uses a "fusion engine" to group them into "mature correlation events" (claimed "phenotypes"), and can assess and rank the risk of these events. As in the first ground, Petitioner relied on Cooley to teach the step of triggering a content analysis when the behavioral analysis indicates anomalous activity.
    • Motivation to Combine (for §103 grounds): The motivation was identical to that for combining Lee and Cooley. A POSITA would have been motivated to substitute Farley's model-based behavioral analysis for Cooley’s statistical-based analysis to improve the overall detection system. This combination would allow the system to trigger a content scan based on Farley’s ranked risk assessment, a predictable improvement over Cooley’s binary determination.
    • Expectation of Success (for §103 grounds): Petitioner asserted a high expectation of success, as combining the software-based systems of Farley and Cooley would be straightforward for a POSITA.
  • Additional Grounds: Petitioner asserted that various dependent claims (2-3, 4-11, 13-14, and 15-20) were obvious over the primary combinations of Lee/Cooley or Farley/Cooley when further combined with either Spurlock or Tuvell. Spurlock was cited for teaching specific actions like stopping or pausing the executing process, while Tuvell was cited for disclosing limitations related to the types of content analysis performed.

4. Key Claim Construction Positions

  • "gene": Petitioner argued this term, not standard in the art, should be construed as "a behavior of an executing computer process." The claim language itself refers to comparing an "operation" with a "predetermined behavior, referred to as a gene," and the specification provides examples of behaviors that constitute genes.
  • "phenotype": Petitioner argued this term should be construed as "a collection of behaviors that is indicative of a type of malicious code." This construction was based on explicit definitions in the claim language and specification, which describe a phenotype as a "predetermined collection of malicious behaviors" or a "grouping of specific genes."
  • "content analysis": Petitioner proposed the broad construction of "any analysis that is directed to the content of one or more files." This was argued to be the broadest reasonable interpretation, supported by the fact that dependent claims recite specific, narrower types of content analysis.
  • "ranked": Petitioner argued this term should be given its plain and ordinary meaning of "ordered." The petition contended that the patent provides no special definition or method for ranking, so the term simply implies that the phenotypes are ordered to create increasing levels of confidence.

5. Relief Requested

  • Petitioner requests institution of an inter partes review and cancellation of claims 1-20 of the ’218 patent as unpatentable.