PTAB

IPR2015-01547

Symantec Corp v. Finjan Inc


1. Case Identification

2. Patent Overview

  • Title: System for Protecting a Computer from Dynamically Generated Malicious Content
  • Brief Description: The ’154 patent discloses a system for protecting a computer from malicious content, particularly content generated at runtime. The system intercepts function calls within content, transmits the function inputs to a separate "security computer" for inspection, and based on an indicator received back, either allows the original function to execute, executes it with a modified input, or blocks it.
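
The intercept, inspect and dispatch flow in the Brief Description can be sketched as follows. This is an added illustration, not code from the ’154 patent, the petition, or any cited reference. All names are hypothetical, the "security computer" is simulated by a local function rather than a remote service, and the inspection policy is a constructed toy rule set.

```javascript
// Hypothetical stand-in for the remote "security computer": it receives the
// name and input of an intercepted call and returns an indicator.
function securityComputerInspect(fnName, input) {
  if (/<script\b/i.test(input)) return { verdict: "block" };
  // Constructed toy rule: strip inline event-handler attributes.
  const handlerAttr = /\bon\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
  const cleaned = input.replace(handlerAttr, "");
  if (cleaned !== input) return { verdict: "modify", input: cleaned };
  return { verdict: "allow" };
}

// Replace target[fnName] with a hook that consults the inspector before the
// original function is allowed to run. Returns a function that removes the hook.
function installHook(target, fnName, inspect, log) {
  const original = target[fnName];
  target[fnName] = function hooked(input) {
    let indicator;
    try {
      indicator = inspect(fnName, String(input));
    } catch (err) {
      indicator = { verdict: "block" }; // fail closed if inspection is unavailable
    }
    log.push({ fnName, verdict: indicator.verdict });
    switch (indicator.verdict) {
      case "allow":  return original.call(this, input);           // run as-is
      case "modify": return original.call(this, indicator.input); // run with modified input
      default:       return undefined;                            // block, or unknown indicator
    }
  };
  return () => { target[fnName] = original; };
}

// Constructed sink standing in for a content-writing function.
function makeSink() {
  return { written: [], write(html) { this.written.push(html); return html.length; } };
}

function demo() {
  const sink = makeSink();
  const log = [];
  const unhook = installHook(sink, "write", securityComputerInspect, log);
  sink.write("<p>hello</p>");                    // constructed sample inputs
  sink.write('<img src="a.png" onerror="x()">');
  sink.write("<script>y()</script>");
  unhook();
  return { written: sink.written, verdicts: log.map((e) => e.verdict) };
}
```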

3. Grounds for Unpatentability

Ground 1: Claims 1-5 are anticipated by Ross under 35 U.S.C. §102(e).

  • Prior Art Relied Upon: Ross (Application # 2007/0113282).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued Ross discloses every limitation of claims 1-5. Ross teaches a security system with a "hook script generator" that replaces original functions in web content with "hook functions." When a hook function is called during runtime, its inputs (e.g., parameters) are sent to a remote "decision and/or vulnerability service" (the claimed "security computer") for security assessment. The service sends back decision information (the claimed "indicator"), and the content processor then either allows or disables the original function based on this determination. Petitioner contended Ross's teachings of "runtime detection" and checking code generated "on the fly" meet the "dynamically generated" limitation.
    • Key Aspects: This ground asserted that Ross describes the exact same problem-solution framework as the ’154 patent, rendering the claims anticipated.

Ground 2: Claims 2, 4-8, 10, and 11 are obvious over Ross under 35 U.S.C. §103.

  • Prior Art Relied Upon: Ross (Application # 2007/0113282).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground primarily addressed claims 6 and 10, which require invoking the original function with a modified input variable if the original is deemed unsafe. Petitioner argued Ross teaches modifying the execution of the original function based on the security assessment, providing an example of changing a directory where a file is written. This necessarily involves modifying the directory name input. To the extent Ross does not explicitly state the modified input is received from the security computer, Petitioner asserted this would have been an obvious design choice.
    • Motivation to Combine (Implicit Design Choice): A POSITA would understand that the security computer, being the entity that evaluates the input and determines it is unsafe, is the most logical source for the modified, safe input. Providing the modified input as part of the decision information sent back to the client would be a simple and predictable implementation.
    • Expectation of Success: A POSITA would have a high expectation of success in having the remote decision service generate and return a modified input as part of its response.

Ground 3: Claims 9 and 12 are obvious over Ross in view of Calder.

  • Prior Art Relied Upon: Ross (Application # 2007/0113282), Calder (Application # 2002/0066022).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground addressed dependent claims 9 and 12, which require modifying an input that itself includes a call to an additional function (e.g., nested or recursive hooking). Petitioner argued that while Ross teaches the primary client-server security architecture, Calder specifically teaches techniques for preventing malicious code from incorporating "new" unhooked code from unscanned sources, such as by making a memory page executable or loading a new DLL. Calder does this by re-hooking system calls found within the inputs to other hooked functions.
    • Motivation to Combine: A POSITA would combine Calder’s technique for handling nested threats with Ross's system to make it more robust. This would prevent circumvention of the security system by malicious code that dynamically loads or generates further malicious functions after the initial security scan.
    • Expectation of Success: Combining these known security techniques was argued to be a straightforward enhancement with predictable results.

Ground 4: Claims 1-12 are obvious over Calder in view of Sirer.

  • Prior Art Relied Upon: Calder (Application # 2002/0066022), Sirer (a 1999 ACM publication titled "Design and implementation of a distributed virtual machine for networked computers").
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner asserted Calder teaches a comprehensive system for securing an application by using a preprocessor to rewrite program code, trapping system calls to an "interception module" running in a virtual machine (VM). This module inspects inputs and can execute the original call with modified parameters. Petitioner argued the only feature arguably not disclosed in Calder is performing this inspection on a separate, remotely located security computer. Sirer was introduced for expressly teaching a distributed virtual machine (DVM) architecture where system services like "security enforcement" are "factored out of clients and located on powerful network servers."
    • Motivation to Combine: A POSITA would be motivated to combine Calder's VM-based interception system with Sirer’s DVM architecture. The motivation, as stated in Sirer, would be to reduce resource requirements on client machines, improve security through physical isolation, and increase the manageability of security policy across a network.
    • Expectation of Success: Implementing Calder's security checking processes on a remote server as taught by Sirer was presented as a combination of known elements to achieve a predictable result.

4. Key Claim Construction Positions

  • "dynamically generate[d]": Petitioner proposed this term be construed as "generate[d] at run-time." This construction was argued to be supported by the specification, which equates "dynamically generated" viruses with those "generated only at run-time." This construction is central to the petition's arguments that the prior art, which focuses on runtime analysis and interception, squarely addresses the problem solved by the patent.

5. Relief Requested

  • Petitioner requested the institution of an inter partes review and the cancellation of claims 1-12 of the ’154 patent as unpatentable.