Symantec Corp v. Finjan Inc

1. Case Identification

• Case #: IPR2015-01552
• Patent #: 7,757,289
• Filed: July 3, 2015
• Petitioner(s): Symantec Corp.
• Patent Owner(s): Finjan, Inc.
• Challenged Claims: 10-12, 15, 17, 19-24, 35, 36, 38, 39, 41, 42, 44, and 45

2. Patent Overview

• Title: Protecting a Computer from Dynamically Generated Malicious Content
• Brief Description: The ’289 patent discloses systems and methods for protecting a client computer from malicious content that is generated dynamically (at run-time). The system intercepts content at a gateway, modifies it by replacing original function calls with substitute function calls, and transmits the modified content to a client; the substitute functions send inputs to a separate security computer for inspection before allowing the original functions to be executed by the client.

3. Grounds for Unpatentability

Ground 1: Obviousness over Calder and Sirer - Claims 10-12, 15, 17, 19-24, 35, 36, 38, 39, 41, 42, 44, and 45 are obvious over Calder in view of Sirer.

• Prior Art Relied Upon: Calder (Application # 2002/0066022) and Sirer (a 1999 ACM publication titled "Design and implementation of a distributed virtual machine for networked computers").
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Calder taught nearly all limitations of the challenged claims. Calder disclosed a system for securing applications by using a pre-processor to rewrite program code, replacing system calls (original functions) with calls to an "interception module" (a substitute function) that inspects inputs for malicious activity. Petitioner contended that the only feature arguably not disclosed in Calder was performing these security checks on a separate, remotely located "security computer." Sirer was alleged to expressly teach this missing element by describing a distributed virtual machine (DVM) architecture where system services, including "security enforcement," are "factored out of clients and located on powerful network servers."
  • Motivation to Combine: A POSITA would combine Calder's local security-checking process with Sirer's DVM architecture to realize the benefits explicitly stated in Sirer. These benefits included reducing resource requirements on client machines, improving overall site security through physical isolation of the security component, and increasing the manageability of a large network without sacrificing performance. Sirer itself suggested that other security solutions employing binary re-writing and virtual machines (like Calder) would be accommodated by its distributed architecture.
  • Expectation of Success: Petitioner asserted that success would be predictable. The combination involved applying Sirer's known distributed computing architecture to Calder's known security hooking mechanism. A POSITA would have readily understood how to implement Calder's interception module on Sirer's remote security server using well-known programming techniques for distributed systems.

Ground 2: Obviousness over Ross and Calder - Claims 10-12, 15, 17, 19-24, 35, 36, 38, 39, 41, 42, 44, and 45 are obvious over Ross in view of Calder.

• Prior Art Relied Upon: Ross (Application # 2007/0113282) and Calder (Application # 2002/0066022).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner contended that Ross disclosed a system highly analogous to the ’289 patent. Ross taught a gateway-based "hook script generator" that modifies HTTP content by replacing original functions with substitute "hook functions." These hook functions send inputs (e.g., method names, parameters) to a remote "decision and/or vulnerability service" (a security computer) for assessment before allowing execution. Ross was argued to teach most claim limitations, but was supplemented by Calder's disclosure of handling recursively or nested malicious code. Specifically, Calder taught how to address dynamically generated code that appears after an initial scan, such as by intercepting calls that make a memory page executable or load a new DLL, and then re-scanning that new code for threats. This directly mapped to claim limitations requiring modification of an input that itself includes a call to a second original function.
  • Motivation to Combine: A POSITA would have been motivated to incorporate Calder's techniques for re-scanning dynamically generated code into Ross's system to enhance its security. This would prevent malicious code from bypassing Ross's initial security scan by later incorporating new, un-scanned code from sources like modified memory pages or external files. Combining the references would close a known security loophole, making Ross's system more robust.
  • Expectation of Success: The combination was presented as the straightforward application of Calder's established technique for handling nested or dynamically loaded code to improve Ross's security framework. A POSITA would have had a reasonable expectation of success in applying this secondary scanning logic to Ross's remote security service architecture to create a more comprehensive threat-detection system.

4. Key Claim Construction Positions

• Petitioner argued that based on the claim language and the specification of the ’289 patent, the term "dynamically generate[d]" should be construed to mean "generate[d] at run-time." This construction was asserted to be critical because the prior art, particularly Calder, explicitly taught techniques for handling and scanning code that is created or modified during run-time execution, allowing the prior art's teachings to map directly onto this key claim limitation.

5. Relief Requested

• Petitioner requested the institution of an inter partes review and the cancellation of claims 10-12, 15, 17, 19-24, 35, 36, 38, 39, 41, 42, 44, and 45 of Patent 7,757,289 as unpatentable.