PTAB
IPR2015-01892
Symantec Corp v. Finjan Inc
petition Intelligence
1. Case Identification
- Case #: IPR2015-01892
- Patent #: 8,677,494
- Filed: September 10, 2015
- Petitioner(s): Symantec Corp.
- Patent Owner(s): Finjan, Inc.
- Challenged Claims: 1, 2, 5, 6, 10, 11, 14, and 15
2. Patent Overview
- Title: System and Method for Protecting a Computer from Malicious Downloadables
- Brief Description: The ’494 patent describes a system and computer-based method for managing potentially malicious software received over a network, referred to as "Downloadables." The core claimed invention involves receiving a Downloadable, deriving "security profile data" that includes a list of suspicious computer operations it may attempt, and storing this profile data in a database.
3. Grounds for Unpatentability
Ground 1: Anticipation and Obviousness over Swimmer - Claims 1-2, 5-6, 10-11, and 14-15 are anticipated by or obvious over Swimmer.
- Prior Art Relied Upon: Swimmer (Dynamic Detection and Classification of Computer Viruses Using General Behaviour Patterns, Virus Bulletin Conference, Sep. 1995).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that Swimmer discloses every element of the challenged claims. Swimmer describes a "Virus Intrusion Detection Expert System" (VIDES) that acts as a firewall for programs entering a network. This system receives incoming programs ("Downloadables") and uses an emulator to monitor their activity, thereby generating a stream of system activity data that lists the functions and operations the programs attempt to invoke. Petitioner asserted this generated data is equivalent to the claimed "security profile data." Swimmer explicitly states this activity data is recorded in a database according to a structured schema, meeting the final limitation of the independent claims.
- Dependent Claims: For dependent claims 2 and 11 (storing a date/time), Swimmer’s audit records include "StartTime" and "EndTime" fields. For claims 6 and 15 (specific suspicious operations), Swimmer’s records of DOS system calls (e.g., INT 21h functions) inherently include calls to the operating system, file system, network system, and memory. For claims 5 and 14 ("program script"), Petitioner argued it would have been obvious to a person of ordinary skill in the art (POSITA) to apply Swimmer's system to analyze program scripts, a common form of executable code at the time.
- Motivation to Combine (for §103 grounds): To the extent Swimmer was found not to explicitly disclose analyzing "program scripts," a POSITA would have been motivated to apply its virus detection method to this well-known type of Downloadable to improve the system's effectiveness and broaden its applicability.
Ground 2: Obviousness over Cline in view of Ji - Claims 1-2, 5-6, 10-11, and 14-15 are obvious over Cline in view of Ji.
- Prior Art Relied Upon: Cline (Patent 5,313,616) and Ji (Patent 5,623,600).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner contended that Cline taught the core analysis and storage steps of the independent claims. Cline describes a system for testing application programs using static and dynamic analyses to identify all external calls (e.g., system and library calls) made by the program. This list of external calls constitutes the claimed "security profile data." Cline explicitly teaches recording these system and procedure calls in a "log database." Ji, in turn, teaches the context of receiving and scanning incoming files and messages at a network gateway before they are transmitted to a client computer.
- Motivation to Combine: A POSITA would combine these teachings to improve network security and efficiency. Ji establishes the benefit of scanning executables at a central gateway rather than on each individual machine. A POSITA would have been motivated to implement Cline’s more sophisticated program analysis techniques at a gateway, as taught by Ji, to verify that incoming Downloadables conform to security rules before allowing them onto the network. This combination would have been a predictable application of known technologies.
- Expectation of Success: The combination amounted to using a known analysis technique (Cline) in a known, advantageous location (a gateway, per Ji), yielding the predictable result of a gateway scanner that analyzes program behavior.
Ground 3: Obviousness over Forrest in view of Ji - Claims 1-2, 5-6, 10-11, and 14-15 are obvious over Forrest in view of Ji.
- Prior Art Relied Upon: Forrest (A Sense of Self for Unix Processes, IEEE Symposium, 1996) and Ji (Patent 5,623,600).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that Forrest taught a method of deriving a security profile and storing it in a database. Forrest's system performs "anomaly intrusion detection": it first establishes a baseline of "normal" program behavior by tracing and recording all sequences of system calls made by a program during normal operation. This baseline profile of system calls is stored in a database. The system then monitors the program for new sequences of system calls not present in the database, flagging them as potential intrusions. This list of potential operations is the claimed security profile. As in the previous ground, Ji provides the motivation to perform this scanning on incoming files at a network gateway.
- Motivation to Combine: A POSITA would have been motivated to combine Forrest's anomaly detection with Ji's gateway scanning for the same reasons of efficiency and improved security. Applying Forrest’s behavior-based analysis to incoming Downloadables at a gateway would allow for the detection of novel or otherwise unknown malicious code based on its behavior, rather than relying on known virus signatures. This would create a more robust security checkpoint for a network.
- Expectation of Success: A POSITA would have had a reasonable expectation of success in combining the references, as it involved applying Forrest’s known analysis method at a well-understood network location (a gateway) to analyze a known type of data (incoming executable files).
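The baseline-and-compare approach the petition attributes to Forrest can be sketched as follows. This is an added illustration, not code from the petition or from Forrest's paper; the window length of 3, the call names and both sets of traces are assumptions constructed for the example.

```python
from collections import deque

WINDOW = 3  # assumed sequence length; the page does not state one


def windows(trace, k=WINDOW):
    """Yield every run of k consecutive system calls in a trace."""
    buf = deque(maxlen=k)
    for call in trace:
        buf.append(call)
        if len(buf) == k:
            yield tuple(buf)


def build_profile(normal_traces, k=WINDOW):
    """Database of 'normal' behaviour: every sequence seen during training."""
    profile = set()
    for trace in normal_traces:
        profile.update(windows(trace, k))
    return profile


def find_anomalies(profile, trace, k=WINDOW):
    """Return (offset, sequence) for each sequence absent from the profile."""
    return [(i, seq) for i, seq in enumerate(windows(trace, k))
            if seq not in profile]


def mismatch_rate(profile, trace, k=WINDOW):
    """Fraction of the trace's sequences that the profile has never seen."""
    total = sum(1 for _ in windows(trace, k))
    return len(find_anomalies(profile, trace, k)) / total if total else 0.0


# Constructed sample traces (not real captures).
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "open", "read", "close"],
    ["open", "read", "close", "open", "read", "mmap", "close"],
]
OBSERVED = ["open", "read", "mmap", "execve", "socket", "connect", "close"]

if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for offset, seq in find_anomalies(profile, OBSERVED):
        print(f"unseen sequence at offset {offset}: {' '.join(seq)}")
    print(f"mismatch rate: {mismatch_rate(profile, OBSERVED):.2f}")
```

A trace shorter than the window produces no sequences and so no alerts, which is why real deployments set a minimum trace length before trusting a clean result.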
4. Key Claim Construction Positions
- "database": Petitioner argued for the broadest reasonable interpretation of "database" as simply "an organized collection of data."
- This construction is based on the plain and ordinary meaning of the term to a POSITA and is consistent with dictionary definitions from the relevant time. Petitioner argued that the patent specification provides no special definition and that attempts by the Patent Owner in related district court litigation to add limitations, such as requiring a "database schema" or that it must "serve one or more applications," are improper attempts to read limitations into the claims to avoid prior art that discloses storing security data in formats like log files.
5. Relief Requested
- Petitioner requests institution of an inter partes review and cancellation of claims 1, 2, 5, 6, 10, 11, 14, and 15 of the ’494 patent as unpatentable.