Palo Alto Networks Inc v. Finjan Inc

1. Case Identification

• Case #: IPR2015-01979
• Patent #: 8,141,154
• Filed: September 25, 2015
• Petitioner(s): Palo Alto Networks, Inc.
• Patent Owner(s): Finjan, Inc.
• Challenged Claims: 1-8, 10, and 11

2. Patent Overview

• Title: System and Method for Inspecting Dynamically Generated Executable Code
• Brief Description: The ’154 patent relates to a computer security system for inspecting potentially malicious inputs to software functions at run-time. The asserted novelty is distributing this dynamic inspection of input variables to a remote "security computer" to protect a local computer from dynamically generated threats.

3. Grounds for Unpatentability

Ground 1: Obviousness over Khazan and Sirer - Claims 1-5 are obvious over Khazan in view of Sirer.

• Prior Art Relied Upon: Khazan (Application # 2005/0108562) and Sirer (a 1999 journal article titled “Design and Implementation of a Distributed Virtual Machine for Networked Computers”).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Khazan taught a comprehensive system for detecting malicious code that met most limitations of the independent claims. Khazan’s system performed run-time analysis by instrumenting an application with "wrapper functions" (the claimed "first function") to inspect the inputs of "target functions" (the claimed "second function") before execution. However, Khazan primarily focused on performing this analysis locally. Petitioner asserted that Sirer taught the key missing element: distributing security services, including dynamic analysis of "user-supplied arguments to system calls," from a client computer to more powerful remote network servers.
  • Motivation to Combine: A Person of Ordinary Skill in the Art (POSITA) would combine Sirer's teaching of remote security analysis with Khazan's instrumentation framework. The motivation was to gain the well-understood benefits explicitly taught by Sirer: leveraging more powerful server processors for faster analysis, centralizing security policy administration for consistency, and enhancing security through the physical isolation of the analysis computer from the client computer being protected.
  • Expectation of Success: A POSITA would have a high expectation of success. The combination represented a predictable substitution of a remote process (from Sirer) for Khazan's local one. Performing code instrumentation and analysis on a remote proxy or gateway was a known technique, and the modular nature of the software components made such a distributed architecture straightforward to implement.

Ground 2: Obviousness over Khazan, Sirer, and Ben-Natan - Claims 6-8, 10, and 11 are obvious over Khazan in view of Sirer and further in view of Ben-Natan.

• Prior Art Relied Upon: Khazan (Application # 2005/0108562), Sirer (a 1999 journal article), and Ben-Natan (Patent 7,437,362).
• Core Argument for this Ground:
  • Prior Art Mapping: This ground built upon the Khazan/Sirer combination, which established a system for remote run-time analysis of function inputs. The key additional limitation in this set of claims was the step of calling the second function with a "modified input variable" if the original input was deemed unsafe. Petitioner argued that Ben-Natan taught this missing element. Ben-Natan described a database security system that, upon detecting an unsafe data access statement (a function with inputs), would modify its parameters (the input) to be compliant with a security policy and then allow the modified, safe statement to be executed.
  • Motivation to Combine: A POSITA, having already combined Khazan and Sirer to create a remote analysis system, would be motivated to incorporate Ben-Natan's teaching of input modification. This provided a more nuanced and flexible response to potentially malicious inputs than the binary choice of either allowing or blocking execution, as taught by Khazan. Modifying the input to permit safe (if diminished) execution was a known and desirable alternative to outright denial, allowing an application to continue functioning without compromising security.
  • Expectation of Success: A POSITA would have a reasonable expectation of success in adding this feature. Modifying unsafe inputs was one of a limited number of known techniques for handling such situations. Integrating Ben-Natan's modification logic into the remote security service of the combined Khazan/Sirer system would predictably result in the safe execution of the function with the modified input.

4. Key Claim Construction Positions

Petitioner argued that several claim terms were critical to the invalidity analysis and proposed the following constructions under the broadest reasonable interpretation standard.

• "first function": Petitioner argued for a construction of "substitute function" or "wrapper function." This was based on the ’154 patent's specification, which described intercepting software content and replacing "original function calls" with "substitute function calls" to enable security checks.
• "second function": Correspondingly, Petitioner argued for a construction of "original function." This was the function being wrapped or substituted by the "first function" and which is only invoked if its input is deemed safe.
• "transmitter" / "receiver": Petitioner asserted these terms should be construed as generic functional components for sending and receiving data, such as "a circuit or electronic device designed to send/accept electrically encoded data." This was based on the patent's lack of specific structural details for these components, relying instead on dictionary definitions and the general understanding of a POSITA regarding standard network hardware like network interface cards.

5. Relief Requested

• Petitioner requests institution of an inter partes review and cancellation of claims 1-8, 10, and 11 of Patent 8,141,154 as unpatentable.