Palo Alto Networks Inc v. Finjan Inc

1. Case Identification

• Case #: IPR2016-00151
• Patent #: 8,141,154
• Filed: November 5, 2015
• Petitioner(s): Palo Alto Networks, Inc.
• Patent Owner(s): Finjan, Inc.
• Challenged Claims: 1-12

2. Patent Overview

• Title: System and Method for Inspecting Dynamically Generated Executable Code
• Brief Description: The ’154 patent describes a system to protect a computer from malicious code contained in content received over a network. The system modifies the content to reroute function calls to an external security computer for inspection and only permits the original function to execute if the security computer indicates it is safe.

3. Grounds for Unpatentability

Ground 1: Claims 1-8 and 10-11 are obvious over Ross.

• Prior Art Relied Upon: Ross (Application # 2007/0113282).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Ross discloses all elements of the challenged claims. Ross describes a system for detecting and disabling malicious script code with three main components that directly correspond to those in the ’154 patent: a "hook script generator" (content modifier), a "script processing engine" (content processor), and a "decision service" (security computer/content inspector). Ross teaches receiving web content, using the hook script generator to replace original functions with "hooked" functions, and processing this modified content in the script processing engine. When a hooked function is invoked, it is transmitted to the decision service for analysis. The decision service determines if the code is malicious and sends an indicator back, allowing the script processing engine to either execute the original function if safe or disable it if malicious. This architecture, Petitioner asserted, maps directly to the system of independent claim 1.
  • Prior Art Mapping (Dependent and Other Independent Claims):
    • Petitioner contended Ross teaches the limitations of dependent claims 2 and 7 by disclosing that validity checks on function arguments are performed before allowing the original function call, necessarily implying a suspension of the original function's processing until the decision service responds.
    • For dependent claims 3, 5, 8, and 11, Petitioner argued that Ross’s use of JavaScript for its hook-based detection engine inherently teaches the dynamic, run-time generation of inputs, as JavaScript's purpose is to handle such dynamic content.
    • For independent claims 6 and 10, which involve modifying an input variable, Petitioner pointed to Ross’s disclosure that the "filtered script behavior" can include "modifying original functions," such as redirecting a file-write operation to a different, safer directory, which constitutes modifying an input variable.
    • The method and computer-readable medium claims (4, 5, 10, 11) were argued to be obvious for the same reasons as their corresponding apparatus claims (1-3, 6-8).

Ground 2: Claims 9 and 12 are obvious over Ross in view of Calder.

• Prior Art Relied Upon: Ross (Application # 2007/0113282) and Calder (Application # 2002/0066022).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner asserted that to the extent Ross does not explicitly disclose the specific limitations of claims 9 and 12, Calder provides the missing teachings. Claim 9 requires the "input variable includes a call to an additional function," and claim 12 further requires that the "modified input variable includes a call to a modified additional function." Petitioner argued that Calder, which secures applications by intercepting system calls, teaches these features. Calder discloses scanning code for system calls and modifying the code to route those calls to an interception module. Calder specifically addresses dynamically generated code and rewriting DLLs (dynamically linked libraries) loaded at run-time, redirecting their routines to "wrapper routines." This process, Petitioner contended, teaches an input variable (e.g., a call to make a memory page executable) that includes a call to an additional function, as well as a modified input variable (a rewritten DLL) that calls a modified function (the wrapper routine).
  • Motivation to Combine: A POSITA would combine Ross's web content inspection system with Calder's system call interception techniques to provide more robust and complete protection. It was well known that web content (like Java) contained inputs that called other functions, so a comprehensive security system would need to handle such calls, motivating the inclusion of Calder’s teachings.
  • Expectation of Success: Combining these known security techniques would have been straightforward for a POSITA, as both references address the common problem of analyzing executable code from untrusted sources by intercepting and inspecting function calls before execution.

4. Key Claim Construction Positions

• "dynamically generated": Petitioner proposed that this term, appearing in dependent claims 3, 5, 8, and 11, should be construed to mean "generate[d] at run-time." This construction was argued to be consistent with the specification, which equates dynamic generation with run-time events, such as when "viruses take advantage of features of dynamic HTML generation... to generate themselves on the fly at run time." This construction is central to Petitioner's argument that Ross’s use of JavaScript, a run-time technology, teaches this limitation.

5. Relief Requested

• Petitioner requests institution of an inter partes review and cancellation of claims 1-12 of the ’154 patent as unpatentable.