PTAB

IPR2016-00919

Symantec Corp v. Finjan Inc

Log In
Key Events
Petition
petition

1. Case Identification

2. Patent Overview

  • Title: System and Method for Inspecting Dynamically Generated Executable Code
  • Brief Description: The ’154 patent describes a computer security system for protecting against malicious code. The system intercepts function calls within downloaded content, sends the function's input variables to a remote security computer for analysis against a security policy, and only allows the function to execute if the remote computer indicates it is safe.

3. Grounds for Unpatentability

Ground 1: Claims 1-5 are obvious over Khazan in view of Sirer.

  • Prior Art Relied Upon: Khazan (Application # 2005/0108562) and Sirer (a 1999 article titled "Design and Implementation of a Distributed Virtual Machine for Networked Computers").
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Khazan taught a system for detecting malicious code by instrumenting an application to insert a "wrapper function" (the claimed "first function") that intercepts calls to an original "target function" (the claimed "second function"). This wrapper function performs dynamic, run-time analysis on the function's input parameters to verify their safety. However, Khazan primarily disclosed performing this analysis on the local client computer. Petitioner contended that Sirer supplied the missing elements by explicitly teaching the distribution of security functions, including run-time analysis of function arguments, from a client computer to a remote, powerful network server (the claimed "security computer") using a transmitter and receiver.
    • Motivation to Combine: A POSITA would combine Sirer's remote security architecture with Khazan's code analysis system to gain the known benefits taught by Sirer. These benefits included offloading processing to a more powerful network server, centralizing security policy administration, and improving security through physical isolation of the analysis module. The combination was presented as a predictable substitution of a remote analysis component for Khazan's local one.
    • Expectation of Success: Petitioner asserted a POSITA would have a high expectation of success because combining local and remote processing modules was a well-known design choice in distributed computing, yielding predictable results.

Ground 2: Claims 6-8, 10, and 11 are obvious over Khazan in view of Sirer and further in view of Ben-Natan.

  • Prior Art Relied Upon: Khazan (Application # 2005/0108562), Sirer (a 1999 article), and Ben-Natan (Patent 7,437,362).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground built upon the Khazan/Sirer combination and addressed the additional limitation in the challenged claims requiring the system to call the second function with a "modified input variable." Petitioner argued that while Khazan and Sirer provided the framework for remote security analysis, they primarily taught a binary outcome: either allow the function to execute or block it. Ben-Natan, which relates to database security, allegedly supplied the teaching of a third option. Ben-Natan disclosed a system that, upon detecting an unsafe input (e.g., a database query that violates policy), could modify the input parameters to render them safe (e.g., by narrowing the query) before allowing execution.
    • Motivation to Combine: A POSITA would combine Ben-Natan's input modification technique with the Khazan/Sirer security framework to create a more robust and flexible system. Instead of merely blocking potentially malicious function calls, the combined system could allow them to proceed safely with modified, less harmful inputs. This represented the application of a known security response strategy to improve the functionality of the base system.
    • Expectation of Success: Petitioner argued success was predictable, as modifying unsafe inputs was one of a limited number of known techniques for handling such situations, alongside blocking execution. A POSITA would have reasonably expected that integrating this known technique into the remote security analysis framework would work as intended.

4. Key Claim Construction Positions

  • "first function" / "second function": Petitioner argued for a construction where the "first function" is the "substitute function" (commonly known as a wrapper function) and the "second function" is the "original function" that is being wrapped. This interpretation was based on the patent's specification, which described replacing "original function calls" with "substitute function calls" to perform security checks.
  • "transmitter" / "receiver": Petitioner proposed that "transmitter" should be construed as "a circuit or electronic device designed to send electrically encoded data to another location," and "receiver" as "a circuit or electronic device designed to accept data from an external communication system." These constructions were based on standard technical dictionary definitions and the functional descriptions in the specification, arguing that a POSITA would understand them as generic components for network communication.

5. Relief Requested

  • Petitioner requested that the Board institute an inter partes review of claims 1-8, 10, and 11 of Patent 8,141,154 and find each challenged claim unpatentable.