FireEye Inc v. Finjan Inc

1. Case Identification

• Case #: IPR2017-00157
• Patent #: 8,225,408
• Filed: October 28, 2016
• Petitioner(s): FireEye, Inc.
• Patent Owner(s): Finjan, Inc.
• Challenged Claims: 1-2, 8-9, 11, 23-28, 29-34

2. Patent Overview

• Title: METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS
• Brief Description: The ’408 patent discloses a method for protecting computers from malicious programs by scanning incoming streams of computer code. The system uses programming language-specific rules to generate a "parse tree" data structure and identifies patterns of tokens within the tree as potential exploits.

3. Grounds for Unpatentability

Ground 1: Obviousness over Chandnani and Kolawa - Claims 1, 9, 23, and 29 are obvious over Chandnani in view of Kolawa.

• Prior Art Relied Upon: Chandnani (Application # 2002/0073330) and Kolawa (Patent 5,860,011).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Chandnani taught the core limitations of the independent claims, including a multi-lingual scanner that receives a data stream, determines its programming language, and uses language-specific rules (parser and analyzer rules) to analyze the stream for viral code. However, Chandnani did not explicitly disclose using a parse tree to store and analyze the generated tokens. Kolawa, which addressed rule-based source code quality analysis, explicitly taught using a "conventional" lexical analyzer/parser to group tokens into a parse tree for subsequent analysis against a set of rules. The combination of Chandnani's multi-lingual virus scanner with Kolawa's use of a parse tree for analysis rendered the independent claims obvious.
  • Motivation to Combine: A Person of Ordinary Skill in the Art (POSITA) would combine Chandnani with Kolawa because using a parse tree was a well-known and efficient data structure for storing and analyzing tokens generated from a data stream. This structure, taught by Kolawa, would improve a system like Chandnani's by making it easier to manipulate the code and detect complex structural patterns common in malicious software, a known requirement for effective security scanners.
  • Expectation of Success: A POSITA would have a high expectation of success, as combining a known token-generating security scanner with a standard parse-tree analysis technique was a predictable implementation of a code analysis system.

Ground 2: Obviousness over Chandnani, Kolawa, and Knuth - Claims 2, 11, 24-28, and 30-34 are obvious over Chandnani in view of Kolawa and Knuth.

• Prior Art Relied Upon: Chandnani (Application # 2002/0073330), Kolawa (Patent 5,860,011), and Knuth (a 1965 publication titled "On the Translation of Languages from Left to Right").
• Core Argument for this Ground:
  • Prior Art Mapping: This ground built upon the Chandnani and Kolawa combination to address dependent claims reciting specific, well-known features of parsers. Kolawa disclosed using a parser that is "conventional in the art" to build its parse tree. Knuth, a foundational paper on parsing, provided the explicit teachings for how such a conventional parser would operate, including the use of a "shift-and-reduce algorithm" (recited in claims 2 and 11) and the basic structural relationships between parent and child nodes in a parse tree (recited in claims 24-28 and 30-34).
  • Motivation to Combine: To implement the "conventional" parser taught by Kolawa, a POSITA would naturally have turned to foundational and widely-known parsing techniques. Knuth provided the blueprint for such techniques, including the shift-and-reduce process, making it an obvious reference to consult for implementing the details of the parser in the Chandnani/Kolawa system.
  • Expectation of Success: Success was expected because Knuth simply provided the detailed, well-established mechanics for the "conventional" parser already suggested by Kolawa.

Ground 3: Obviousness over Chandnani, Kolawa, and Huang - Claim 8 is obvious over Chandnani in view of Kolawa and Huang.

• Prior Art Relied Upon: Chandnani (Application # 2002/0073330), Kolawa (Patent 5,860,011), and Huang (Patent 6,968,539).
• Core Argument for this Ground:
  • Prior Art Mapping: This ground targeted dependent claim 8, which required the system to handle "embedded program code" written in a language different from the primary incoming stream (e.g., JavaScript within an HTML document). The base Chandnani/Kolawa combination provided the multi-language security scanner. Huang was added because it explicitly taught a system for processing web applications that contain embedded code, such as JavaScript in HTML. Huang's system determined the language type for each distinct unit of code (e.g., HTML vs. JavaScript) so it could be processed correctly.
  • Motivation to Combine: A POSITA seeking to apply the Chandnani/Kolawa security scanner to modern web content would have needed a way to parse embedded code, a ubiquitous feature of web pages. Huang taught a known method for identifying and handling such embedded code. A POSITA would combine Huang's approach with the base scanner to extend its malware detection capabilities to files containing embedded scripts.
  • Expectation of Success: The combination was predictable, as it involved applying a known security analysis technique to a different but common file structure (web pages with embedded code) using a known method for parsing that specific structure.
• Additional Grounds: Petitioner asserted additional obviousness challenges against the same claims (Grounds 4 and 5) by adding Walls (Patent 7,284,274) to the foregoing combinations. Walls was cited for its teaching of a "pipelined" approach to code analysis, which Petitioner argued provided an alternative disclosure for the "dynamically building" and "dynamically detecting" limitations of the claims.

4. Key Claim Construction Positions

• Petitioner argued for constructions consistent with those previously adopted by the Board in related IPR proceedings (IPR2015-02001). These constructions were central to mapping the "dynamic" analysis limitations onto the prior art.
• "parse tree": Construed as "a hierarchical structure of interconnected nodes built from scanned content."
• "dynamically building ... while said receiving receives the incoming stream": Construed to mean "a time period for dynamically building overlaps with a time period during which the incoming stream is being received."
• "dynamically detecting ... while said dynamically building builds the parse tree": Construed to mean "a time period for dynamically detection overlap with a time period during which the parse tree is built."

5. Arguments Regarding Discretionary Denial

• Petitioner contended that the grounds presented were not redundant with prior-instituted IPRs against the ’408 patent (the "PAN IPRs"). Petitioner asserted that this petition challenged dependent claims that were not at issue in the earlier proceedings. It was also noted that Petitioner, FireEye, Inc., was not a party to the PAN IPRs and was therefore not estopped from bringing these challenges. The petition was filed concurrently with a motion for joinder to a separate IPR (IPR2016-01441).

6. Relief Requested

• Petitioner requests institution of an inter partes review and cancellation of claims 1-2, 8-9, 11, 23-28, and 29-34 of the ’408 patent as unpatentable.