PTAB

IPR2017-01345

Zscaler Inc v. Symantec Corp

1. Case Identification

2. Patent Overview

  • Title: Malicious Code Detection and Signature Generation
  • Brief Description: The ’543 patent discloses a computer security system for detecting malicious code on a host computer. Upon detection, the system extracts a signature or associated parameters, creates a "malicious code packet," and transmits this packet to a separate analysis center computer for further processing.

3. Grounds for Unpatentability

Ground 1: Anticipation over Arnold - Claims 1-3, 5-8, 20, 22, 26, and 29-31 are anticipated under 35 U.S.C. § 102 by Arnold.

  • Prior Art Relied Upon: Arnold (Patent 5,440,723).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Arnold, which discloses an "Automatic Immune System for Computers," teaches every element of the challenged claims. Arnold's system monitors for "anomalous behavior" (detecting an attack), extracts a "signature from an undesirable software entity" (extracting a malicious code signature), and sends this information in a "distress signal" or "report" to a remote "expert" (creating and sending a malicious code packet). Petitioner contended that the key limitation added during prosecution—"extracting a specific number of bytes backwards from said caller's address"—was anticipated by Arnold's disclosure of extracting signatures from the invariant "head" portion of a self-modifying virus. Because the head is at the beginning, extracting from it inherently involves reading bytes backward from a subsequent execution point.
    • Key Aspects: Petitioner emphasized that the limitations which overcame prosecution were, in fact, disclosed in Arnold, a reference the examiner did not consider.

Ground 2: Obviousness over Arnold and Nachenberg - Claims 20 and 29 are obvious over Arnold in view of Nachenberg.

  • Prior Art Relied Upon: Arnold (Patent 5,440,723) and Nachenberg '008 (Patent 6,357,008).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground specifically addressed the "attack threshold" limitation in claims 20 and 29. Petitioner argued that Arnold’s system, which raises a "level of alertness" based on suspicious activity, discloses this concept. To the extent Arnold was deemed insufficient, Nachenberg '008 explicitly taught the claimed feature. Nachenberg disclosed a method where suspicious behaviors are weighted, and an infection is indicated if the resulting measure "reaches or surpasses a threshold indicative of infection." This provided an explicit teaching of the threshold-based determination recited in the claims.
    • Motivation to Combine: A POSITA would combine Arnold and Nachenberg because both address the same problem of virus detection using similar heuristic and behavioral analysis techniques. Integrating Nachenberg's explicit thresholding mechanism into Arnold's immune system framework would have been a predictable and logical step to improve the precision of attack detection.
    • Expectation of Success: The combination involved applying a known technique (thresholding) to a known system (Arnold's) to achieve a predictable result (improved detection accuracy), leading to a high expectation of success.

Ground 3: Obviousness over Arnold and White - Claims 23-25 and 27-28 are obvious over Arnold in view of White.

  • Prior Art Relied Upon: Arnold (Patent 5,440,723) and White ("Anatomy of a Commercial-Grade Immune System," June 1999).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground targeted dependent claims reciting a multi-tiered analysis structure, including a "global analysis center." While Arnold taught sending data to a remote expert, White provided more specific disclosures about the architecture of the same underlying IBM Digital Immune System. White described a hierarchy where a local "administrator system" (corresponding to the claimed "local analysis center") could forward samples to a "central virus analysis center" (corresponding to the claimed "global analysis center") for further analysis. White also disclosed selecting only a few representative samples for forwarding to avoid flooding the central system, teaching the claimed limitation of determining if a maximum number of packets has been sent.
    • Motivation to Combine: A POSITA would have been highly motivated to combine the references, as they both described aspects of the same IBM commercial product. The primary inventor on the Arnold patent was also a co-author of the White paper, making the teachings integrally related.
    • Expectation of Success: Combining disclosures that describe different aspects of the same real-world system would have been straightforward, with a clear expectation of successfully creating the claimed hierarchical analysis structure.
  • Additional Grounds: Petitioner asserted an additional obviousness challenge (Ground 2) for dependent claims 4, 9-19, and 21 based on Arnold in view of the general knowledge of a POSITA, arguing that implementing predictable variations like using secure channels or checking if code is "sendable" would have been obvious design choices.

4. Key Claim Construction Positions

Petitioner proposed constructions for several key terms that were central to its invalidity arguments.

  • "caller's address": Petitioner proposed construing this term as "memory location of the malicious code." This construction was critical to mapping Arnold's disclosure of extracting a signature from the "head" of a virus to the claim limitation of extracting bytes "backwards from said caller's address."
  • "malicious code signature": Petitioner proposed the construction "specific sequence of bytes of the malicious code." This interpretation supported the argument that Arnold's disclosure of extracting "sequences of bytes" from invariant code portions met the claim limitation.
  • "attack threshold": Petitioner proposed construing this term as "a minimum level of suspicious activity associated with the received extracted malicious code packets that results in a conclusion that an attack has occurred." This broad construction allowed Petitioner to argue the limitation was met by Arnold’s "level of alertness" and explicitly by the threshold taught in Nachenberg.

5. Relief Requested

  • Petitioner requested institution of an inter partes review and cancellation of claims 1-31 of Patent 7,392,543 as unpatentable.