PTAB

IPR2023-00895

Ao Kaspersky Lab v. Open Text Inc


1. Case Identification

2. Patent Overview

  • Title: Systems and Methods for Detecting and Preventing Software Exploits
  • Brief Description: The ’591 patent describes systems and methods for detecting and preventing software exploits, such as those using shellcode to execute a malicious payload. The technology monitors a process's memory space by intercepting function calls, performing a "stack walk" to analyze the call stack, and conducting memory checks to identify suspicious behavior before it can cause harm.

3. Grounds for Unpatentability

Ground 1: Claims 1, 3, 4, 6, 9, 11, 12, 14, and 17 are anticipated under 35 U.S.C. §102 or obvious under 35 U.S.C. §103 over [Fratric](https://ai-lab.exparte.com/case/ptab/IPR2023-00895/doc/1007).

  • Prior Art Relied Upon: Fratric (a 2012 whitepaper entitled "Runtime Prevention of Return-Oriented Programming Attacks").
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Fratric, which discloses a system called ROPGuard to prevent return-oriented programming (ROP) attacks, teaches every limitation of the independent claims. Fratric allegedly discloses monitoring a memory space by checking "critical functions" (e.g., CreateProcess, VirtualProtect) when they are called by an attacker's ROP code. Petitioner contended that Fratric’s method of injecting a DLL into the target process’s address space to perform its protective functions corresponds to the claimed "loading a component for evaluating." Further, Petitioner asserted that Fratric’s check for stack frame consistency, which involves examining return addresses on the stack, constitutes the claimed "executing stack walk processing." The petition mapped Fratric's various checks—such as verifying the stack pointer is within thread boundaries or that a return address is executable—to the claimed "memory check...to detect suspicious behavior." Fratric's pseudocode allegedly illustrates performing these checks on a frame-by-frame basis before an originating caller is reached.
    • Expectation of Success (for §103 grounds): To the extent any limitation was not explicitly disclosed, Petitioner argued a person of ordinary skill in the art (POSITA) would have a reasonable expectation of successfully implementing the claimed method based on Fratric’s disclosure, as it involved the use of known components for their conventional purposes in a predictable art.
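
The checks attributed to Fratric in the mapping above (stack pointer inside the thread's stack bounds, frame-by-frame consistency, executable return address) can be modeled as follows. This is an added illustration, not code from Fratric, ROPGuard, or the ’591 patent; the memory map, addresses, the "frame pointers must strictly increase" consistency rule, and all names (`check_call`, `region_t`, `frame_t`) are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one process: memory map, thread stack bounds, captured frames. */
typedef struct { uint64_t base, size; int executable; } region_t;
typedef struct { uint64_t frame_ptr, ret_addr; } frame_t;
enum verdict { V_OK, V_SP_OUTSIDE_STACK, V_FRAME_INCONSISTENT, V_RET_NOT_EXECUTABLE };

#define STACK_LO 0x7ff00000ULL
#define STACK_HI 0x7ff10000ULL
static const region_t MAP[] = {
    { 0x00400000ULL, 0x10000, 1 },           /* code: executable */
    { 0x00a00000ULL, 0x10000, 0 },           /* heap: not executable */
    { STACK_LO, STACK_HI - STACK_LO, 0 },    /* thread stack: not executable */
};
#define NMAP (sizeof MAP / sizeof MAP[0])
/* Constructed sample call stacks; element 0 is the innermost caller. */
static const frame_t BENIGN[]  = { {0x7ff01040ULL, 0x00401234ULL}, {0x7ff01080ULL, 0x00402000ULL} };
static const frame_t HEAPRET[] = { {0x7ff01040ULL, 0x00401234ULL}, {0x7ff01080ULL, 0x00a00010ULL} };

static int in_range(uint64_t a, uint64_t lo, uint64_t hi) { return a >= lo && a < hi; }

static int is_executable(uint64_t addr) {
    for (size_t i = 0; i < NMAP; i++)
        if (in_range(addr, MAP[i].base, MAP[i].base + MAP[i].size))
            return MAP[i].executable;
    return 0;                                /* unmapped addresses are never executable */
}

/* Run at entry to a monitored function; *bad (optional) gets the failing frame index. */
enum verdict check_call(uint64_t sp, const frame_t *frames, size_t n, size_t *bad) {
    if (!in_range(sp, STACK_LO, STACK_HI)) return V_SP_OUTSIDE_STACK;
    uint64_t prev = sp;
    for (size_t i = 0; i < n; i++) {         /* frame by frame, toward the originating caller */
        if (bad) *bad = i;
        if (!in_range(frames[i].frame_ptr, STACK_LO, STACK_HI) || frames[i].frame_ptr <= prev)
            return V_FRAME_INCONSISTENT;
        if (!is_executable(frames[i].ret_addr)) return V_RET_NOT_EXECUTABLE;
        prev = frames[i].frame_ptr;
    }
    return V_OK;
}

int main(void) {
    size_t bad = 0;
    int ok    = check_call(0x7ff01000ULL, BENIGN, 2, &bad);
    int pivot = check_call(0x00a00100ULL, BENIGN, 2, &bad);   /* stack pointer in the heap */
    int heap  = check_call(0x7ff01000ULL, HEAPRET, 2, &bad);  /* outer frame returns to heap */
    printf("benign=%d pivoted_sp=%d heap_return=%d (frame %zu)\n", ok, pivot, heap, bad);
    return 0;
}
```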

Ground 2: Claims 2, 5, 7, 8, 10, 13, 15, and 16 are obvious under §103 over Fratric in view of [Sallam](https://ai-lab.exparte.com/case/ptab/IPR2023-00895/doc/1008).

  • Prior Art Relied Upon: Fratric (the 2012 whitepaper) and Sallam (Application # 2012/0255018).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground addresses dependent claims requiring additional features like using a cache and function hooking. Petitioner argued that while Fratric provides the foundational anti-exploit framework (monitoring, stack walking, preventing execution), Sallam provides the motivation and teachings for the specific implementations in these dependent claims. Sallam teaches an anti-malware system that uses a "below-operating system security agent" to trap and evaluate low-level operations. Specifically, Petitioner contended Sallam discloses hooking functions to monitor for malicious activity (claim 5) and using a cache to evaluate memory access (claims 2, 8, 10). For example, Sallam teaches that a resource identifier may identify a cache, and a write to a particular value in that cache can trigger a security evaluation.
    • Motivation to Combine: Petitioner asserted a POSITA would combine Fratric and Sallam to address a known shortcoming in Fratric. Fratric acknowledges that its primary method of detecting ROP attacks by analyzing RETN instructions is difficult because attackers can use other methods like indirect jumps. Sallam’s teachings on hooking and cache-based monitoring provide a known solution to this problem. A POSITA would have been motivated to augment Fratric’s stack-based analysis with Sallam’s cache-based and hooking techniques to create a more robust system capable of detecting a wider variety of exploits.
    • Expectation of Success: A POSITA would have a reasonable expectation of success because the combination involves applying Sallam’s known security techniques (hooking, cache monitoring) to Fratric’s known anti-exploit system to achieve the predictable result of enhanced threat detection.

4. Key Claim Construction Positions

  • Petitioner submitted that for the purposes of the inter partes review (IPR), claim terms should be given a construction consistent with a parallel district court order.
  • The only term construed beyond its plain and ordinary meaning in that order was "low level use mode function," which was construed as a "user mode function that is low level with respect to its layer of abstraction."

5. Arguments Regarding Discretionary Denial

  • §314(a) (Fintiv Factors): Petitioner argued against discretionary denial under Fintiv, asserting that the parallel district court litigation is in an early stage. Key factors cited were that the trial is scheduled for August 2024 (approximately 16 months from filing), fact discovery had just opened, and Petitioner is one of several defendants, meaning its specific trial would likely be even later. Petitioner also argued the merits are strong because the primary reference, Fratric, was not considered during prosecution, and it could stipulate to not pursue the same grounds in district court if the IPR is instituted.
  • §325(d) & General Plastic: Petitioner argued against denial based on other petitions filed against the ’591 patent by unrelated parties (CrowdStrike and Trend Micro). It contended that under the General Plastic factors, denial is inappropriate because Kaspersky is a different petitioner, was sued separately, and is asserting different prior art combinations. Further, it argued against denial under Advanced Bionics, stating that the Examiner never considered Fratric, and the combination of Fratric and Sallam is new and not cumulative to the art of record.

6. Relief Requested

  • Petitioner requests institution of an IPR and cancellation of claims 1-17 of the ’591 patent as unpatentable.