Ao Kaspersky Lab v. Open Text Inc

1. Case Identification

• Case #: IPR2023-01334
• Patent #: 8,418,250
• Filed: August 18, 2023
• Petitioner(s): AO Kaspersky Lab
• Patent Owner(s): Webroot, Inc.
• Challenged Claims: 1-30

2. Patent Overview

• Title: Classifying a Computer Object as Malware
• Brief Description: The ’250 patent discloses systems and methods for classifying computer objects as malware. The technology relies on a central base computer that receives behavioral data from a plurality of remote computers to analyze community-wide object behavior, moving beyond conventional signature-matching techniques.

3. Grounds for Unpatentability

Ground 1: Obviousness over Kester and Honig - Claims 1-2, 7-14, and 19-30 are obvious over Kester in view of Honig.

• Prior Art Relied Upon: Kester (Application # 2005/0210035) and Honig (Patent 7,225,343).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Kester taught the core framework of the challenged claims, including a base computer (application server) that receives data about an application’s behavior (network access data) from multiple remote computers (workstations). Kester’s base computer then uses this data to classify the application, including into a "malware" parent group. However, Petitioner asserted that Kester’s process for generating a behavioral "mask" (defining expected network activity) and classifying uncategorized applications relied on a human reviewer. To supply the missing element of automation, Petitioner turned to Honig, which it argued taught a system that uses fully automated, adaptive learning algorithms (e.g., an unsupervised SVM algorithm) to generate a model of normal behavior for a computer object and classify activity as malicious or normal, without human involvement.
  • Motivation to Combine: Petitioner contended a person of ordinary skill in the art (POSITA) would have been motivated to integrate Honig's automated model generation into Kester's system for several reasons. First, Kester expressly contemplated that its categorization process "can be based upon... adaptive learning systems," providing a clear suggestion to look to prior art like Honig. Second, a stated goal of Kester was to "enhance productivity of the human reviewer," and automating the mask generation and classification processes with Honig’s teachings would be a predictable and direct way to achieve this goal by reducing the reviewer's workload.
  • Expectation of Success: Petitioner asserted a POSITA would have had a reasonable expectation of success in combining the references. Honig’s disclosure of fully automated model generation using known algorithms represented a predictable improvement to Kester’s system, which was already designed to collect the necessary behavioral data and already contemplated using such learning systems.

Ground 2: Obviousness over Kester, Honig, and Kennedy - Claims 3-6 and 15-18 are obvious over Kester in view of Honig and Kennedy.

• Prior Art Relied Upon: Kester (Application # 2005/0210035), Honig (Patent 7,225,343), and Kennedy (Patent 7,594,272).
• Core Argument for this Ground:
  • Prior Art Mapping: This ground built upon the Kester/Honig combination to further challenge claims requiring the identification of relationships between a computer object and other objects. Petitioner argued that Kester and Honig provided the base automated malware classification system as detailed in Ground 1. Kennedy was introduced to teach a specific method for identifying relationships between files to detect malicious software. Kennedy disclosed a "file set tracking module" that monitors how a suspicious file interacts with other files (e.g., creating, modifying, or reading another file) and uses heuristics based on the collective behavior of the related files to determine if the software is malicious. For example, if one object is known malware, Kennedy taught classifying a related object it created as malware as well.
  • Motivation to Combine: Petitioner argued a POSITA would have been motivated to incorporate Kennedy's file set tracking and relationship-based heuristics into the Kester/Honig system. Kester recognized the need to monitor application files to detect rogue programs. Kennedy provided a known, effective method for doing so by analyzing the behavior of different but related files. Adding this capability would predictably improve the Kester system's ability to detect sophisticated threats and would further Kester's goal of monitoring the "ongoing behavior of the application."
  • Expectation of Success: Because file set tracking was a well-known technique for malware analysis at the time, a POSITA would have reasonably expected success in configuring Kester’s workstations to include Kennedy’s tracking module and log the relevant relational data for analysis at the base computer.

4. Key Claim Construction Positions

• "automatically": Petitioner dedicated significant argument to the construction of "automatically," a term found in all independent claims. Petitioner argued that the prosecution history of the ’250 patent unequivocally established that "automatically" means "without human involvement." This definition was crucial for the applicant to overcome prior art rejections where an administrator performed manual classification. Petitioner noted that in parallel litigation, the Patent Owner had adopted a conflicting interpretation that "automatically" could encompass human involvement. For the purposes of the IPR, Petitioner requested the Board apply the clear definition from the file history.

5. Arguments Regarding Discretionary Denial

• Petitioner argued that discretionary denial would be inappropriate under both §325(d) (based on Advanced Bionics) and §314(a) (based on Fintiv).
• Advanced Bionics: Petitioner asserted that although the Kester reference was considered during prosecution, it was presented in different combinations that failed to teach the critical "automatic" generation of a mask. The petition relied on Honig, a reference never before considered by the USPTO, to supply this key limitation, making the asserted grounds materially different from those previously evaluated.
• Fintiv Factors: Petitioner argued the factors weighed in favor of institution because: (1) a stay of the parallel district court litigation was likely; (2) the Board’s Final Written Decision would issue before the likely trial date, which is complicated by multiple defendants and patents; (3) investment in the parallel proceeding was minimal as discovery was in its early stages; and (4) the petition presented a compelling case for unpatentability.

6. Relief Requested

• Petitioner requested the institution of an inter partes review, the cancellation of claims 1-30 of the ’250 patent as unpatentable, and joinder with the instituted proceeding in IPR2023-00289.