`
`
`
`
`
`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`
`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`
`
`
`
`ZSCALER, INC.
`Petitioner
`
`v.
`
`
`
`SYMANTEC CORPORATION,
`PATENT OWNER
`
`
`
`
`
`
`Case IPR 2017-01345
`Patent No. 7,392,543
`
`
`
`
`
`
`
`
`
`
`
`1160301
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`PETITION FOR INTER PARTES REVIEW OF
`U.S. PATENT NO. 7,392,543
`UNDER 35 U.S.C. §§ 311-319 AND 37 C.F.R. § 42.100 ET SEQ.
`
`
`
`Mail Stop: Patent Board
`Patent Trial and Appeal Board
`United States Patent and Trademark Office
`P.O. Box 1450
`Alexandria, VA 22313-1450
`
`
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`
`TABLE OF CONTENTS
`
`
`I.
`
`INTRODUCTION ............................................................................................... 1
`
`II. BACKGROUND ................................................................................................. 1
`
`A. Description of the Alleged Invention of the ’543 Patent .............................. 1
`B. Person of Ordinary Skill in the Art ............................................................... 4
`C. Prosecution History ....................................................................................... 4
`III. REQUIREMENTS FOR INTER PARTES REVIEW UNDER 37 C.F.R. §
`42.104 .................................................................................................................. 7
`
`A. Grounds for Standing Under 37 C.F.R. § 42.104(a) ..................................... 7
`B. Identification of Challenge Under 37 C.F.R. § 42.104(b) ............................ 7
`1. Grounds for Challenge ............................................................................ 7
`2. How the Challenged Claims Are To Be Construed Under 37 C.F.R. §
`42.104 (b) ............................................................................................................ 8
`IV. THE CHALLENGED CLAIMS ARE UNPATENTABLE .............................14
`
`A. Ground 1: Claims 1-3, 5-8, 20, 22, 26, and 29-31 are anticipated under 35
`U.S.C. § 102 by Arnold. ..............................................................................14
`1. Claim 1 ..................................................................................................16
`2. Claim 30 ................................................................................................29
`3. Claims 2 and 7 .......................................................................................30
`4. Claims 3 and 8. ......................................................................................31
`5. Claim 5 ..................................................................................................32
`6. Claim 6 ..................................................................................................33
`7. Claim 31 ................................................................................................35
`8. Claim 20 ................................................................................................35
`9. Claim 29 ................................................................................................40
`10. Claim 22 ................................................................................................41
`11. Claim 26 ................................................................................................41
`B. Ground 2: Claims 4, 9-19, and 21 are obvious under 35 U.S.C. § 103 in
`view of Arnold and the knowledge of one of ordinary skill in the art........42
`
`
`
`i
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`
`1. Claims 4 and 9 .......................................................................................43
`2. Claim 10 ................................................................................................44
`3. Claims 11, 12, 14, and 15......................................................................46
`4. Claims 13 and 16 ...................................................................................47
`5. Claim 17 ................................................................................................48
`6. Claim 18 ................................................................................................49
`7. Claim 19 ................................................................................................49
`8. Claim 21 ................................................................................................50
`C. Ground 3: Claims 20 and 29 are obvious under 35 U.S.C. § 103 in view of
`Arnold and Nachenberg ’008. .....................................................................50
`D. Ground 4: Claims 23-25 and 27-28 are obvious under 35 U.S.C. § 103 in
`view of Arnold and White. ..........................................................................53
`V. SECONDARY CONSIDERATIONS ...............................................................55
`
`VI. THE OFFICE DID NOT PREVIOUSLY CONSIDER THE GROUNDS
`PRESENTED IN THIS PETITION ..................................................................55
`
`VII. NOTICES, STATEMENTS AND PAYMENT OF FEES UNDER 37 C.F.R.
`§ 42.8(A)(1) .......................................................................................................56
`
`A. Real Party In Interest Under 37 C.F.R. § 42.8(b)(1) ...................................56
`B. Pending Related Matters Under 37 C.F.R. § 42.8(b)(2) .............................56
`C. Lead and Back-Up Counsel Under 37 C.F.R. § 42.8(b)(3) ........................57
`D. Service Information Under 37 C.F.R. § 42.8(b)(4) .....................................57
`E. Fees Under 37 C.F.R. § 42.103 ...................................................................57
`VIII. CONCLUSION ..............................................................................................58
`
`
`
`
`
`
`
`ii
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`
`PETITIONERS’ EXHIBIT LIST
`
`
`Exhibit 1003
`
`Exhibit 1004
`Exhibit 1005
`
`Description
`Exhibit No.
`Exhibit 1001 U.S. Patent No. 7,392,543 to Szor (“the ’543 patent”)
`Exhibit 1002
`’543 patent File History excerpt, February 26, 2007 Information
`Disclosure Statement
`’543 patent File History excerpt, May 4, 2007 Non-Final
`Rejection
`’543 patent File History excerpt, June 5, 2007 Amendment
`’543 patent File History excerpt, August 20, 2007 Final
`Rejection
`Exhibit 1006
`’543 patent File History excerpt, Appeal Brief
`Exhibit 1007
`’543 patent File History excerpt, Notice of Allowability
`Exhibit 1008 U.S. Patent No. 5,440,723 to Arnold, et al. (“Arnold”)
`Exhibit 1009 U.S. Patent No. 6,357,008 to Nachenberg (“Nachenberg ’008”)
`Exhibit 1010 White et al., “Anatomy of a Commercial-Grade Immune
`System,” (June 1999) (“White”)
`Exhibit 1011 Declaration of Professor Erez Zadok, PhD in Support of Petition
`for inter partes review
`Exhibit 1012 Curriculum vitae of Professor Erez Zadok
`Exhibit 1013 Excerpt of Microsoft’s Computer Dictionary, 5th edition (2002),
`Definition of Packet
`Exhibit 1014 U.S. Patent No. 7,228,563 to Szor (“Szor ’563”)
`Exhibit 1015 U.S. Patent No. 7,287,281 to Szor (“Szor ’281”)
`Exhibit 1016 U.S. Patent No. 6,546,493 to Magdych, et al. (“Magdych”)
`Exhibit 1017 U.S. Patent No. 6,412,071 to Hollander, et al. (“Hollander”)
`Exhibit 1018 U.S. Patent App. Pub. No. 2003/0088680 (“Nachenberg ’680”)
`Exhibit 1019 U.S. Patent No. 6,611,925 to Spear, et al.
`Exhibit 1020 U.S. Patent No. 7,340,777 to Szor (“Szor ’777”)
`Exhibit 1021 U.S. Patent No. 7,093,239 to van der Made
`Exhibit 1022 U.S. Patent No. 6,016,546 to Kephart, et al.
`
`
`
`iii
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`
`Exhibit 1023 M. G. Schultz, E. Eskin, E. Zadok, and S. J. Stolfo, “Data mining
`methods for detection of new malicious executables,” In
`Proceedings of the IEEE Symposium on Security and Privacy,
`pages 38–49, Oakland, CA, May 2001
`Exhibit 1024 W. Lee, W. Fan, M. Miller, S. Stolfo, and E. Zadok, “Toward
`cost-sensitive modeling for intrusion detection and response,”
`Journal of Computer Security, 10(1–2):5–22, January 2002
`Exhibit 1025 U.S. Patent No. 7,979,907 to Shultz, et al.
`Exhibit 1026 U.S. Patent No. 7,487,544 to Shultz, et al.
`Exhibit 1027 Eugene H. Spafford, “The Internet Worm Program: An
`Analysis,” published December 8, 1988
`
`
`
`iv
`
`
`
`
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`I. INTRODUCTION
`
`Zscaler, Inc. (“Zscaler” or “Petitioner”) petitions for inter partes review of
`
`claims 1-31 of U.S. Patent No. 7,392,543 (“the ’543 patent,” Ex. 1001), and
`
`requests a finding that each claim is unpatentable. As the examiner of the
`
`application for the ’543 patent understood, the claims recite a series of well-
`
`known, prior-art techniques in the field of virus and malware detection. The
`
`applicant tried to distinguish the prior art during prosecution by adding claim
`
`limitations, but those limitations are also disclosed by the prior art. If the examiner
`
`had been able to consider the references and combinations relied on herein, none of
`
`the challenged claims would have issued.
`
`This Petition demonstrates a reasonable likelihood that Zscaler will establish
`
`invalidity of at least one (in fact, all) of the challenged claims based on the grounds
`
`and prior art references relied on below. An explanation of why each claim is
`
`unpatentable under 35 U.S.C. § 102 and/or § 103 is provided. Additional
`
`explanation and support is set forth in the Declaration of Professor Erez Zadok
`
`(“Zadok,” Ex. 1011) and other exhibits.
`
`II. BACKGROUND
`
`A. Description of the Alleged Invention of the ’543 Patent
`
`The ’543 patent issued on June 24, 2008 from U.S. Patent Application No.
`
`10/611,472, which was filed on June 30, 2003. See Ex. 1001 (’543) at 1. Patent
`
`1160301
`
`1
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`owner Symantec Corp. (“Symantec”)1 has not asserted a priority date for any claim
`
`of the ’543 patent before June 30, 2003.
`
`The ’543 patent generally relates to a computer security system that detects
`
`“malicious code” (e.g., computer viruses and worms) and then generates signatures
`
`for that malicious code. See, e.g., Ex. 1001 (’543) at Abstract, 1:60-67. When
`
`malicious code is detected, a host computer sends an “extracted malicious code
`
`packet,” including extracted “signatures” or “parameters associated with” the
`
`malicious code, to a “local analysis center” for further analysis. Id.; see also id. at
`
`Fig. 3.
`
`The Background section of the ’543 patent discusses several commercial
`
`prior art computer “immune systems” or “intrusion detection systems,” such as
`
`IBM’s Digital Immune System, Symantec’s ManHuntTM system, or the open
`
`source “snort” system. See id. at 1:11-47. The ’543 patent criticizes alleged
`
`limitations of these systems. Id. It purports to improve on the prior art by more
`
`“rapidly detect[ing] and prevent[ing]” the “spread of the malicious code.” Id. at
`
`2:7-8.
`
`The’543 patent describes and claims a number of known prior-art techniques
`
`
`1 Petitioner’s identification of Symantec as the patent owner is based on
`
`Symantec’s allegation of ownership in the District Court Litigation.
`
`1160301
`
`2
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`for detecting and reporting malicious code. As detailed herein and in the Zadok
`
`Declaration, the ’543 patent was far from the first patent or publication to describe
`
`a system that detects malicious code, extracts snippets and signatures from that
`
`code, or notifies an analysis center. By the filing date of the ’543 patent, these
`
`were standard functions of existing virus detection and security software products.
`
`Ex. 1011 (Zadok) at ¶¶ 64-88. For instance, the ’543 patent itself admits that the
`
`mechanics of creating and sending the claimed “malicious code packet” were well-
`
`known in the art and not novel:
`
`Protocols and formats for network packets are well known to
`those of skill in the art and depend, for example, on the
`particular type of network 106, and so create extracted
`malicious code packet operation 214A is not discussed further
`to avoid detracting from the principals of the invention.
`
`Ex. 1001 (’543) at 10:32-36.
`
`Independent method claims 1 and 6―and their counterpart system claims 30
`
`and 31 respectively―share limitations and differ only in whether a “malicious
`
`code signature” (claim 1) or “parameters associated with said malicious code”
`
`(claim 6) are extracted and included in the “malicious code packet.” Id. at 18:7-20,
`
`18:34-46. As explained below, the specific technique for extracting a malicious
`
`code signature, and the specific list of parameters, were added during prosecution
`
`to obtain allowance over the examiner’s rejection. But as shown below, none of
`
`the added limitations were actually novel at the time of the alleged invention,
`
`1160301
`
`3
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`because prior-art patents and publications already disclosed detecting attacks,
`
`extracting signatures or parameters from the malicious code (including the specific
`
`techniques and parameters added to the claims), creating malicious code packets,
`
`and sending them to analysis centers. See, e.g., Ex. 1011 (Zadok) at ¶¶ 68-81.
`
`B. Person of Ordinary Skill in the Art
`
`A person of ordinary skill in the art at the time of the alleged invention of
`
`the ’543 patent would have had at least a bachelor’s (four-year) degree in computer
`
`science, computer engineering, or a related field; and a few years of experience in
`
`software development, preferably related to cyber-security or information
`
`assurance. A higher level of education might make up for less experience or skill,
`
`and vice-versa. Ex. 1011 (Zadok) at ¶¶ 35-36. Such a person would have been
`
`familiar with the techniques disclosed in publications and patents related to well-
`
`known prior art such as IBM’s Digital Immune System. Id. at ¶¶ 66-88.
`
`C. Prosecution History
`
`The examiner found all of the original claim limitations in the prior art and
`
`rejected the then-pending claims as anticipated by U.S. Patent No. 6,546,493 to
`
`Magdych et al. (Ex. 1016). See Ex. 1003 (May 4, 2007 Non-Final Rejection) at 2-
`
`20. The examiner found that Magdych “clearly encompasses the claimed
`
`limitations as broadly interpreted by the examiner” for each limitation of each
`
`claim then presented. Id. For example, Magdych clearly disclosed the detecting,
`
`1160301
`
`4
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`extracting, creating, and sending steps of independent claims 1 and 27, now claims
`
`1 and 30. See id. at 3-4. It also clearly disclosed the attack threshold limitation of
`
`claims 16 and 29, now claims 20 and 29, via its discussion of “risk assessment.”
`
`Id. at 13-14.
`
`To overcome the rejection, the applicant amended each of the independent
`
`claims. See Ex. 1004 (June 5, 2007 Amendment) at 3-9. Claims 1 and 27, now
`
`claims 1 and 30, were amended to add requirements to the extracting limitation,
`
`namely “locating a caller’s address of said malicious code in a memory of said first
`
`computer system” and “extracting a specific number of bytes backwards from said
`
`caller’s address.” Id. at 3, 7. Claims 5 and 28, now claims 6 and 31, were
`
`amended to include a list of specific parameters. Id. at 3-4, 7-8. Claims 16 and 29,
`
`now claims 20 and 29, were amended to include the requirement of “delivering a
`
`signature update comprising a malicious code signature to an intrusion detection
`
`system” after the attack threshold has been determined to be exceeded. Id. at 5-6,
`
`8; see also Ex. 1011 (Zadok) at ¶¶ 91-93.
`
`These amendments eventually led to allowance. See Ex. 1011 (Zadok) at ¶¶
`
`94-96. In particular, the new “locating a caller’s address” and “extracting a
`
`specific number of bytes backward” limitations were discussed by the examiner,
`
`who believed the limitations to be satisfied by the prior art teaching of “the
`
`collection of the stack/frame involved in the area of memory associated with the
`
`1160301
`
`5
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`address of the malicious code.” Ex. 1005 (August 20, 2007 Final Rejection) at 23-
`
`24. Applicant disputed that this well-known concept was actually taught in the
`
`particular asserted reference. See Ex. 1006 (Appeal Brief ) at 14.
`
`In the final Notice of Allowance, the examiner concluded:
`
`Nowhere in the prior art is found collectively the italicized claim
`elements (i.e., the specific aspects of signature extraction of [specific
`block/bytes] malware [executable] code, relative to the calling address
`location [backwards], with the subsequent forwarding to another
`processing [computer] system), at the time of the invention, serving to
`patently distinguish the invention from said prior art.
`
`Ex. 1007 (Notice of Allowability) at 2. The examiner did not find or call out any
`
`limitations of the dependent claims to be novel in themselves over the prior art,
`
`instead merely stating that the dependent claims were “allowable by virtue of their
`
`dependencies” on the amended independent claims. Id. at 3.
`
`In summary, the examiner did not find any of the individual steps of the
`
`independent (or dependent) claims to be novel, but instead allowed the claims
`
`because of the belief that the limitations were not disclosed “collectively” with, for
`
`example, “the specific aspects of signature extraction of [specific block/bytes]
`
`malware [executable] code, relative to the calling address location [backwards].”
`
`Id. As shown below, however, the prior art not before the examiner actually
`
`disclosed all of the supposedly distinguishing limitations added by claim
`
`amendments―but that art was not considered.
`
`1160301
`
`6
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`III. REQUIREMENTS FOR INTER PARTES REVIEW UNDER 37 C.F.R.
`§ 42.104
`
`A. Grounds for Standing Under 37 C.F.R. § 42.104(a)
`
`
`
`Zscaler certifies under 37 C.F.R. § 42.104(a) that the ’543 patent is available
`
`for inter partes review, and that Zscaler is not barred or estopped from requesting
`
`inter partes review based on the grounds herein, specifically: (i) Zscaler does not
`
`own the ’543 patent; (ii) Zscaler has not filed a civil action challenging the validity
`
`of any claim of the ’543 patent, and (iii) this Petition is filed less than one year
`
`after the date that Zscaler was first served with a complaint alleging infringement
`
`of the ’543 patent.
`
`B. Identification of Challenge Under 37 C.F.R. § 42.104(b)
`
`1. Grounds for Challenge
`
`Zscaler requests inter partes review of the challenged claims in view of the
`
`references, and on the grounds described, below:
`
`a. Ground 1: Claims 1-3, 5-8, 20, 22, 26, and 29-31 are invalid as anticipated
`
`under 35 U.S.C. § 102 by U.S. Patent No. 5,440,723 to Arnold et al.
`
`(“Arnold”) (Ex. 1008).
`
`b. Ground 2: Claims 4, 9-19, and 21 are invalid as obvious under 35 U.S.C. §
`
`103 in view of Arnold and the knowledge of one of ordinary skill in the art.
`
`1160301
`
`7
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`
`c. Ground 3: Claims 20 and 29 are invalid as obvious under 35 U.S.C. § 103
`
`in view of Arnold and U.S. Patent No. 6,357,008 to Nachenberg
`
`(“Nachenberg ’008”) (Ex. 1009).
`
`d. Ground 4: Claims 23-25, and 27-28 are invalid as obvious under 35 U.S.C.
`
`§ 103 in view of Arnold and White et al., “Anatomy of a Commercial-Grade
`
`Immune System,” June 1999 (“White”) (Ex. 1010).
`
`Section IV identifies where each limitation of the challenged claims is found
`
`in the prior-art references. 37 C.F.R. § 42.104(b)(4). The exhibit numbers of the
`
`supporting evidence relied upon to support the challenges are provided above and
`
`the relevance of the evidence to the challenges raised are provided in Section IV.
`
`37 C.F.R. § 42.104(b)(5).
`
`2. How the Challenged Claims Are To Be Construed Under 37 C.F.R. § 42.104
`(b)
`
`“A claim in an unexpired patent that will not expire before a final written
`
`decision is issued shall be given its broadest reasonable construction in light of the
`
`specification of the patent in which it appears.” 37 C.F.R. § 42.100(b). Zscaler
`
`proposes the following broadest reasonable constructions for the claim terms
`
`below. The constructions are offered solely for purposes of this Petition and do not
`
`necessarily reflect appropriate claim constructions in a Markman hearing in
`
`litigation. Claim construction has yet to occur in the District Court Litigation, and
`
`to Zscaler’s knowledge the claim terms have not been previously construed.
`8
`
`1160301
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`
`a. “caller’s address”
`
`The broadest reasonable interpretation for “caller’s address” is a “memory
`
`location of the malicious code.”
`
`The ’543 patent defines “caller’s address” in the specification as including
`
`“the memory location, sometimes called the caller’s address, of the malicious
`
`code.” Ex. 1001 (’543) at 5:19-24, 5:45-50. Zscaler’s proposed construction
`
`tracks this definition verbatim. In addition to the specification, the claim language
`
`itself makes clear that the caller’s address is a memory location of the malicious
`
`code. For example, in claim 1, the caller’s address is “of said malicious code in a
`
`memory.” Id. at 18:13-14. The ’543 specification also incorporates “by reference
`
`in its entirety” an application that led to U.S. Patent No. 7,287,281 (“Szor ’281,”
`
`Ex. 1015). Ex. 1001 (’543) at 3:54-58. The incorporated application and patent
`
`contains further disclosure consistent with the proposed construction that “the
`
`Caller’s Address is an address located in the malicious code.” Ex. 1015 (Szor
`
`’281) at 7:42-47; see also Ex. 1011 (Zadok) at ¶¶ 99-105.
`
`Additionally, the ’543 specification describes an embodiment in which “the
`
`caller’s address is the memory location of the instruction or set of instructions that
`
`originated the critical operating system function call.” Ex. 1001 (’543) at 5:57-59.
`
`An example is given in the specification in which the caller’s address is the “call”
`
`instruction at location “00000174,” referred to in the example as a “sendto()”
`
`1160301
`
`9
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`instruction, and the corresponding malicious code signature is the 32 bytes of
`
`malicious code extracted from the memory locations preceding it. Id. at 9:38-10:4.
`
`In another embodiment in the specification, the caller’s address is similarly
`
`referred to as “the location of the sendto( ) API of the malicious code.” Id. at 6:9-
`
`11.
`
`A person of ordinary skill in the art would understand that, while the
`
`“caller’s address” memory location described in the ’543 patent may be at or near
`
`the beginning (or “head”) of the malicious code in memory, it may not be the very
`
`first malicious code instruction location in memory. See Ex. 1011 (Zadok) at ¶¶
`
`103-104. Whether in the front or middle of the malicious code, the “caller’s
`
`address” is the address, within the malicious code in memory, of the hooked
`
`system call instruction at which the system detects the malicious code. Id.
`
`That person of ordinary skill would therefore understand that the claim
`
`requirement of “extracting a specific number of bytes backward” from the caller’s
`
`address location could capture an extracted malicious code signature, made up of a
`
`specific sequence of bytes of the malicious code, according to the claims. For
`
`example, in the embodiment given in the ’543 patent, the 32-byte sequence of
`
`bytes of the malicious code starts at (hexadecimal) location 00000155, which is 32-
`
`bytes backwards from the caller’s address location at (hexadecimal) 00000174.
`
`See Ex. 1001 (’543) at 9:38-10:4; Ex. 1011 (Zadok) at ¶ 100. This is consistent
`
`1160301
`
`10
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`with each of the constructions proposed here.
`
`For all of these reasons, the broadest reasonable interpretation of “caller’s
`
`address” in the claims in light of the specification is a “memory location of the
`
`malicious code.”
`
`b. “malicious code signature”
`
`The broadest reasonable interpretation for “malicious code signature” is
`
`“specific sequence of bytes of the malicious code.”
`
`The proposed construction is what would be understood by a person of
`
`ordinary skill in light of the specification. Ex. 1011 (Zadok) at ¶¶ 106-109. First,
`
`the proposed construction is supported by the plain meaning of the claim language
`
`itself, which describes obtaining the malicious code signature by “extracting a
`
`specific number of bytes” back from the caller’s address “of the malicious code.”
`
`Ex. 1001 (’543) at 18:11-16 (claim 1), 18:32-33 (claim 5).
`
`The specification supports the proposed construction, explaining that the
`
`malicious code signature is made up of bytes “extracted” from the code itself,
`
`rather than being a mere identifier assigned to the code. See, e.g., Ex. 1001 (’543)
`
`at 9:25-29 (“In extract malicious code signature operation 304, the signature,
`
`sometimes called malicious code signature, of the malicious code is extracted.
`
`For example, a custom size signature from the malicious code is extracted using an
`
`extraction engine.”) (emphasis added). The specification also directly defines a
`
`1160301
`
`11
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`signature as a “specific sequence of information, e.g., bytes.” Id. at 9:29-32
`
`(emphases added); see also id. at 9:38-10:4 (example of an extracted malicious
`
`code signature that is a 32-byte sequence of the malicious code).
`
`This construction is further supported in the prosecution history. In the
`
`“Summary of Claimed Subject Matter” in the appeal brief leading to allowance, the
`
`applicant described the “malicious code signature” as follows:
`
`For example, a custom size signature from the malicious code is
`extracted using an extraction engine. In one embodiment, the
`malicious code signature is 32 bytes of the malicious code
`extracted backwards from the callers address. A signature is a
`specific sequence of information, e.g., bytes.
`
`Ex. 1006 (Appeal Brief) at 6 (emphasis in original). In sum, a “malicious code
`
`signature” is a “specific sequence of bytes of the malicious code” in the ’543
`
`patent.
`
`c. “attack threshold”
`
`The broadest reasonable interpretation for “attack threshold” is “a minimum
`
`level of suspicious activity associated with the received extracted malicious code
`
`packets that results in a conclusion that an attack has occurred.”
`
`The proposed construction is consistent with the specification, as understood
`
`by one of ordinary skill in the art. See Ex. 1011 (Zadok) at ¶¶ 110-112. The
`
`specification explicitly defines an “attack threshold” to be “a minimum threshold
`
`of suspicious activity associated with the received extracted malicious code
`
`1160301
`
`12
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`packets to results [sic] in a conclusion that an attack has occurred.” Ex. 1001
`
`(’543) at 12:66-13:2. The proposed construction tracks this given definition
`
`verbatim.
`
`The sole disclosed embodiment in the specification also is consistent with
`
`the proposed construction, providing an example of a threshold implemented as a
`
`“counter” that “is incremented each time an extracted malicious code packet is
`
`received by local analysis center computer system.” Id. at 13:3-5. That counter
`
`may be “incremented more or less” (i.e., weighted) based on different levels of
`
`suspicion associated with different malicious code packets, such that a single
`
`instance of a particular suspicious packet could exceed the attack threshold. Id. at
`
`13:5-29.
`
`d. “sendable”
`
`The broadest reasonable interpretation for “sendable” is “small enough to be
`
`sent without unacceptable network congestion.”
`
`The proposed construction is consistent with the explicit definition and
`
`disclosed embodiments in the specification, as well as the understanding of a
`
`person of ordinary skill in the art. See Ex. 1011 (Zadok) at ¶¶ 113-114. The patent
`
`specification refers to “malicious code sendable check operation 206” which is, in
`
`all disclosed embodiments, a size check. See, e.g., Ex. 1001 (’543) at 5:12-17 (“As
`
`is well known to those of skill in the art, shell code is written in a very short and
`
`1160301
`
`13
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`compact way and is therefore typically sendable”), 5:33-36 (“if the size of the
`
`malicious code is greater than 8 KB, . . . the malicious code is not sendable”), 5:40-
`
`41 (“relatively long and not sendable”). The ’543 patent defines “sendable”
`
`generally as being small enough to be sent without “unacceptable congestion” on
`
`the network. Id. at 5:37-39 (“Generally, the malicious code is not sendable if
`
`sending of the malicious code on network 106 causes unacceptable congestion.”).
`
`IV. THE CHALLENGED CLAIMS ARE UNPATENTABLE
`
`Pursuant to 37 C.F.R. §§ 42.104(b)(4) and (b)(5), Zscaler sets forth an
`
`explanation below of why the challenged claims are unpatentable under 35 U.S.C.
`
`§ 102 and/or § 103. The claim charts identify the exemplary supporting evidence
`
`relied upon to support the challenge by exhibit number and set forth the relevance
`
`of the evidence to the challenge raised, including an identification of those specific
`
`portions of the evidence that support the challenge. An Exhibit List (see 37 C.F.R.
`
`§ 42.63(e)) identifying the Declaration of Professor Erez Zadok (Ex. 1011) and
`
`other evidence supporting the petition is also included, supra, at p. iii.
`
`A. Ground 1: Claims 1-3, 5-8, 20, 22, 26, and 29-31 are anticipated under
`35 U.S.C. § 102 by Arnold.
`
`Claims 1-3, 5-8, 20, 22, 26, and 29-31 are invalid as anticipated by U.S.
`
`Patent No. 5,440,723 to Arnold, et al. (“Arnold”), entitled “Automatic Immune
`
`System for Computers and Computer Networks.” Ex. 1008 (Arnold) at 1. Arnold
`
`is prior art to the ’543 patent under pre-AIA 35 U.S.C. §§ 102(a), (b), and (e), as it
`14
`
`1160301
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`issued on August 8, 1995 from an application filed on January 19, 1993. Id.
`
`One of the objects of Arnold’s invention was to “provide methods and
`
`apparatus to automatically detect and extract a signature from an undesirable
`
`software entity, such as a computer virus or worm.” Id. at 2:34-37 (emphases
`
`added). Another object of Arnold’s invention was to “provide methods and
`
`apparatus for immunizing a computer system, and also a network of computer
`
`systems, against a subsequent infection by a previously unknown and undesirable
`
`software entity.” Id. at 2:38-42.
`
`Arnold accomplished this immunization by sending packets over the
`
`network with “all pertinent details of the viral infection, such as the set of
`
`signatures extracted thus far, so that an expert, either human or software program,
`
`can identify the problem as quickly as possible.” Id. at 20:64-68.
`
`Arnold is addressed to the same problems of malware detection and
`
`prevention as addressed in the ’543 patent. The similarities in the solutions can be
`
`seen from comparing Figure 2 of Arnold with Figure 3 of the ’543 patent, as
`
`below. Both figures clearly show the primary limitations of, for example, ’543
`
`independent claims 1 and 30, including a detection step (compare “Anomalous
`
`Behavior Detected” with “Attack?”), extraction of a malicious code signature
`
`(compare “Extract Signature From Code” with “Extract Malicious Code
`
`Signature”), as well as creation and sending of a malicious code packet (compare
`
`1160301
`
`15
`
`

`

`Case IPR 2017-01345
`Petition for Inter Partes Review of Patent 7,392,543
`
`“Inform Other Network Processors” with “Create Extracted Malicious Code
`
`Packet” and “Send Packet”):
`
`Ex. 1008 (Arnold) at Fig. 2
`
`
`
`
`
`
`
`
`
`Ex. 1001 (’543) at Fig. 3
`
`As detailed further below, Arnold’s method of malicious code signature
`
`extraction was more complex than the comparatively simplistic appro