throbber
Trials@uspto.gov
`571-272-7822
`
`
`
`
`
`
`
`
`
` Paper 15
`
`
` Entered: November 15, 2018
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`
`
`
`
`
`ZSCALER INC.,
`Petitioner,
`
`v.
`
`SYMANTEC CORPORATION,
`Patent Owner.
`____________
`
`Case IPR2018-00916
`Patent 7,360,249 B1
`____________
`
`DECISION
`Instituting Inter Partes Review
`35 U.S.C. § 314
`
`
`
`Before JEFFREY S. SMITH, BRYAN F. MOORE, and NEIL T. POWELL,
`Administrative Patent Judges.
`
`MOORE, Administrative Patent Judge.
`
`
`
`
`I. INTRODUCTION
`Zscaler Inc. (“Petitioner”) requests inter partes review of claims 1–2,
`5–9, 12–17, 20 and 22 of U.S. Patent No. 7,360,249 B1 (“the ’249 patent,”
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`Ex. 1001) pursuant to 35 U.S.C. §§ 311 et seq. Paper 1 (“Pet.”). Petitioner
`relies on the testimony of Dr. Erez Zadok. Ex. 1003. Symantec Corporation
`(“Patent Owner”) filed a preliminary response. Paper 10 (“Prelim. Resp.”).
`Institution of an inter partes review is authorized by statute when “the
`information presented in the petition . . . and any response . . . shows that
`there is a reasonable likelihood that the petitioner would prevail with respect
`to at least 1 of the claims challenged in the petition.” 35 U.S.C. § 314(a);
`see 37 C.F.R. § 42.108. Upon consideration of the Petition and Preliminary
`Response, we conclude the information presented shows there is a
`reasonable likelihood that Petitioner would prevail in establishing the
`unpatentability of claims 1–2, 5–9, 12–17, 20 and 22 of the ’249 patent.
`
`A. Related Matters
`A decision in this proceeding could affect or be affected by the
`following case pending in the United States District Court for the Central
`District of California and involving the ’249 patent: Symantec Corp. and
`Symantec Ltd. v. Zscaler, Inc., Case No. 17-cv-04414 (N.D. Cal.). Pet. 3;
`Paper 5, 3.
`
`B. The ’249 patent
`The ’249 patent is directed to “computer security, and in particular, to
`detecting and blocking malicious code propagation on computer systems.”
`Ex. 1001, 1:6–8. The ’249 patent provides that “[c]omputer systems face a
`threat of attack by malicious computer code, such as worms, viruses, and
`Trojan horses.” Id., 1:12–13.
`
`
`2
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`C. Illustrative Claim
`Independent claim 1, reproduced below, is illustrative of the claimed
`subject matter:
`implemented method for preventing
`1.
`A computer
`malicious code from propagating in a computer, the method
`comprising the steps of:
`
`a blocking-scanning manager detecting attempted
`malicious behavior of running code;
`responsive to
`the detection, the blocking-scanning
`manager blocking the attempted malicious behavior;
`the blocking-scanning manager generating a signature to
`identify the code that attempted the malicious behavior;
`the blocking-scanning manager detecting code identified
`by the signature, wherein detecting code identified by the
`signature comprises;
`
`the blocking-scanning manager alerting a user of the
`detection; and the blocking-scanning manager allowing the user
`to choose whether or not to block the execution of the identified
`code;
`the blocking-scanning manager overriding the user’s
`choice responsive to the user incorrectly choosing to block non-
`malicious behavior or incorrectly choosing not to block
`malicious behavior; and
`
`the blocking-scanning manager blocking the execution of
`the identified code.
`
`
`
`Ex. 1001, 11:5–27.
`
`
`
`
`
`
`
`
`
`3
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`D. Asserted Grounds of Unpatentability
`Petitioner asserts that claims 1–2, 5–9, 12–17, 20, and 22 are
`unpatentable based on the following grounds:
`
`
`Reference(s)
`AppletTrap1
`
`AppletTrap and Wells2
`
`Pet. 4.
`
`Basis
`§ 103
`
`§ 103
`
`Claims challenged
`1–2, 5–9, 12, 16–17, 20,
`and 22
`13–15
`
`II. DISCUSSION
`
`Relevant Law
`A.
`Obviousness
`1.
`A claim is unpatentable under 35 U.S.C. § 103(a) if the differences
`between the claimed subject matter and the prior art are such that the subject
`matter, as a whole, would have been obvious at the time the invention was
`made to a person having ordinary skill in the art to which said subject matter
`pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The
`question of obviousness is resolved on the basis of underlying factual
`determinations including (1) the scope and content of the prior art; (2) any
`differences between the claimed subject matter and the prior art; (3) the level
`of skill in the art; and (4) where in evidence, so-called secondary
`considerations, including commercial success, long-felt but unsolved needs,
`
`
`1 TREND MICRO INTERSCAN APPLETTRAP GETTING STARTED GUIDE, archived
`at Wayback machine on May 4, 2003 (“AppletTrap,” Ex. 1005).
`2 US Patent Application Pub. No. 6,338,141, filed Sep. 30, 1998, published
`Jan. 8, 2002. (“Wells,” Ex. 1007).
`
`4
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`failure of others, and unexpected results. 3 Graham v. John Deere Co.,
`383 U.S. 1, 17−18 (1966) (“the Graham factors”).
`Level of Skill
`2.
`For an obviousness analysis, prior art references must be “considered
`together with the knowledge of one of ordinary skill in the pertinent art.”
`In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994) (quoting In re Samour,
`571 F.2d 559, 562 (CCPA 1978)). Moreover, “it is proper to take into
`account not only specific teachings of the reference but also the inferences
`which one skilled in the art would reasonably be expected to draw
`therefrom.” In re Preda, 401 F.2d 825, 826 (CCPA 1968). That is because
`an obviousness analysis “need not seek out precise teachings directed to the
`specific subject matter of the challenged claim, for a court can take account
`of the inferences and creative steps that a person of ordinary skill in the art
`would employ.” KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 418 (Fed. Cir.
`2007); In re Translogic Tech., Inc., 504 F.3d 1249, 1259 (Fed. Cir. 2007).
`Petitioner asserts a person of ordinary skill in the art of the subject
`matter of the ’249 patent would have had a “Bachelor of Science degree in
`computer science, computer engineering, or a similar degree, along with at
`least 2-3 years of experience in software development, preferably related to
`cyber-security or information assurance [and a] higher level of education
`may substitute for a lesser amount of experience, and vice versa.” Pet. 14
`(citing Ex. 1003, ¶¶ 34–37). Patent Owner’s proposed level of skill does not
`differ, in any way relevant to determinations made in this decision, from
`Petitioner’s statement nor does Patent Owner argue that there is any
`
`3 Patent Owner does not put forth evidence it alleges tends to show
`secondary considerations of non-obviousness in its Preliminary Response.
`5
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`significance difference between the two articulations of level of skill.
`Prelim Resp. 7–8. Thus, we adopt Petitioner’s articulation of the level of
`skill and acknowledge that the level of ordinary skill in the art is also
`reflected by the prior art of record. See Okajima v. Bourdeau, 261 F.3d
`1350, 1355 (Fed. Cir. 2001); In re GPAC Inc., 57 F.3d 1573, 1579 (Fed. Cir.
`1995); In re Oelrich, 579 F.2d 86, 91 (CCPA 1978).
`
`Claim Construction
`B.
`In an inter partes review, we construe claim terms in an unexpired
`patent according to their broadest reasonable construction in light of the
`specification of the patent in which they appear. 37 C.F.R. § 42.100(b).
`Consistent with the broadest reasonable construction, claim terms are
`presumed to have their ordinary and customary meaning as understood by a
`person of ordinary skill in the art in the context of the entire patent
`disclosure. In re Translogic Tech., 504 F.3d at 1257.
`1. “a running code blocking module, configured to block the
`attempted malicious behavior in response to positive detection” -
`claim 16
`Each limitation in the body of challenged claim 16 recites a “module”
`which is “configured to” perform a function. Under 35 U.S.C. § 112,
`paragraph 6, “[a]n element in a claim for a combination may be expressed as
`a means or step for performing a specified function without the recital of
`structure, material, or acts in support thereof, and such claim shall be
`
`6
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`construed to cover the corresponding structure, material, or acts described in
`the specification and equivalents thereof.”4
`Patent Owner asserts:
`[T]he Petition includes no analysis of whether any claim term
`(e.g., running code detection module, running code blocking
`module, signature module, scanning module, identified code
`blocking module, alert module, blocking scanning manager)
`should be construed under § 112 ¶ 6. In addition, the Petition
`provides no (i) identification of any structure, material, or acts
`corresponding to any term that should be construed under § 112
`¶ 6 or (ii) structural analysis of the references demonstrating that
`the corresponding structure is present in such references . . . As
`a result of the Petition’s deficient § 112 ¶ 6 analysis, it fails to
`comply with the Board’s rules and caselaw.
`Prelim. Resp. 9–11.
`For example, claim 16 recites “a running code blocking module,
`configured to block the attempted malicious behavior in response to positive
`detection.” This phrase, containing a functional limitation, does not include
`the word “means” and thus presumptively is not a means-plus-function
`limitation under 35 U.S.C. § 112, paragraph 6. Williamson v. Citrix Online,
`LLC, 792 F.3d 1339, 1348 (Fed. Cir. 2015) (en banc). Nevertheless, that
`presumption can be overcome when the phrase does not recite sufficiently
`definite structure or recites function without sufficient structure for
`performing that function. Id. at 1349. That is the case here.
`
`
`
`
`4 Paragraphs 1–6 of § 112 were replaced with §§ 112(a)–(f) when § 4(c) of
`the Leahy-Smith America Invents Act, Pub. L. No. 112–29, 125 Stat. 284,
`329 (2011) (“AIA”) took effect on September 16, 2012. Because the patent
`application resulting in the ’249 patent was filed before the effective date of
`the AIA, we refer to the pre-AIA version of 35 U.S.C. § 112.
`7
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`The term “module” is so broad that it does not sufficiently convey
`definite structure. As the Federal Circuit has stated, “[g]eneric terms such as
`‘mechanism,’ ‘element,’ ‘device,’ and other nonce words that reflect nothing
`more than verbal constructs may be used in a claim in a manner that is
`tantamount to using the word ‘means’ because they ‘typically do not connote
`sufficiently definite structure.’” Id. at 1350 (citation omitted). In this case,
`“module” is used as a generic place-holder for anything that performs the
`recited function, much as the word “means” does. Id. at 1351 (recognizing
`“the term ‘module,’ standing alone is capable of operating as a ‘nonce word’
`substitute for ‘means.’”). The words before and after “module” are “running
`code blocking” and “configured to block the attempted malicious behavior.”
`Those recitations are not structural but functional. The words are generic and
`do not impart specific structure. Rather, they would literally cover any
`structure that performs the function that follows. Furthermore, the entire
`phrase reflects the typical format of a means-plus-function element that does
`employ the word “means,” with “module” substituting for “means” and
`“configured to” substituting for “for.” See Unified Patents Inc. v. Blackbird
`Tech LLC , Case IPR2017-01525, slip op. at 8–11 (PTAB Dec. 1, 2017)
`(Paper 11) (“a plain reading of the term ‘module configured to’ in context of
`the claim language suggest the term ‘module configured to’ is analogous to
`‘means for.’”)
`Accordingly, the non-means presumption is overcome by the absence
`of sufficiently definite structure in the language used and by the fact that the
`language at issue recites function without sufficient structure for performing
`that function. We decide, preliminarily, the phrase “a running code blocking
`module, configured to block the attempted malicious behavior in response to
`
`8
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`positive detection” can be construed as a means-plus-function element under
`35 U.S.C. § 112, paragraph 6. The function recited is “block[ing] the
`attempted malicious behavior in response to positive detection.” The words
`“running code blocking” are simply part of the name for the element and do
`not change the function recitation that comes after it.
`For a means-plus-function limitation, Petitioner is required to
`“identify the specific portions of the specification that describe the structure,
`material, or acts corresponding to each claimed function.” 37 C.F.R. §
`42.104(b)(3). As the Federal Circuit has noted: “structure disclosed in the
`specification is ‘corresponding’ structure only if the specification or
`prosecution history clearly links or associates that structure to the function
`recited in the claim. This duty to link or associate structure to function is the
`quid pro quo for the convenience of employing § 112, ¶ 6.” Saffran v.
`Johnson & Johnson, 712 F.3d 549, 562 (Fed. Cir. 2013) (quoting B. Braun
`Med., Inc. v. Abbott Labs., 124 F.3d 1419, 1424 (Fed. Cir. 1997)); see also
`Noah Systems, Inc. v. Intuit Inc., 675 F.3d 1302, 1312 (Fed. Cir. 2012).
`With respect to “a running code blocking module, configured to block
`the attempted malicious behavior in response to positive detection,”
`Petitioner has not identified sufficient corresponding structure described in
`the Specification of the ’249 patent for performing the recited “blocking.”
`In fact, Petitioner does not acknowledge the possibility that this claim
`language may be considered means plus function language despite the fact
`that in the Federal Circuit cases Williamson and Blackboard (discussed and
`cited below), the words “manager” and “module,” when referring to
`computer routines, were considered to indicate means plus function
`treatment and the lack of structure.
`
`9
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`The “running code blocking module” relates to the “blocking-
`scanning manager” recited in the Specification. Thus, the closest Petitioner
`comes to making an identification of structure is this: “the blocking-
`scanning manager ‘blocks’ the attempted malicious behavior.” Pet. 8–9
`(citing Ex. 1001, 9:48-51).
`In its “OVERVIEW OF THE 249 PATENT” section of the Petition,
`Petitioner describes the invention in general and describes disclosure that
`may be related to corresponding structure. For example, Petitioner cites to
`Figure 6, reproduced below, which is flowchart for the “detecting and
`blocking” and element of the alleged invention.
`
`
`
`10
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`The “blocking” portion of the flow chart in Figure 6 above, however,
`is represented by one box titled “Block Execution of Identified Code on
`Target or Remote Computer.” Thus, this does not represent and algorithm
`for the “blocking” element of the claims.
`Thus, at best, even assuming that Petitioner even intended to identify
`corresponding structure, Petitioner has identified the corresponding structure
`only generally as “the blocking-scanning manager.” Petitioner also points to
`Figure 1 of the Specification which recites black box representations of
`elements of the “blocking scanning manager.”
`
`
`
`As shown in Figure 1, above, the reference to “an identified code
`blocking module” suggests only a module on a computer which is too
`
`
`
`11
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`generic to identify any specific structure. In Aristocrat Technologies
`Australia Pty Ltd. v. International Game Technology, 521 F.3d 1328, 1333
`(Fed. Cir. 2008) (quoting Harris Corp. v. Ericsson Inc., 417 F.3d 1241, 1249
`(Fed. Cir. 2005), the Federal Circuit stated that “the corresponding structure
`for a § 112 ¶ 6 claim for a computer-implemented function is the algorithm
`disclosed in the specification.” Id. (emphasis added). As the Federal Circuit
`explained, “a general purpose computer programmed to carry out a
`particular algorithm creates a ‘new machine’ because a general purpose
`computer ‘in effect becomes a special purpose computer once it is
`programmed to perform particular functions pursuant to instructions from
`program software.’ ” Id.; see also WMS Gaming, Inc. v. International Game
`Technology, 184 F.3d 1339, 1349 (Fed. Cir. 1999). Consequently, the
`specification must disclose enough of a specific algorithm to provide the
`necessary structure under § 112, sixth paragraph. Finisar Corp. v. DirectTV
`Grp., Inc., 523 F.3d 1323, 1340 (Fed. Cir. 2008). Allowing a computer
`programmed to perform a specialized function to be claimed without
`disclosure of the algorithm used for that programming would exhibit the
`same type of impermissible overbreadth of purely functional claims. Net
`MoneyIN, Inc. v. VeriSign, Inc., 545 F.3d 1359, 1367 (Fed. Cir. 2008).
`If special programming is required for a general-purpose computer to
`perform the corresponding claimed function, then the default rule requiring
`disclosure of an algorithm applies. It is only in the rare circumstances where
`any general-purpose computer without any special programming can
`perform the function that an algorithm need not be disclosed. Ergo
`Licensing, LLC v. CareFusion, 303, Inc., 673 F.3d 1361, 1365 (Fed. Cir.
`2012); see also Williamson, 792 F.3d at 1352 (“In cases ... involving a claim
`
`12
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`limitation that is subject to § 112, para. 6 that must be implemented in a
`special purpose computer, this court has consistently required that the
`structure disclosed in the specification be more than simply a general
`purpose computer or microprocessor.... [T]he specification [must] disclose
`an algorithm for performing the claimed function.” (citations omitted) ).
`By simply pointing to “a running code blocking module” which may
`be a computer program, Petitioner has not identified the underlying
`algorithm of any such program. This is not a circumstance falling within the
`narrow exception explained in In re Katz, 639 F.3d 1303, 1316 (Fed. Cir.
`2011), where the function recited is generic and can be performed by any
`general-purpose computer without special programming, e.g., “processing,”
`“receiving,” “storing.” The specialized function here includes “blocking the
`attempted malicious behavior.” Petitioner makes no explanation as to why
`the recited function would be so basic that it could be performed by a
`general purpose computer without any special programming. Accordingly,
`it appears, in the Petition, Petitioner has not identified corresponding
`structure, described in the Specification of the ’249 patent, that causes a
`computer to perform the recited function of “blocking the attempted
`malicious behavior.”
`Nevertheless, under SAS Inst., Inc. v. Iancu, 138 S. Ct. 1348, 1359–60
`(2018) (a decision to institute under 35 U.S.C. § 314 may not institute on
`fewer than all claims challenged in the petition), we cannot deny institution
`on this basis alone. We must address the remaining claims. Claim 20 has
`similar language “program code for the blocking-scanning manager blocking
`the attempted malicious behavior in response to the detection.” Claims 1
`and 12, on the other hand, are method claims. Claims 1 and 12 do contain
`
`13
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`similar limitations, i.e. “blocking-scanning manager blocking the attempted
`malicious behavior.” Nevertheless, the Federal Circuit has stated that “The
`mere fact that a method claim is drafted with language parallel to an
`apparatus claim with means-plus-function language does not mean that the
`method claim should be subject to an analysis under § 112, paragraph 6.
`Rather, each limitation of each claim must be independently reviewed to
`determine if it is subject to the requirements of § 112, paragraph 6.”
`Generation II Orthotics Inc. v. Med. Tech. Inc., 263 F.3d 1356, 1368 (Fed.
`Cir. 2001). Here the phrase “blocking-scanning manager” is similar to a
`term access control manager which the Federal Circuit asserted does not
`impart structure. Blackboard, Inc. v. Desire2Learn, Inc., 574 F.3d 1371,
`1383 (Fed. Cir. 2009) (“what the patent calls the “access control manager” is
`simply an abstraction that describes the function of controlling access to
`course materials, which is performed by some undefined component of the
`system. The ACM is essentially a black box that performs a recited
`function.”). We recognize that applying means plus function orthodoxy to
`method claims would be at the very least uncommon but not unprecedented.
`Therefore, without further briefing we decline to do so at this stage of the
`proceeding.
`We expect the parties to address the possible means plus function
`implications of each limitation of the challenged independent claims after
`institution and during this proceeding. Therefore, we do not deny institution
`based on issues related to Patent Owner’s allegation that Petitioner failed to
`1) address the issue of whether the challenged claims are means plus
`function claims, and if so 2) identify the function and corresponding
`structure.
`
`14
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`C. Obviousness over AppletTrap
`1. Overview of AppletTrap
`AppletTrap is a manual prepared by Trend Micro to “introduce the main
`features of the software” of Trend Micro’s InterScan AppletTrap security
`product. Ex. 1005, 9. AppletTrap discloses “block[ing] malicious Java
`applets, HTML scripts, as well as unsecured ActiveX controls at the Internet
`Gateway—preventing them from infiltrating your network and performing
`malicious acts on client workstations.” Id. at 15.
`2. Priority Date of AppletTrap
`Petitioner asserts the AppletTrap the manual was published and publicly
`accessible at least by October 14, 2002 and no later than May 4, 2003. Pet.
`19. The ’249 patent was filed on January 13, 2004 and issued on April 15,
`2008. Ex. 1001. The ’249 patent does not claim priority to any other
`applications or patents. Id. Patent Owner does not address whether
`AppletTrap is prior art in its Preliminary Response. Petitioner presents the
`following evidence which we accept, at this stage of the proceeding, to find
`that AppletTrap is prior art:
`- “The manual was released with the InterScan AppletTrap product in
`August 2001 with a 2000-2001 copyright date. Ex. 1005, 9.” Pet. 19.
`- “The public was aware of and discussing AppletTrap in 2001. See Ex.
`1006 (a February 2001 article from Information Security discussing
`InterScan AppletTrap) at 2-3.” Id.
`- “The public accessibility of the manual on October 14, 2002 is further
`established by the Internet Archive, Wayback Machine, which
`preserved a webpage on October 14, 2002 that has a link to the
`manual. Ex. 1005, 4.” Id.
`
`15
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`- “The foregoing demonstrates that the manual was publicly accessible
`by October 14, 2002 (i.e., 102(b) prior art) but in no event later than
`May 4, 2003 (i.e., 102(a) prior art).” Id. at 24.
`3. Analysis
`Petitioner asserts that claims 1–2, 5–9, 12, 16–17, 20, and 22 are
`unpatentable under 35 U.S.C. § 103 over AppletTrap (Ex. 1009). Pet. 28–
`73.
`
`The preamble of independent claim 1 recites, “[a] computer
`implemented method for preventing malicious code from propagating in a
`computer, the method comprising the steps of.” Petitioner contends
`AppletTrap discloses a computer implemented method for preventing
`malicious code from propagating in a computer. Pet. 28–30 (citing at least
`Ex. 1005, 15 (“InterScan AppletTrap blocks malicious Java applets, HTML
`scripts, as well as unsecured ActiveX controls at the Internet gateway—
`preventing them from infiltrating your network and performing malicious
`acts on client workstations.”); Ex. 1003, ¶¶ 131–138).
`Independent claim 1 further recites “a blocking-scanning manager
`detecting attempted malicious behavior of running code.” Petitioner
`contends AppletTrap discloses detecting attempted malicious behavior of
`running code thought its software at the workstation and at the server. Pet.
`30. According to Petitioner, AppletTrap’s workstation monitors applets’
`behavior and determines whether it is permitted under a security policy. If a
`behavior violates a security policy, it is flagged as malicious. Id. at 30–32
`(citing Ex. 1005, 16, 21, Figure 1.1). In particular, in Petitioner’s exemplary
`scenario, if a user downloads a Java applet “ZYX” from “example.com,”
`AppletTrap will attach a security policy that defines the boundaries of this
`
`16
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`applet’s behavior, e.g., cannot create multiple thread groups. If ZYX
`attempts to create multiple thread groups, AppletTrap will identify it as
`malicious behavior. Id. at 32 (citing Ex. 1003, ¶¶ 139–147).
`Independent claim 1 further recites “responsive to the detection, the
`blocking-scanning manager blocking the attempted malicious behavior.”
`Petitioner contends “upon detecting malicious behavior, AppletTrap
`(workstation), which is part of the blocking-scanning manager, blocks such
`behavior from further execution.” Pet. 33 (citing Ex. 1005, 21, 23). Thus, in
`the exemplary scenario, “upon detection of ZYX’s attempted malicious
`behavior (e.g., attempt to create multiple thread groups), AppletTrap blocks
`that behavior.” Id. at 33 (citing Ex. 1003, ¶¶ 148–151).
`Independent claim 1 further recites “the blocking-scanning manager
`generating a signature to identify the code that attempted the malicious
`behavior.” Petitioner contends that “AppletTrap (workstation), which is
`part of the blocking-scanning manager, blocks the malicious behavior and
`reports it to AppletTrap (server) for inclusion in one or more block lists.”
`Pet. 34 (citing Ex. 1005, 21 ,23). In particular, Petitioner contends that “In
`AppletTrap, code is identified by a signature, which takes the form of a
`hash. In particular, AppletTrap (server) maintains block lists consisting of
`hash codes that are used to identify malicious code.” Id. at 34 (citing Ex.
`1005, 18, 58, 85). Petitioner contends that “[w]hile AppletTrap does not
`explicitly disclose that it generates the hash code that is included in the user-
`configurable block list, it would have been obvious to a PHOSITA to
`implement this step at AppletTrap (workstation).” Id. at 35. Petitioner
`asserts “a PHOSITA would have been motivated to generate a hash at
`AppletTrap (workstation), so that it may be included in the user-
`
`17
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`configurable block lists at AppletTrap (server). Furthermore, a PHOSITA
`would have had a reasonable expectation of success as AppletTrap supports
`various hashing algorithms such as MD5 and SHA1.” Id. at 36 (citing Ex.
`1005, 94). Thus, in the exemplary scenario, “AppletTrap (workstation) has
`associated applet ZYX with malicious behavior. AppletTrap (workstation)
`generates the hash signature of applet ZYX and ‘reports back to the proxy
`server [the signature of applet ZYX] detected on client workstations for
`automatic inclusion in the user-configurable hash list.’”). Id. at 37 (quoting
`Ex. 1005, 21, citing Ex. 1003, ¶¶ 152–165).
`Independent claim 1 further recites “the blocking-scanning manager
`detecting code identified by the signature, wherein detecting code identified
`by the signature comprises.” Petitioner contends “[n]ow that AppletTrap
`(server), which is part of the blocking-scanning manager, has the (hash)
`signature of the code that attempted the malicious behavior, that code can be
`recognized by AppletTrap (server). When a user later attempts to access
`that malicious code, AppletTrap (server) compares the incoming code to all
`of its block lists.” Pet. 38 (citing Ex. 1005, 18, 85). In the exemplary
`scenario, “AppletTrap (server) uses the signature of the ZYX applet to
`identify any incoming file or data that includes this signature.” Id. at 39
`(citing Ex. 1003, ¶¶ 166–169).
`Independent claim 1 further recites “the blocking-scanning manager
`alerting a user of the detection.” Petitioner contends that “AppletTrap
`(server), which is part of the blocking-scanning manager, alerts a user of the
`detection (finding) of the malicious code.” Pet. 39. In particular, Petitioner
`contends that “Moreover, AppletTrap (server) can be configured to send
`email notifications (e.g., on hash-based detection).” Id. at 40 (citing Ex.
`
`18
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`1005, 98). In the exemplary scenario, “after blocking the incoming file with
`the ZYX signature, AppletTrap displays a message to the user stating that
`“[t]he applet has been identified to violate corporate security policy and is
`blocked.” Id. (quoting Ex. 1005, 18, citing Ex. 1003 ¶¶ 170–174).
`Independent claim 1 further recites “the blocking-scanning manager
`allowing the user to choose whether or not to block the execution of the
`identified code.” Petitioner contends that AppletTrap’s server, which is part
`of the blocking-scanning manager, provides a GUI that allows a user to
`choose whether or not to block the execution of the malicious code using
`user-configurable block lists. In particular, AppletTrap’s server includes a
`user-configurable block list that permits a user to add or delete entries for the
`malicious code. Pet. 39–41 (citing Ex. 1005, 18, 85, Figs. 4-3, 6-1). In the
`exemplary scenario:
`AppletTrap (workstation) has reported the ZYX applet to
`AppletTrap (server), which has included the signature of the
`ZYX applet on the user-configurable block list. Nonetheless, a
`user can “white list” the ZYX applet by deselecting the “Enable
`immediate blocking of new entries automatically added to user’s
`hash list” or “Enabled” button. Thus, when the user later accesses
`the ZYX applet, it is not blocked at AppletTrap (server) and is
`passed through to AppletTrap (workstation). Ex. 1003, ¶¶175-
`182.
`Pet. 41.
`Independent claim 1 further recites “the blocking-scanning manager
`overriding the user’s choice responsive to the user incorrectly choosing to
`block non-malicious behavior or incorrectly choosing not to block malicious
`behavior.” Petitioner contends that “[n]otwithstanding that the user can
`‘white list’ an applet by deselecting the ‘Enable immediate blocking of new
`entries automatically added to user’s hash list’ or ‘Enabled’ button for the
`
`
`
`19
`
`

`

`IPR2018-00916
`Patent 7,360,249 B1
`
`applet in the user-configurable block list, . . . AppletTrap (server), which is
`part of the blocking-scanning manager, can override the user.” Pet. 42–47.
`In the exemplary scenario:
`malicious behavior was detected from the ZYX applet, and its
`signature was stored at the user-configurable block list. The user,
`wanting access to ZYX, opens the user-configurable block list
`and deselects the “Enable immediate blocking of new entries
`automatically added to user’s hash list” or “Enabled” button.
`AppletTrap (server) subsequently uploads the user-configurable
`block list to Trend Micro, and Trend Micro determines that ZYX
`is malicious code. The downloadable list is updated, and
`AppletTrap (server) downloads the newest downloadable list.
`The user attempts to access the ZYX applet, believing that the
`user has access to the ZYX applet because the user chose not to
`block the malicious behavior of the ZYX applet. Nonetheless,
`AppletTrap (server) overrides the user’s choice because the
`downloadable list trumps the user configurable list. The override
`is responsive to the user’s incorrect choice because without the
`user’s incorrect choice, there would be no override. See also Ex.
`1003 ¶¶ 183-193.
`Pet. 47–48.
`Based on the above contentions, on the record before us, we are
`persuaded that Petitioner has provided an articulated reasoning with some
`rational underpinning to support the legal conclusion of obviousness. See
`KSR Int’l Co. 550 U.S. 398, 418 (citing In re Kahn, 441 F.3d 977, 988 (Fed.
`Cir. 2006)). As a result, we are persuaded that the modifications to
`AppletTrap proposed by Petitioner are proper.
`At this stage in the proceeding, we are persuaded by Petitioner’s
`explanations and supporting evidence regarding independent claim 1. Based
`on the record before us, Petitioner has

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket