`571-272-7822
`
`
`
`
`
`
`
`
`
` Paper 15
`
`
` Entered: November 15, 2018
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`
`
`
`
`
`ZSCALER INC.,
`Petitioner,
`
`v.
`
`SYMANTEC CORPORATION,
`Patent Owner.
`____________
`
`Case IPR2018-00916
`Patent 7,360,249 B1
`____________
`
`DECISION
`Instituting Inter Partes Review
`35 U.S.C. § 314
`
`
`
`Before JEFFREY S. SMITH, BRYAN F. MOORE, and NEIL T. POWELL,
`Administrative Patent Judges.
`
`MOORE, Administrative Patent Judge.
`
`
`
`
`I. INTRODUCTION
`Zscaler Inc. (“Petitioner”) requests inter partes review of claims 1–2,
`5–9, 12–17, 20 and 22 of U.S. Patent No. 7,360,249 B1 (“the ’249 patent,”
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`Ex. 1001) pursuant to 35 U.S.C. §§ 311 et seq. Paper 1 (“Pet.”). Petitioner
`relies on the testimony of Dr. Erez Zadok. Ex. 1003. Symantec Corporation
`(“Patent Owner”) filed a preliminary response. Paper 10 (“Prelim. Resp.”).
`Institution of an inter partes review is authorized by statute when “the
`information presented in the petition . . . and any response . . . shows that
`there is a reasonable likelihood that the petitioner would prevail with respect
`to at least 1 of the claims challenged in the petition.” 35 U.S.C. § 314(a);
`see 37 C.F.R. § 42.108. Upon consideration of the Petition and Preliminary
`Response, we conclude the information presented shows there is a
`reasonable likelihood that Petitioner would prevail in establishing the
`unpatentability of claims 1–2, 5–9, 12–17, 20 and 22 of the ’249 patent.
`
`A. Related Matters
`A decision in this proceeding could affect or be affected by the
`following case pending in the United States District Court for the Central
`District of California and involving the ’249 patent: Symantec Corp. and
`Symantec Ltd. v. Zscaler, Inc., Case No. 17-cv-04414 (N.D. Cal.). Pet. 3;
`Paper 5, 3.
`
`B. The ’249 patent
`The ’249 patent is directed to “computer security, and in particular, to
`detecting and blocking malicious code propagation on computer systems.”
`Ex. 1001, 1:6–8. The ’249 patent provides that “[c]omputer systems face a
`threat of attack by malicious computer code, such as worms, viruses, and
`Trojan horses.” Id., 1:12–13.
`
`
`2
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`C. Illustrative Claim
`Independent claim 1, reproduced below, is illustrative of the claimed
`subject matter:
`implemented method for preventing
`1.
`A computer
`malicious code from propagating in a computer, the method
`comprising the steps of:
`
`a blocking-scanning manager detecting attempted
`malicious behavior of running code;
`responsive to
`the detection, the blocking-scanning
`manager blocking the attempted malicious behavior;
`the blocking-scanning manager generating a signature to
`identify the code that attempted the malicious behavior;
`the blocking-scanning manager detecting code identified
`by the signature, wherein detecting code identified by the
`signature comprises;
`
`the blocking-scanning manager alerting a user of the
`detection; and the blocking-scanning manager allowing the user
`to choose whether or not to block the execution of the identified
`code;
`the blocking-scanning manager overriding the user’s
`choice responsive to the user incorrectly choosing to block non-
`malicious behavior or incorrectly choosing not to block
`malicious behavior; and
`
`the blocking-scanning manager blocking the execution of
`the identified code.
`
`
`
`Ex. 1001, 11:5–27.
`
`
`
`
`
`
`
`
`
`3
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`D. Asserted Grounds of Unpatentability
`Petitioner asserts that claims 1–2, 5–9, 12–17, 20, and 22 are
`unpatentable based on the following grounds:
`
`
`Reference(s)
`AppletTrap1
`
`AppletTrap and Wells2
`
`Pet. 4.
`
`Basis
`§ 103
`
`§ 103
`
`Claims challenged
`1–2, 5–9, 12, 16–17, 20,
`and 22
`13–15
`
`II. DISCUSSION
`
`Relevant Law
`A.
`Obviousness
`1.
`A claim is unpatentable under 35 U.S.C. § 103(a) if the differences
`between the claimed subject matter and the prior art are such that the subject
`matter, as a whole, would have been obvious at the time the invention was
`made to a person having ordinary skill in the art to which said subject matter
`pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The
`question of obviousness is resolved on the basis of underlying factual
`determinations including (1) the scope and content of the prior art; (2) any
`differences between the claimed subject matter and the prior art; (3) the level
`of skill in the art; and (4) where in evidence, so-called secondary
`considerations, including commercial success, long-felt but unsolved needs,
`
`
`1 TREND MICRO INTERSCAN APPLETTRAP GETTING STARTED GUIDE, archived
`at Wayback machine on May 4, 2003 (“AppletTrap,” Ex. 1005).
`2 US Patent Application Pub. No. 6,338,141, filed Sep. 30, 1998, published
`Jan. 8, 2002. (“Wells,” Ex. 1007).
`
`4
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`failure of others, and unexpected results. 3 Graham v. John Deere Co.,
`383 U.S. 1, 17−18 (1966) (“the Graham factors”).
`Level of Skill
`2.
`For an obviousness analysis, prior art references must be “considered
`together with the knowledge of one of ordinary skill in the pertinent art.”
`In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994) (quoting In re Samour,
`571 F.2d 559, 562 (CCPA 1978)). Moreover, “it is proper to take into
`account not only specific teachings of the reference but also the inferences
`which one skilled in the art would reasonably be expected to draw
`therefrom.” In re Preda, 401 F.2d 825, 826 (CCPA 1968). That is because
`an obviousness analysis “need not seek out precise teachings directed to the
`specific subject matter of the challenged claim, for a court can take account
`of the inferences and creative steps that a person of ordinary skill in the art
`would employ.” KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 418 (Fed. Cir.
`2007); In re Translogic Tech., Inc., 504 F.3d 1249, 1259 (Fed. Cir. 2007).
`Petitioner asserts a person of ordinary skill in the art of the subject
`matter of the ’249 patent would have had a “Bachelor of Science degree in
`computer science, computer engineering, or a similar degree, along with at
`least 2-3 years of experience in software development, preferably related to
`cyber-security or information assurance [and a] higher level of education
`may substitute for a lesser amount of experience, and vice versa.” Pet. 14
`(citing Ex. 1003, ¶¶ 34–37). Patent Owner’s proposed level of skill does not
`differ, in any way relevant to determinations made in this decision, from
`Petitioner’s statement nor does Patent Owner argue that there is any
`
`3 Patent Owner does not put forth evidence it alleges tends to show
`secondary considerations of non-obviousness in its Preliminary Response.
`5
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`significance difference between the two articulations of level of skill.
`Prelim Resp. 7–8. Thus, we adopt Petitioner’s articulation of the level of
`skill and acknowledge that the level of ordinary skill in the art is also
`reflected by the prior art of record. See Okajima v. Bourdeau, 261 F.3d
`1350, 1355 (Fed. Cir. 2001); In re GPAC Inc., 57 F.3d 1573, 1579 (Fed. Cir.
`1995); In re Oelrich, 579 F.2d 86, 91 (CCPA 1978).
`
`Claim Construction
`B.
`In an inter partes review, we construe claim terms in an unexpired
`patent according to their broadest reasonable construction in light of the
`specification of the patent in which they appear. 37 C.F.R. § 42.100(b).
`Consistent with the broadest reasonable construction, claim terms are
`presumed to have their ordinary and customary meaning as understood by a
`person of ordinary skill in the art in the context of the entire patent
`disclosure. In re Translogic Tech., 504 F.3d at 1257.
`1. “a running code blocking module, configured to block the
`attempted malicious behavior in response to positive detection” -
`claim 16
`Each limitation in the body of challenged claim 16 recites a “module”
`which is “configured to” perform a function. Under 35 U.S.C. § 112,
`paragraph 6, “[a]n element in a claim for a combination may be expressed as
`a means or step for performing a specified function without the recital of
`structure, material, or acts in support thereof, and such claim shall be
`
`6
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`construed to cover the corresponding structure, material, or acts described in
`the specification and equivalents thereof.”4
`Patent Owner asserts:
`[T]he Petition includes no analysis of whether any claim term
`(e.g., running code detection module, running code blocking
`module, signature module, scanning module, identified code
`blocking module, alert module, blocking scanning manager)
`should be construed under § 112 ¶ 6. In addition, the Petition
`provides no (i) identification of any structure, material, or acts
`corresponding to any term that should be construed under § 112
`¶ 6 or (ii) structural analysis of the references demonstrating that
`the corresponding structure is present in such references . . . As
`a result of the Petition’s deficient § 112 ¶ 6 analysis, it fails to
`comply with the Board’s rules and caselaw.
`Prelim. Resp. 9–11.
`For example, claim 16 recites “a running code blocking module,
`configured to block the attempted malicious behavior in response to positive
`detection.” This phrase, containing a functional limitation, does not include
`the word “means” and thus presumptively is not a means-plus-function
`limitation under 35 U.S.C. § 112, paragraph 6. Williamson v. Citrix Online,
`LLC, 792 F.3d 1339, 1348 (Fed. Cir. 2015) (en banc). Nevertheless, that
`presumption can be overcome when the phrase does not recite sufficiently
`definite structure or recites function without sufficient structure for
`performing that function. Id. at 1349. That is the case here.
`
`
`
`
`4 Paragraphs 1–6 of § 112 were replaced with §§ 112(a)–(f) when § 4(c) of
`the Leahy-Smith America Invents Act, Pub. L. No. 112–29, 125 Stat. 284,
`329 (2011) (“AIA”) took effect on September 16, 2012. Because the patent
`application resulting in the ’249 patent was filed before the effective date of
`the AIA, we refer to the pre-AIA version of 35 U.S.C. § 112.
`7
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`The term “module” is so broad that it does not sufficiently convey
`definite structure. As the Federal Circuit has stated, “[g]eneric terms such as
`‘mechanism,’ ‘element,’ ‘device,’ and other nonce words that reflect nothing
`more than verbal constructs may be used in a claim in a manner that is
`tantamount to using the word ‘means’ because they ‘typically do not connote
`sufficiently definite structure.’” Id. at 1350 (citation omitted). In this case,
`“module” is used as a generic place-holder for anything that performs the
`recited function, much as the word “means” does. Id. at 1351 (recognizing
`“the term ‘module,’ standing alone is capable of operating as a ‘nonce word’
`substitute for ‘means.’”). The words before and after “module” are “running
`code blocking” and “configured to block the attempted malicious behavior.”
`Those recitations are not structural but functional. The words are generic and
`do not impart specific structure. Rather, they would literally cover any
`structure that performs the function that follows. Furthermore, the entire
`phrase reflects the typical format of a means-plus-function element that does
`employ the word “means,” with “module” substituting for “means” and
`“configured to” substituting for “for.” See Unified Patents Inc. v. Blackbird
`Tech LLC , Case IPR2017-01525, slip op. at 8–11 (PTAB Dec. 1, 2017)
`(Paper 11) (“a plain reading of the term ‘module configured to’ in context of
`the claim language suggest the term ‘module configured to’ is analogous to
`‘means for.’”)
`Accordingly, the non-means presumption is overcome by the absence
`of sufficiently definite structure in the language used and by the fact that the
`language at issue recites function without sufficient structure for performing
`that function. We decide, preliminarily, the phrase “a running code blocking
`module, configured to block the attempted malicious behavior in response to
`
`8
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`positive detection” can be construed as a means-plus-function element under
`35 U.S.C. § 112, paragraph 6. The function recited is “block[ing] the
`attempted malicious behavior in response to positive detection.” The words
`“running code blocking” are simply part of the name for the element and do
`not change the function recitation that comes after it.
`For a means-plus-function limitation, Petitioner is required to
`“identify the specific portions of the specification that describe the structure,
`material, or acts corresponding to each claimed function.” 37 C.F.R. §
`42.104(b)(3). As the Federal Circuit has noted: “structure disclosed in the
`specification is ‘corresponding’ structure only if the specification or
`prosecution history clearly links or associates that structure to the function
`recited in the claim. This duty to link or associate structure to function is the
`quid pro quo for the convenience of employing § 112, ¶ 6.” Saffran v.
`Johnson & Johnson, 712 F.3d 549, 562 (Fed. Cir. 2013) (quoting B. Braun
`Med., Inc. v. Abbott Labs., 124 F.3d 1419, 1424 (Fed. Cir. 1997)); see also
`Noah Systems, Inc. v. Intuit Inc., 675 F.3d 1302, 1312 (Fed. Cir. 2012).
`With respect to “a running code blocking module, configured to block
`the attempted malicious behavior in response to positive detection,”
`Petitioner has not identified sufficient corresponding structure described in
`the Specification of the ’249 patent for performing the recited “blocking.”
`In fact, Petitioner does not acknowledge the possibility that this claim
`language may be considered means plus function language despite the fact
`that in the Federal Circuit cases Williamson and Blackboard (discussed and
`cited below), the words “manager” and “module,” when referring to
`computer routines, were considered to indicate means plus function
`treatment and the lack of structure.
`
`9
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`The “running code blocking module” relates to the “blocking-
`scanning manager” recited in the Specification. Thus, the closest Petitioner
`comes to making an identification of structure is this: “the blocking-
`scanning manager ‘blocks’ the attempted malicious behavior.” Pet. 8–9
`(citing Ex. 1001, 9:48-51).
`In its “OVERVIEW OF THE 249 PATENT” section of the Petition,
`Petitioner describes the invention in general and describes disclosure that
`may be related to corresponding structure. For example, Petitioner cites to
`Figure 6, reproduced below, which is flowchart for the “detecting and
`blocking” and element of the alleged invention.
`
`
`
`10
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`The “blocking” portion of the flow chart in Figure 6 above, however,
`is represented by one box titled “Block Execution of Identified Code on
`Target or Remote Computer.” Thus, this does not represent and algorithm
`for the “blocking” element of the claims.
`Thus, at best, even assuming that Petitioner even intended to identify
`corresponding structure, Petitioner has identified the corresponding structure
`only generally as “the blocking-scanning manager.” Petitioner also points to
`Figure 1 of the Specification which recites black box representations of
`elements of the “blocking scanning manager.”
`
`
`
`As shown in Figure 1, above, the reference to “an identified code
`blocking module” suggests only a module on a computer which is too
`
`
`
`11
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`generic to identify any specific structure. In Aristocrat Technologies
`Australia Pty Ltd. v. International Game Technology, 521 F.3d 1328, 1333
`(Fed. Cir. 2008) (quoting Harris Corp. v. Ericsson Inc., 417 F.3d 1241, 1249
`(Fed. Cir. 2005), the Federal Circuit stated that “the corresponding structure
`for a § 112 ¶ 6 claim for a computer-implemented function is the algorithm
`disclosed in the specification.” Id. (emphasis added). As the Federal Circuit
`explained, “a general purpose computer programmed to carry out a
`particular algorithm creates a ‘new machine’ because a general purpose
`computer ‘in effect becomes a special purpose computer once it is
`programmed to perform particular functions pursuant to instructions from
`program software.’ ” Id.; see also WMS Gaming, Inc. v. International Game
`Technology, 184 F.3d 1339, 1349 (Fed. Cir. 1999). Consequently, the
`specification must disclose enough of a specific algorithm to provide the
`necessary structure under § 112, sixth paragraph. Finisar Corp. v. DirectTV
`Grp., Inc., 523 F.3d 1323, 1340 (Fed. Cir. 2008). Allowing a computer
`programmed to perform a specialized function to be claimed without
`disclosure of the algorithm used for that programming would exhibit the
`same type of impermissible overbreadth of purely functional claims. Net
`MoneyIN, Inc. v. VeriSign, Inc., 545 F.3d 1359, 1367 (Fed. Cir. 2008).
`If special programming is required for a general-purpose computer to
`perform the corresponding claimed function, then the default rule requiring
`disclosure of an algorithm applies. It is only in the rare circumstances where
`any general-purpose computer without any special programming can
`perform the function that an algorithm need not be disclosed. Ergo
`Licensing, LLC v. CareFusion, 303, Inc., 673 F.3d 1361, 1365 (Fed. Cir.
`2012); see also Williamson, 792 F.3d at 1352 (“In cases ... involving a claim
`
`12
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`limitation that is subject to § 112, para. 6 that must be implemented in a
`special purpose computer, this court has consistently required that the
`structure disclosed in the specification be more than simply a general
`purpose computer or microprocessor.... [T]he specification [must] disclose
`an algorithm for performing the claimed function.” (citations omitted) ).
`By simply pointing to “a running code blocking module” which may
`be a computer program, Petitioner has not identified the underlying
`algorithm of any such program. This is not a circumstance falling within the
`narrow exception explained in In re Katz, 639 F.3d 1303, 1316 (Fed. Cir.
`2011), where the function recited is generic and can be performed by any
`general-purpose computer without special programming, e.g., “processing,”
`“receiving,” “storing.” The specialized function here includes “blocking the
`attempted malicious behavior.” Petitioner makes no explanation as to why
`the recited function would be so basic that it could be performed by a
`general purpose computer without any special programming. Accordingly,
`it appears, in the Petition, Petitioner has not identified corresponding
`structure, described in the Specification of the ’249 patent, that causes a
`computer to perform the recited function of “blocking the attempted
`malicious behavior.”
`Nevertheless, under SAS Inst., Inc. v. Iancu, 138 S. Ct. 1348, 1359–60
`(2018) (a decision to institute under 35 U.S.C. § 314 may not institute on
`fewer than all claims challenged in the petition), we cannot deny institution
`on this basis alone. We must address the remaining claims. Claim 20 has
`similar language “program code for the blocking-scanning manager blocking
`the attempted malicious behavior in response to the detection.” Claims 1
`and 12, on the other hand, are method claims. Claims 1 and 12 do contain
`
`13
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`similar limitations, i.e. “blocking-scanning manager blocking the attempted
`malicious behavior.” Nevertheless, the Federal Circuit has stated that “The
`mere fact that a method claim is drafted with language parallel to an
`apparatus claim with means-plus-function language does not mean that the
`method claim should be subject to an analysis under § 112, paragraph 6.
`Rather, each limitation of each claim must be independently reviewed to
`determine if it is subject to the requirements of § 112, paragraph 6.”
`Generation II Orthotics Inc. v. Med. Tech. Inc., 263 F.3d 1356, 1368 (Fed.
`Cir. 2001). Here the phrase “blocking-scanning manager” is similar to a
`term access control manager which the Federal Circuit asserted does not
`impart structure. Blackboard, Inc. v. Desire2Learn, Inc., 574 F.3d 1371,
`1383 (Fed. Cir. 2009) (“what the patent calls the “access control manager” is
`simply an abstraction that describes the function of controlling access to
`course materials, which is performed by some undefined component of the
`system. The ACM is essentially a black box that performs a recited
`function.”). We recognize that applying means plus function orthodoxy to
`method claims would be at the very least uncommon but not unprecedented.
`Therefore, without further briefing we decline to do so at this stage of the
`proceeding.
`We expect the parties to address the possible means plus function
`implications of each limitation of the challenged independent claims after
`institution and during this proceeding. Therefore, we do not deny institution
`based on issues related to Patent Owner’s allegation that Petitioner failed to
`1) address the issue of whether the challenged claims are means plus
`function claims, and if so 2) identify the function and corresponding
`structure.
`
`14
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`C. Obviousness over AppletTrap
`1. Overview of AppletTrap
`AppletTrap is a manual prepared by Trend Micro to “introduce the main
`features of the software” of Trend Micro’s InterScan AppletTrap security
`product. Ex. 1005, 9. AppletTrap discloses “block[ing] malicious Java
`applets, HTML scripts, as well as unsecured ActiveX controls at the Internet
`Gateway—preventing them from infiltrating your network and performing
`malicious acts on client workstations.” Id. at 15.
`2. Priority Date of AppletTrap
`Petitioner asserts the AppletTrap the manual was published and publicly
`accessible at least by October 14, 2002 and no later than May 4, 2003. Pet.
`19. The ’249 patent was filed on January 13, 2004 and issued on April 15,
`2008. Ex. 1001. The ’249 patent does not claim priority to any other
`applications or patents. Id. Patent Owner does not address whether
`AppletTrap is prior art in its Preliminary Response. Petitioner presents the
`following evidence which we accept, at this stage of the proceeding, to find
`that AppletTrap is prior art:
`- “The manual was released with the InterScan AppletTrap product in
`August 2001 with a 2000-2001 copyright date. Ex. 1005, 9.” Pet. 19.
`- “The public was aware of and discussing AppletTrap in 2001. See Ex.
`1006 (a February 2001 article from Information Security discussing
`InterScan AppletTrap) at 2-3.” Id.
`- “The public accessibility of the manual on October 14, 2002 is further
`established by the Internet Archive, Wayback Machine, which
`preserved a webpage on October 14, 2002 that has a link to the
`manual. Ex. 1005, 4.” Id.
`
`15
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`- “The foregoing demonstrates that the manual was publicly accessible
`by October 14, 2002 (i.e., 102(b) prior art) but in no event later than
`May 4, 2003 (i.e., 102(a) prior art).” Id. at 24.
`3. Analysis
`Petitioner asserts that claims 1–2, 5–9, 12, 16–17, 20, and 22 are
`unpatentable under 35 U.S.C. § 103 over AppletTrap (Ex. 1009). Pet. 28–
`73.
`
`The preamble of independent claim 1 recites, “[a] computer
`implemented method for preventing malicious code from propagating in a
`computer, the method comprising the steps of.” Petitioner contends
`AppletTrap discloses a computer implemented method for preventing
`malicious code from propagating in a computer. Pet. 28–30 (citing at least
`Ex. 1005, 15 (“InterScan AppletTrap blocks malicious Java applets, HTML
`scripts, as well as unsecured ActiveX controls at the Internet gateway—
`preventing them from infiltrating your network and performing malicious
`acts on client workstations.”); Ex. 1003, ¶¶ 131–138).
`Independent claim 1 further recites “a blocking-scanning manager
`detecting attempted malicious behavior of running code.” Petitioner
`contends AppletTrap discloses detecting attempted malicious behavior of
`running code thought its software at the workstation and at the server. Pet.
`30. According to Petitioner, AppletTrap’s workstation monitors applets’
`behavior and determines whether it is permitted under a security policy. If a
`behavior violates a security policy, it is flagged as malicious. Id. at 30–32
`(citing Ex. 1005, 16, 21, Figure 1.1). In particular, in Petitioner’s exemplary
`scenario, if a user downloads a Java applet “ZYX” from “example.com,”
`AppletTrap will attach a security policy that defines the boundaries of this
`
`16
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`applet’s behavior, e.g., cannot create multiple thread groups. If ZYX
`attempts to create multiple thread groups, AppletTrap will identify it as
`malicious behavior. Id. at 32 (citing Ex. 1003, ¶¶ 139–147).
`Independent claim 1 further recites “responsive to the detection, the
`blocking-scanning manager blocking the attempted malicious behavior.”
`Petitioner contends “upon detecting malicious behavior, AppletTrap
`(workstation), which is part of the blocking-scanning manager, blocks such
`behavior from further execution.” Pet. 33 (citing Ex. 1005, 21, 23). Thus, in
`the exemplary scenario, “upon detection of ZYX’s attempted malicious
`behavior (e.g., attempt to create multiple thread groups), AppletTrap blocks
`that behavior.” Id. at 33 (citing Ex. 1003, ¶¶ 148–151).
`Independent claim 1 further recites “the blocking-scanning manager
`generating a signature to identify the code that attempted the malicious
`behavior.” Petitioner contends that “AppletTrap (workstation), which is
`part of the blocking-scanning manager, blocks the malicious behavior and
`reports it to AppletTrap (server) for inclusion in one or more block lists.”
`Pet. 34 (citing Ex. 1005, 21 ,23). In particular, Petitioner contends that “In
`AppletTrap, code is identified by a signature, which takes the form of a
`hash. In particular, AppletTrap (server) maintains block lists consisting of
`hash codes that are used to identify malicious code.” Id. at 34 (citing Ex.
`1005, 18, 58, 85). Petitioner contends that “[w]hile AppletTrap does not
`explicitly disclose that it generates the hash code that is included in the user-
`configurable block list, it would have been obvious to a PHOSITA to
`implement this step at AppletTrap (workstation).” Id. at 35. Petitioner
`asserts “a PHOSITA would have been motivated to generate a hash at
`AppletTrap (workstation), so that it may be included in the user-
`
`17
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`configurable block lists at AppletTrap (server). Furthermore, a PHOSITA
`would have had a reasonable expectation of success as AppletTrap supports
`various hashing algorithms such as MD5 and SHA1.” Id. at 36 (citing Ex.
`1005, 94). Thus, in the exemplary scenario, “AppletTrap (workstation) has
`associated applet ZYX with malicious behavior. AppletTrap (workstation)
`generates the hash signature of applet ZYX and ‘reports back to the proxy
`server [the signature of applet ZYX] detected on client workstations for
`automatic inclusion in the user-configurable hash list.’”). Id. at 37 (quoting
`Ex. 1005, 21, citing Ex. 1003, ¶¶ 152–165).
`Independent claim 1 further recites “the blocking-scanning manager
`detecting code identified by the signature, wherein detecting code identified
`by the signature comprises.” Petitioner contends “[n]ow that AppletTrap
`(server), which is part of the blocking-scanning manager, has the (hash)
`signature of the code that attempted the malicious behavior, that code can be
`recognized by AppletTrap (server). When a user later attempts to access
`that malicious code, AppletTrap (server) compares the incoming code to all
`of its block lists.” Pet. 38 (citing Ex. 1005, 18, 85). In the exemplary
`scenario, “AppletTrap (server) uses the signature of the ZYX applet to
`identify any incoming file or data that includes this signature.” Id. at 39
`(citing Ex. 1003, ¶¶ 166–169).
`Independent claim 1 further recites “the blocking-scanning manager
`alerting a user of the detection.” Petitioner contends that “AppletTrap
`(server), which is part of the blocking-scanning manager, alerts a user of the
`detection (finding) of the malicious code.” Pet. 39. In particular, Petitioner
`contends that “Moreover, AppletTrap (server) can be configured to send
`email notifications (e.g., on hash-based detection).” Id. at 40 (citing Ex.
`
`18
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`1005, 98). In the exemplary scenario, “after blocking the incoming file with
`the ZYX signature, AppletTrap displays a message to the user stating that
`“[t]he applet has been identified to violate corporate security policy and is
`blocked.” Id. (quoting Ex. 1005, 18, citing Ex. 1003 ¶¶ 170–174).
`Independent claim 1 further recites “the blocking-scanning manager
`allowing the user to choose whether or not to block the execution of the
`identified code.” Petitioner contends that AppletTrap’s server, which is part
`of the blocking-scanning manager, provides a GUI that allows a user to
`choose whether or not to block the execution of the malicious code using
`user-configurable block lists. In particular, AppletTrap’s server includes a
`user-configurable block list that permits a user to add or delete entries for the
`malicious code. Pet. 39–41 (citing Ex. 1005, 18, 85, Figs. 4-3, 6-1). In the
`exemplary scenario:
`AppletTrap (workstation) has reported the ZYX applet to
`AppletTrap (server), which has included the signature of the
`ZYX applet on the user-configurable block list. Nonetheless, a
`user can “white list” the ZYX applet by deselecting the “Enable
`immediate blocking of new entries automatically added to user’s
`hash list” or “Enabled” button. Thus, when the user later accesses
`the ZYX applet, it is not blocked at AppletTrap (server) and is
`passed through to AppletTrap (workstation). Ex. 1003, ¶¶175-
`182.
`Pet. 41.
`Independent claim 1 further recites “the blocking-scanning manager
`overriding the user’s choice responsive to the user incorrectly choosing to
`block non-malicious behavior or incorrectly choosing not to block malicious
`behavior.” Petitioner contends that “[n]otwithstanding that the user can
`‘white list’ an applet by deselecting the ‘Enable immediate blocking of new
`entries automatically added to user’s hash list’ or ‘Enabled’ button for the
`
`
`
`19
`
`
`
`IPR2018-00916
`Patent 7,360,249 B1
`
`applet in the user-configurable block list, . . . AppletTrap (server), which is
`part of the blocking-scanning manager, can override the user.” Pet. 42–47.
`In the exemplary scenario:
`malicious behavior was detected from the ZYX applet, and its
`signature was stored at the user-configurable block list. The user,
`wanting access to ZYX, opens the user-configurable block list
`and deselects the “Enable immediate blocking of new entries
`automatically added to user’s hash list” or “Enabled” button.
`AppletTrap (server) subsequently uploads the user-configurable
`block list to Trend Micro, and Trend Micro determines that ZYX
`is malicious code. The downloadable list is updated, and
`AppletTrap (server) downloads the newest downloadable list.
`The user attempts to access the ZYX applet, believing that the
`user has access to the ZYX applet because the user chose not to
`block the malicious behavior of the ZYX applet. Nonetheless,
`AppletTrap (server) overrides the user’s choice because the
`downloadable list trumps the user configurable list. The override
`is responsive to the user’s incorrect choice because without the
`user’s incorrect choice, there would be no override. See also Ex.
`1003 ¶¶ 183-193.
`Pet. 47–48.
`Based on the above contentions, on the record before us, we are
`persuaded that Petitioner has provided an articulated reasoning with some
`rational underpinning to support the legal conclusion of obviousness. See
`KSR Int’l Co. 550 U.S. 398, 418 (citing In re Kahn, 441 F.3d 977, 988 (Fed.
`Cir. 2006)). As a result, we are persuaded that the modifications to
`AppletTrap proposed by Petitioner are proper.
`At this stage in the proceeding, we are persuaded by Petitioner’s
`explanations and supporting evidence regarding independent claim 1. Based
`on the record before us, Petitioner has