[00:00:41] Speaker 00: Let's just wait a minute so the other side can't settle.
[00:00:55] Speaker 00: Apparently all those people were not here for computer exploits.
[00:00:59] Speaker 02: Changing gears a little bit, Your Honor.
[00:01:03] Speaker 02: All right, I think we're good to go, Mr. Hanna.
[00:01:05] Speaker 02: Please proceed.
[00:01:06] Speaker 02: Thank you very much, Your Honor.
[00:01:07] Speaker 02: I believe it's still morning, so good morning, Your Honors.
[00:01:10] Speaker 02: May it please the Court.
[00:01:12] Speaker 02: This is a rare case.
[00:01:15] Speaker 02: This is a rare case in which the appellee in his response brief admitted that the board's decision cannot stand.
[00:01:26] Speaker 02: Finjan has maintained through these entire proceedings that the correct construction of computer exploit is a portion of program code that are malicious.
[00:01:40] Speaker 02: The board rejected that construction.
[00:01:45] Speaker 02: The board adopted the examiner's construction at Appendix 2149, which he explicitly stated that malware is a computer exploit.
[00:01:59] Speaker 02: He doubled down on that construction in Appendix 2441, in which the examiner states identifying malware is identifying a computer exploit.
[00:02:14] Speaker 02: Now we get to the appeal.
[00:02:15] Speaker 02: And in the response brief at page 15, the appellee has agreed that Finjan's construction is the correct construction.
[00:02:27] Speaker 02: A computer exploit is a portion or portions of program code.
[00:02:32] Speaker 00: I'm looking at page 15.
[00:02:33] Speaker 00: Can you tell us what you're talking to?
[00:02:35] Speaker 00: Because the heading says Finjan takes an overly narrow view of computer exploits, which suggests that they're not adopting your construction.
[00:02:43] Speaker 02: So, Your Honor, if you look at
[00:02:49] Speaker 02: Page 15, it says, the claim states that computer exploits are portions of program code that are malicious.
[00:02:59] Speaker 02: Yes.
[00:02:59] Speaker 02: It goes on and gives evidence of that saying the 305 patent specification states that portions of program code that are malicious are referred to as exploits.
[00:03:07] Speaker 02: He says, given this unambiguous language in claim one and the specification, the director agrees with Finjan that computer exploits are portions of program code
[00:03:18] Speaker 02: that are malicious.
[00:03:21] Speaker 02: So they adopted Finjan's construction.
[00:03:23] Speaker 00: Well then they said, no, but then the very next day they said, Finjan reads this agreed upon construction to further limit computer exploits to specific malicious lines of code contained in an otherwise benign program.
[00:03:36] Speaker 00: So while they agreed with you at the general level, they didn't agree with the way in which you then further limited or applied that definition.
[00:03:46] Speaker 02: That's what they raised in their appeal brief.
[00:03:48] Speaker 02: But the board's decision is not based on that construction at all.
[00:03:52] Speaker 02: Everything that the board relied upon was a very broad construction saying that malware is a computer exploit.
[00:03:59] Speaker 02: And I see, Your Honors, as looking at the record, if you look at Appendix 2149, it's explicit that the examiner's construction is that malware is a computer exploit.
[00:04:16] Speaker 00: The fact that they're saying malware is a form of computer exploit doesn't mean that computer exploit can't be a portion of a code that's malicious.
[00:04:28] Speaker 00: I'm confused.
[00:04:31] Speaker 00: If the whole code is malicious, it can't be a computer exploit?
[00:04:34] Speaker 02: So malware can include a computer exploit, but defining something as malware does not mean that it has a computer exploit.
[00:04:44] Speaker 02: And that's the critical difference between the Sandu reference.
[00:04:47] Speaker 02: The Sandu reference... I don't know.
[00:04:49] Speaker 00: I guess maybe I'm confused.
[00:04:51] Speaker 00: I kind of think all malware is malicious and I constantly scan my computers to make sure that there's none loaded into them.
[00:04:59] Speaker 00: Sure.
[00:05:00] Speaker 00: So I'm perplexed, I guess.
[00:05:01] Speaker 00: What am I missing?
[00:05:02] Speaker 02: The difference is that the 305 is specific about computer exploits.
[00:05:07] Speaker 02: It's not just malware.
[00:05:08] Speaker 02: So I'll give you an example.
[00:05:10] Speaker 00: No, but that would just be, but malware can be a subset of computer exploits.
[00:05:16] Speaker 02: Malware can be a subset, exactly, so that's not what the examiner said.
[00:05:19] Speaker 00: Sure, he said malware is a form of computer exploit.
[00:05:23] Speaker 00: That means there can be other forms of computer exploits.
[00:05:26] Speaker 02: So, okay.
[00:05:28] Speaker 00: What am I missing?
[00:05:29] Speaker 02: What you're missing is he's saying if you identify something as malware, he's saying that that's a computer exploit.
[00:05:36] Speaker 02: That's incorrect.
[00:05:37] Speaker 02: I think it's even clearer on if you look at 2441.
[00:05:41] Speaker 02: If you look at 2441, what he says is that if you identify malware, you identify a computer exploit.
[00:06:01] Speaker 02: And that is not the case.
[00:06:04] Speaker 02: Identifying a computer exploit
[00:06:06] Speaker 02: is narrower than identifying malware.
[00:06:08] Speaker 02: And I think this is what happens, this is a good place for an example, is that if I have malware, malware says to erase all the files on my computer using the format command.
[00:06:24] Speaker 02: That could be malware, that could be malicious software, it's an unwanted computer attack, that's how Sandu describes malware.
[00:06:32] Speaker 02: That doesn't have to have an exploit.
[00:06:36] Speaker 02: That's a legitimate command.
[00:06:37] Speaker 02: Formatting your hard drive is a legitimate command.
[00:06:43] Speaker 02: Sandu would recognize that as malware, but it does not have a computer exploit.
[00:06:49] Speaker 02: And that's what the board bases reasoning on.
[00:06:51] Speaker 02: It had to do this because if you look through Sandu, and I have multiple times, it never looks to see if the code contains an exploit.
[00:07:02] Speaker 02: Ever.
[00:07:03] Speaker 02: It only qualifies to see whether it is malware by matching a signature.
[00:07:09] Speaker 02: It always uses the word is malware.
[00:07:13] Speaker 02: And so the entire board's decision is based on this erroneous construction that the director has now said was in fact erroneous.
[00:07:23] Speaker 02: So at the very least this case needs to be remanded in order for a proper analysis under the correct construction.
[00:07:33] Speaker 02: And when they do that, they're not going to be able to find any computer exploits that are identified in Sandu.
[00:07:39] Speaker 02: That's not the way Sandu works.
[00:07:42] Speaker 02: What Sandu does is it takes an executable script, creates these routine tokens, and then compares that to a malware signature store.
[00:07:52] Speaker 02: It is agnostic as to what the executable script is actually doing.
[00:08:00] Speaker 02: It doesn't know whether it contains an exploit or not.
[00:08:03] Speaker 02: In fact, if there was something in the malware script store in the signature that said, block this file because it matches this signature, it could block anything, whether it contained an exploit or not, because it doesn't care.
[00:08:19] Speaker 02: It's completely agnostic to it.
[00:08:22] Speaker 02: And that leads into
[00:08:24] Speaker 02: How does the 305 patent work?
[00:08:27] Speaker 00: But just to be clear, the board on page 10 of its opinion, which is at appendix page 11, says, and I think it's, does it, doesn't, does, do you really see that the board has adopted an improper construction, and if so, where?
[00:08:45] Speaker 00: Where did the board adopt a construction you disagree with?
[00:08:52] Speaker 02: So the board
[00:08:54] Speaker 02: At Appendix 11 says we agree with the examiner that malware is a form of computer exploit when construed in light of the disclosure.
[00:09:04] Speaker 02: They've explicitly adopted the examiner's construction.
[00:09:08] Speaker 02: And that's not the case.
[00:09:09] Speaker 02: Malware is not a form of computer exploit.
[00:09:14] Speaker 02: I just gave one example of that malware is not a form of computer exploit.
[00:09:21] Speaker 02: And that's why the 305 patent works the way it does.
[00:09:24] Speaker 02: It contains these parser rules and these analyzer rules that looks within the content.
[00:09:30] Speaker 02: That's what the claim language says.
[00:09:31] Speaker 02: They're within.
[00:09:32] Speaker 02: I'm going to analyze the code within the content to determine if it contains malicious code.
[00:09:39] Speaker 02: Sandu doesn't do any of that.
[00:09:41] Speaker 02: Sandu abstracts the executable script and then compares it to a signature.
[00:09:48] Speaker 00: So you're arguing that Sandu doesn't disclose malware or that Sandu's malware doesn't have anything that is malicious?
[00:10:01] Speaker 02: I'm arguing that Sandu does not identify computer exploits.
[00:10:05] Speaker 00: No, that's not what I asked.
[00:10:07] Speaker 00: Does Sandu disclose malware?
[00:10:09] Speaker 00: Yes, it says that... Does it identify malware?
[00:10:11] Speaker 00: Isn't that part of what the program is for?
[00:10:14] Speaker 00: In Sandu, I mean, not in your patent.
[00:10:16] Speaker 02: Sure, sure.
[00:10:17] Speaker 02: So, Sandu will classify something as malware.
[00:10:22] Speaker 02: So Sandu says something, this is malware because it matches a signature.
[00:10:25] Speaker 00: It matches a signature of known, it matches a known malware signature.
[00:10:31] Speaker 02: Right, which can or cannot, doesn't have to contain any exploits at all.
[00:10:35] Speaker 02: It could be, I could put into... How do you know?
[00:10:37] Speaker 00: What evidence is there in the record that a malware signature doesn't contain exploits?
[00:10:43] Speaker 00: That code with the malware signature doesn't contain exploits.
[00:10:49] Speaker 02: That's exactly it.
[00:10:50] Speaker 02: In Sandu, it never says what's in the malware signature store.
[00:10:55] Speaker 02: And it never has anything that says that a malware signature store contains exploits.
[00:11:00] Speaker 02: It's completely absent.
[00:11:02] Speaker 02: That's the whole point is that the examiner couldn't point to anything.
[00:11:05] Speaker 02: And so that's why they had to take this broad construction to say, identifying malware is the same as... So here's the problem, I guess.
[00:11:12] Speaker 00: Malware seems to by the PTO have been accepted, the definition of malware by the PTO seems to have been something which contains malicious code. Malware, something which contains malicious code at a minimum. Okay. Right. Okay. That's what I understand from this record. I understand the PTO saying malware by its very nature contains malicious code. So if that's sort of the plain meaning of malware and then Sandu is saying
[00:11:41] Speaker 00: we have something with a malware signature.
[00:11:43] Speaker 00: I understand your argument that, you know, maybe not all apples are bad.
[00:11:49] Speaker 00: I mean, you know, but if something has a known malware signature, doesn't that mean the PTO is understanding as a fact finder, because they're interpreting the reference, that that means it has known malicious code?
[00:12:05] Speaker 00: I mean,
[00:12:06] Speaker 02: But it doesn't have to contain a computer exploit.
[00:12:09] Speaker 02: That's what I'm saying.
[00:12:10] Speaker 02: They applied the wrong definition.
[00:12:11] Speaker 02: Now, if you want to look for the definition of malware, let's look to Sandu.
[00:12:14] Speaker 02: Sandu on Appendix 2962 in paragraph 2 said, for the purposes of the present discussion, malware for the purposes of... This is an application, so it's the fifth line down.
[00:12:32] Speaker 02: Which column?
[00:12:33] Speaker 02: The left or the right column?
[00:12:34] Speaker 02: Paragraph 2.
[00:12:36] Speaker 02: Malware for purposes of the present discussion is defined as unwanted computer attack.
[00:12:43] Speaker 00: Unwanted computer attack sounds malicious.
[00:12:45] Speaker 00: I don't know.
[00:12:46] Speaker 00: What am I missing?
[00:12:47] Speaker 02: What you're missing is that the unwanted computer attack does not have to contain an exploit.
[00:12:53] Speaker 02: The 305 is very specific.
[00:12:54] Speaker 00: An exploit is malicious code.
[00:12:57] Speaker 02: There are portions of code that are malicious.
[00:13:02] Speaker 02: So you have to identify the portions of the malicious code that are malicious.
[00:13:09] Speaker 02: That's what you have to do in the exploit.
[00:13:12] Speaker 00: Malware... And you're saying malware could have lines of code that on their face standing alone are not malicious, even though other portions of all malware are in fact malicious?
[00:13:20] Speaker 02: No, it doesn't have to contain malicious code at all.
[00:13:22] Speaker 02: That's my format example.
[00:13:23] Speaker 00: But that's not what Sandu says.
[00:13:24] Speaker 00: Sandu says malware is unwanted computer attacks.
[00:13:29] Speaker 00: That's malicious, and I think it's reasonable for the PTO to have concluded that Sandu discloses
[00:13:34] Speaker 00: Malware equals unwanted computer attacks equals malicious.
[00:13:37] Speaker 02: Okay, that might be in a malicious attack.
[00:13:39] Speaker 02: So go back to my format example.
[00:13:41] Speaker 02: Formatting your hard drive is a legitimate operation that's performed on a computer.
[00:13:46] Speaker 02: That does not contain malicious code.
[00:13:49] Speaker 02: That does not contain program code that's malicious.
[00:13:51] Speaker 00: That's not what malware is.
[00:13:54] Speaker 00: Malware is, according to Sandu, an unwanted computer attack.
[00:13:58] Speaker 02: Okay, so if I have... So that's malicious.
[00:14:00] Speaker 00: So malware is malicious.
[00:14:02] Speaker 00: Malware can be malicious, but... That can be, is defined by Sandu to be malicious.
[00:14:09] Speaker 00: I don't know anyone who would say an unwanted computer attack isn't malicious.
[00:14:13] Speaker 02: I agree, Your Honor, but what we're looking at for the 305 patent is that we're diving into the weeds here, we're looking at the actual code.
[00:14:21] Speaker 02: Sandu does not look at the actual code to determine if it contains malicious code.
[00:14:26] Speaker 00: That's why I'm trying to get it with you, but Sandu does look to say, do you have code, which is, yes it does, directed to an unwanted computer attack because they define it as something that has a malware signature.
[00:14:41] Speaker 00: And malware is defined as unwanted computer attacks.
[00:14:44] Speaker 02: Sandu never looks to see if it has the code.
[00:14:47] Speaker 00: Ever.
[00:14:48] Speaker 00: It is totally agnostic.
[00:14:49] Speaker 00: I understand that you're saying it doesn't look to see or identify which lines of code amount to
[00:14:54] Speaker 00: the unwanted computer attack, but it's nonetheless saying we're identifying software that has an unwanted computer attack embedded within their software.
[00:15:02] Speaker 02: It never says that.
[00:15:03] Speaker 02: It only says, is malware.
[00:15:05] Speaker 02: If you look through Sandu, you never see something that says it contains.
[00:15:09] Speaker 02: That's what they keep saying.
[00:15:11] Speaker 00: If it is malware, and malware is defined as an unwanted computer attack, and that attack can only occur through code.
[00:15:16] Speaker 00: It's not like they're throwing eggs.
[00:15:18] Speaker 00: I mean, I don't understand.
[00:15:19] Speaker 02: Well, Your Honor, that's the difference between the computer exploit
[00:15:22] Speaker 02: that's being used here.
[00:15:25] Speaker 02: And I would like to get to the way that it functions is that you have to have these parser and analyzer rules that correspond to these computer exploits.
[00:15:37] Speaker 02: What the director does is they point to the malware signature store for the parser rules.
[00:15:43] Speaker 02: Sandu is explicit on paragraph 40 that the parser rules create the routine tokens.
[00:15:53] Speaker 02: It has nothing to do with the malware signature store.
[00:15:58] Speaker 02: The claims of the 305 patent are specific in that it has parser analyzed rules that correspond to computer exploits.
[00:16:07] Speaker 02: If you look at paragraph 40 of Sandu, it explicitly states that you parse the content to create the routine tokens.
[00:16:18] Speaker 02: You never parse anything
[00:16:21] Speaker 02: to put anything in the malware signature store.
[00:16:26] Speaker 02: Does that make sense?
[00:16:27] Speaker 02: So what the director has had to do is point to the malware signature store as the parser rules, the analyzer rules, the computer exploits.
[00:16:41] Speaker 02: That's turned Sandu on his head, because Sandu says that you parse to create these routine tokens.
[00:16:47] Speaker 02: And then the routine tokens are compared to the malware signature store.
[00:16:54] Speaker 02: So when they're talking about parsing, these parsing rules, they're talking about something that's in the malware signature store.
[00:17:01] Speaker 02: That can't be what Sandu's about, because Sandu says explicitly
[00:17:05] Speaker 02: Paragraph 40 that you do parsing to create the routine tokens.
[00:17:14] Speaker 02: There's nothing in Sandu that says that these signatures are also parser rules or also analyzer rules.
[00:17:23] Speaker 02: And that's the point that the dissent made at pages 16 and 17 of the dissent is that the board is pointing to the malware signature store as everything.
[00:17:34] Speaker 02: the parser rules, the analyzer rules.
[00:17:38] Speaker 02: There's no rules at all in Sandu.
[00:17:40] Speaker 02: Sandu doesn't talk about rules at all.
[00:17:42] Speaker 02: It doesn't talk about, especially doesn't talk about rules that correspond to computer exploits.
[00:17:50] Speaker 02: And that's where it comes down, is that this definition is just an improper definition.
[00:17:55] Speaker 02: We don't have a record to support that Sandu meets the correct definition.
[00:18:00] Speaker 02: You far exceeded your time in your rebuttal time.
[00:18:03] Speaker 02: Will we turn some rebuttal time over?
[00:18:19] Speaker 01: May it please the court?
[00:18:21] Speaker 01: I'm genuinely confused as to this argument about computer exploits that we somehow in our brief disavowed what the board or examiner did.
[00:18:33] Speaker 01: I'll give you a look at what the examiner did on appendix page 2149.
[00:18:38] Speaker 01: He states that the term computer exploit is defined in the patent as portions of program code that are malicious and then says that malware is a form of computer exploit.
[00:18:50] Speaker 01: Exactly what we said in our brief and again on appendix page 2441 he repeats that a computer exploit is defined as portions of program code that are malicious so everything that we did.
[00:19:03] Speaker 01: and said in our brief was fully consistent with what the examiner did.
[00:19:06] Speaker 00: Can I ask you instead to turn, unless anyone else has questions they want to ask about that, can I ask you to turn instead to whether Sandu discloses the parser rules?
[00:19:17] Speaker 01: Sure.
[00:19:18] Speaker 01: So the examiner and the board found that the routine token sets in the malware signature store of Sandu are the parser rules and
[00:19:30] Speaker 01: Parser rules are defined as patterns of tokens that form syntactical constructs of program code.
[00:19:39] Speaker 00: I don't think there's any dispute that... But didn't you admit in your brief that figure 8 doesn't show parser rules in malware script signatures?
[00:19:47] Speaker 01: Figure 8 are the routine token sets of the incoming code.
[00:19:52] Speaker 01: There's no figure in Sandu showing the code in the malware signature store.
[00:19:58] Speaker 01: Our point was, and I think this was agreed with in the reply brief, was that the board made the reasonable inference that the routine token sets in the malware signature store would look similar to the code that's in Figure 8, because that's the code that it's being compared to.
[00:20:17] Speaker 01: It's just that there's no figure showing that code, but the malware signature store is going to include code that looks similar to what's in Figure 8.
[00:20:27] Speaker 01: And this idea that the board is relying on the routine token sets in the malware signature store for everything, the parser rules, the analyzer rules, and the computer exploits, that comes from the claim language itself.
[00:20:41] Speaker 01: It says a database of parser and analyzer rules corresponding to computer exploits.
[00:20:46] Speaker 01: So it seems like all of those things are the same thing, and that's why the board is relying on the code and the malware signature store to meet those limitations.
[00:20:59] Speaker 01: Are there no further questions?
[00:21:03] Speaker 01: Thank you.
[00:21:12] Speaker 02: I think one admission that we just got on the rebuttal there was that there is no disclosure in Sandu of what's in the malware signature store.
[00:21:24] Speaker 02: And that's true, because the malware signature store does not identify computer exploits.
[00:21:33] Speaker 02: With regard to the parser rules, the claim is explicit that it says, a database of parser and analyzer rules
[00:21:40] Speaker 02: corresponding to computer exploits.
[00:21:44] Speaker 02: When you look at Sandu at paragraph 40, what Sandu says is that it parses the incoming executable script to generate routine tokens.
[00:22:00] Speaker 02: That's where Sandu does parsing.
[00:22:04] Speaker 02: It has nothing to do with a
[00:22:08] Speaker 02: malware signature store that's already on the system.
[00:22:12] Speaker 02: But that's what the director and the board and the examiner pointed to.
[00:22:16] Speaker 02: They pointed to this malware signature store that's already on the system, that has nothing to do with what Sandu describes as parsing.
[00:22:26] Speaker 02: That parsing to generate the routine tokens will generate routine tokens without regard to any computer exploits at all.
[00:22:35] Speaker 02: That's undisputed.
[00:22:37] Speaker 02: They couldn't point to that parsing.
[00:22:39] Speaker 02: That's why they changed course.
[00:22:40] Speaker 02: If you looked at the, you know, in our briefing and then at the proceedings below, they changed course saying, oh, we're going to point to the parsing that in paragraph 40 for the parser rules.
[00:22:53] Speaker 02: Continued to say that.
[00:22:54] Speaker 02: We get one paragraph in the examiner's answer that says, okay, the parser rules can be in the malware signature store.
[00:23:02] Speaker 02: And then the board harps on that.
[00:23:05] Speaker 02: That's because our entire argument was that the parser rules had to correspond to computer exploits.
[00:23:12] Speaker 02: So they point to the malware signature store.
[00:23:14] Speaker 02: But now that they point to the malware signature store, there's no parsing.
[00:23:18] Speaker 02: Because the only parsing that happens in Sandu is to generate the routine tokens.
[00:23:23] Speaker 02: And that is undeniably has nothing to do with any computer exploit.
[00:23:28] Speaker 02: It's a straight parsing function to generate the routine tokens.