IP Law Daily PTAB errs in construing claims of malware detection patent
Wednesday, March 28, 2018

PTAB errs in construing claims of malware detection patent

By Jody Coultas, J.D.

The U.S. Court of Appeals for the Federal Circuit found that the Patent Trial and Appeal Board’s claim construction of patent claims related to computer programs that perform runtime behavior-based detection of malicious software was incorrect and vacated its holding that the patent claims were unpatentable as obvious. The case was remanded for further proceedings consistent with the Federal Circuit’s claim construction (Sophos Limited v. Iancu, March 28, 2018, Taranto, R.).

Sophos Limited’s U.S. Patent No. 8,776,218 (the ’218 patent) relates to a computer program that monitors "an executing computer process" for "indication[s] of malicious behavior," takes "[a] plurality of malicious behavior indications observed" in the executing computer process and compares that observed collection to one or more "predetermined collection[s] of malicious behaviors" in a database of such collections, and, if there is a "match[]," conducts further analysis and causes action to be taken.

The patent describes using two kinds of databases for malware detection. Each element in one database is a predetermined malicious behavior referred to as a "gene," which may be identified in an executing computer process being monitored. Each element in the other database is a predetermined collection of such genes, each such collection referred to as a "phenotype."

A phenotype may be any combination of such behaviors—in particular, "a predetermined collection of malicious behaviors which may include a grouping of specific genes that are typically present in a type or family of malicious code." Both in the language of the independent claims, and in its explanation accompanying the amendment, Sophos made clear that it is each phenotype that is "ranked," so that matching one phenotype rather than another can provide more information about the likely malware threat of the runtime object being tested.

Finjan Holdings, Inc. challenged claims 1 through 20 of the ‘218 patent. The Board instituted inter partes review of claims 1 through 12 for obviousness over U.S. Patent No. 7,809,670 (Lee) and U.S. Patent No. 8,171,545 (Cooley), and also over U.S. Patent No. 7,089,428 (Farley) and Cooley.

Sophos appealed, arguing that the Board was wrong in its fundamental view that the predetermined phenotypes, which are stored in the database, are ranked based on how similar they are to the set of malicious behavior indications observed in a particular monitored runtime object (program). With Finjan no longer participating, the PTO’s Director has intervened.

Nothing in the claims, the specification, or the prosecution history supported the Board’s understanding that the predetermined phenotypes are ranked based on their similarity to the observed malicious behavior indications, the court held. The Board’s view calls for ranking phenotypes vis-a-vis each other. However, neither the Board’s explanation nor the Director’s defense of that explanation indicated how the claim can reasonably be understood to call for that ranking to be based on how similar phenotypes in a database are to a particular runtime object being scrutinized. The Board’s central understanding was unreasonable in light of the specification and the claim’s own statement of its objective.

Also, the court found nothing in the ’218 patent that disclosed ranking the predetermined phenotypes according to their degree of similarity to a particular set of malicious behaviors observed in a particular runtime object. Rather, the patent speaks consistently of seeking a "match" of a phenotype for the runtime object’s set of malicious-behavior indications, never of examining degrees of similarity. The Board’s notion would call for re-ranking the group of phenotypes with every new runtime object that is evaluated, yet the patent says nothing to that effect.

Finally, the court noted that the Board’s notion of ranking the phenotypes by how similar each is to a particular runtime object was detached from the essential function of the invention. The Board’s notion of similarity-based ranking eliminates the essential independent source of information for assessing the runtime object, and it leaves nothing in its place that the Board or the Director has explained would still allow the claimed invention to perform its function.

The proper construction of "are ranked" limitation is that a phenotype is ranked relative to others based in some way on its indicating known malware; the runtime object is scrutinized to see if its set of observed behaviors matches one of the phenotypes in the phenotype database; and it is the rank of a matched phenotype that determines the level of confidence that the runtime object is like a known family of malware (triggering content analysis and action). Whether the prior art disclosed the "are ranked" limitation under the proper construction must be determined on remand.

The case is No. 2017-1567.

Attorneys: Stanley Joseph Panikowski (DLA Piper LLP) for Sophos Ltd. Molly R. Silfen (U.S. Patent and Trademark Office) for Andrei Iancu.

Companies: Sophos Ltd.

MainStory: TopStory Patent TechnologyInternet FedCirNews

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More
Reading IP Law Daily on tablet

IP Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on intellectual property legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.

Free Trial Learn More