VERACODE, INC. v. APPTHORITY, INC.

Links


US 5,854,924

US 7,752,609

Summary

Claims of US patents 5,854,924 and 7,752,609 in the name of Veracode were found to be patent-eligible subject matter under 35 USC 101 because the claimed method exceeds mere automation of a well-known process by harnessing and improving upon the unique properties and complex capabilities of computer technologies.

Comments

  • The claimed invention is more complex than what could be done by humans and transforms the claimed invention from an abstract idea simply automated by a computer into an inventive concept.
  • The patents do not claim a monopoly over all decompiling methods, but rather focus on a specific method for generating as-complete-as-possible data and control flow models.

Broad description of the invention

The `924 Patent is a “static debugging tool . . . to detect the presence of program errors and potential errors” in the machine-code version of a piece of software without actually running the analyzed software. Veracode also owns the `609 Patent issued in 2010 but claiming priority to 2002. The `609 Patent is a “software analysis framework” that consists of a method of decompiling machine code — which humans cannot interpret — into a form “that one of a certain skill can analyze.”

Characteristic Claim

A static debugging tool for use with a computer and for debugging a binary program file without requiring the execution of the binary program file in order to detect the presence of program errors and potential program errors, the static debugging tool comprising:

an analyzer for causing the computer to statically analyze a representation of the binary program file to detect the presence of program errors or potential program errors in the representation of the binary program file without executing the binary program file, wherein the representation of the binary program file is an intermediate file; and an output arrangement for causing the computer to output an error list of the errors or potential errors detected by the analyzer.

Details

Both patents generate an intermediate file from a program’s binary code. Binary code is a machine-readable form of code that allows a computer to run a particular piece of software; it is originally written as source code by software developers and then compiled into binary form by a computer. Although binary code is not readable by humans, the intermediate file the patented technology generates is intelligible to persons of ordinary skill in the art of software development. A software developer can reverse engineer the intermediate code to reconstruct or approximate the program’s original source code.

As a threshold requirement for patent protection, the patented technology or subject matter of a patent must be patentable. 35 U.S.C. § 101. If this requirement is not satisfied, the patent is invalid. The purpose of § 101 is to ensure “that patent protection promotes, rather than impedes, scientific progress and technological innovation.” I/P Engine, Inc. v. AOL Inc., 576 F. App’x 982, 996 (Fed. Cir. 2014) (nonprecedential) (Mayer, J., concurring).

Section 101 defines patentable subject matter as “any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof.” The Supreme Court has identified three categories of unpatentable subject matter (or patent-ineligible concepts) because they fail to meet this definition: laws of nature, physical phenomena, and abstract ideas, including mental processes. In re Bilski, 545 F.3d 943, 952 (Fed. Cir. 2008) (en banc) (citing Supreme Court decisions), aff’d sub nom. Bilski v. Kappos, 561 U.S. 593 (2010). These categories are not patentable because “they are the basic tools of scientific and technological work,” Gottschalk v. Benson, 409 U.S. 63, 67 (1972), and must be available for future use by others. Inventions relying on such patent-ineligible concepts become patentable only when they apply the concept “to a new and useful end.” Funk Bros. Seed Co. v. Kalo Innoculant Co., 333 U.S. 127, 130 (1948).

The Supreme Court has recently focused its attention on the patentability requirement, particularly in the realm of abstract ideas and mathematical processes. See Alice Corp. Pty. Ltd. v. CLS Bank Int’l, 134 S. Ct. 2347 (2014); Mayo Collaborative Servs. v. Prometheus Labs., Inc., 132 S. Ct. 1289 (2012). Under Alice and Mayo, a defendant asserting that a patent covers unpatentable subject matter must satisfy a two-part test. Alice, 134 S. Ct. at 2354.

First, the defendant must show that the claims at issue are directed toward one of the patent-ineligible concepts. Id.; see Mayo, 132 S. Ct. at 1296-97. This step requires ascertaining the purpose of the claimed invention and analyzing whether that purpose is, for example, abstract. See Cal. Inst. of Tech. v. Hughes Commc’ns Inc., 59 F. Supp. 3d 974, 980 (C.D. Cal. 2014).

If the defendant satisfies this burden, it must then satisfy the second step by demonstrating that there is no “inventive concept” in the claimed matter or technology that would “transform the nature of the claim into a patent-eligible application.” Alice, 134 S. Ct. at 2354 (citing Mayo, 132 S. Ct. at 1294, 1297-98 (internal quotation marks omitted)). An “inventive concept” is one that is “sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the [ineligible concept] itself.” Id. (quoting Mayo, 132 S. Ct. at 1294 (alteration in original)). Looking for an inventive concept requires consideration of “the elements of each claim both individually and as an ordered combination.” Id. (citing Mayo, 132 S. Ct. at 1297-98 (internal quotation marks omitted)). “[R]ecitation of conventional, routine, or well-understood activity will not save an abstract claim. . . . But a claim element is not conventional just because it appears in prior art.” Cal. Inst., 59 F. Supp. 3d at 980. If the ordered combination of elements, considering all of the elements together, “constitutes conventional activity, the claim is not patentable.” Id. However, even if a claim element individually is abstract (standing alone), “a series of conventional elements may together form an unconventional, patentable combination.” Id.

The `609 Patent claims a software analysis framework that consists of methods and systems of analyzing executable software code using a computer. As explained above, when a programmer writes a computer program, he or she does so in source code. That source code is not readable by computers, and as a result must be compiled into an intermediate file, which is then assembled into a binary that is readable by a computer; this final result is the executable file. Binary is not readable by humans. When the original source code is not available, decompilers and similar tools are used to translate a binary into an intermediate representation that is then readable by a programmer and can be used to determine, at least to some degree of accuracy, what the original source code for the program was.

The claimed method in the `609 Patent processes executable software code to generate “an optimized, exhaustive data flow model” and “an optimized, exhaustive control flow model.” In so doing, it decompiles the executable software code into an intermediate file form “that one of a certain skill can analyze.” This provides “a complete model of the executable software code based on the optimized data flow model and the optimized control flow model,” which “facilitate[s] analysis of the executable software code” by comparison to the intermediate file.

Appthority contends that the `609 Patent claims are directed to a computerized, automated approach to software analysis that is based on longstanding technological approaches (data flow and control flow), which were previously done by hand using human mental processes, and are therefore unpatentable. Veracode apparently concedes that the concepts of control flow and data flow analysis are abstract ideas, but instead contends that the invention is directed at much more than these concepts and contains inventive components, because the specific processes articulated in the `609 Patent claims cannot be performed by humans and contain meaningful limitations on the abstract idea underlying the patent claims.

The focus in the first part of the Alice/Mayo test is on the purpose of the claimed invention, rather than its novelty. See Enfish, Inc. v. Microsoft Corp., 56 F. Supp. 3d 1167, 1170-71 (C.D. Cal. 2014). The claimed invention here involves a method of processing code to generate optimized, exhaustive data flow and control flow models. The specific features of these models — that they are optimized and exhaustive, for example — are relevant to the second part of the analysis, but not to the first, as Veracode contends.

Mathematical relationships and formulas, including algorithms, are considered abstract ideas. DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1256 (Fed. Cir. 2014); see Parker v. Flook, 437 U.S. 584, 585 n.1, 594-95 (1978); Gottschalk, 409 U.S. at 67. The basic concept of translating binary code into an equivalent, legible code is, in essence, an idea of mathematics implemented by a mental process. See Gottschalk, 409 U.S. at 67 (concluding that “conversion of [binary-coded decimal] numbers to pure binary numerals can be done mentally” through “ordinary arithmetic steps a human would use,” and that claim for computer to run conversion was patent-ineligible because these mathematical procedures require “no new machinery” to be carried out by computers); Cal. Inst., 59 F. Supp. 3d at 993 (“concepts of encoding and decoding are longstanding steps in the process of error correction,” and therefore claims that “explicitly recite the fundamental concepts of encoding and decoding data” are directed to abstract ideas).

Appthority has presented substantial evidence that the primary functions of the invention at issue here — control flow and data flow analysis — are longstanding, recognized building blocks of computer science. See generally Alfred V. Aho et al., Compilers: Principles, Techniques, and Tools (reprint 1988). Consistent with the policy purposes of the patent system, these basic principles are not patent-eligible. See Enfish, 56 F. Supp. 3d at 1174 (“Longstanding practices are often the building blocks of future research and development. Patents on these practices would significantly impede productive or inventive activity, to the detriment of society.”).

In addition, both parties recognize that it is possible to analyze binary code manually or mentally. “[A] method that can be performed by human thought alone is merely an abstract idea and is not patent-eligible . . . . because computational methods which can be performed entirely in the human mind are the types of methods that embody the ‘basic tools of scientific and technological work’ that are free to all men and reserved exclusively to none.” See CyberSource Corp. v. Retail Decisions, Inc., 654 F.3d 1366, 1372-73 (Fed. Cir. 2011) (citing Gottschalk, 409 U.S. at 67).

It is clear, then, that the claimed invention of the `609 Patent is directed at a building block of computer science and a fundamental practice in the industry, and therefore is directed at a patent-ineligible concept.

I ask next whether the patent consists exclusively of a building block concept, or whether it forms an inventive concept by offering “additional features that provide practical assurance that the process is more than a drafting effort designed to monopolize [the abstract, ineligible concept] itself.” Mayo, 132 S. Ct. at 1297; see Alice, 134 S. Ct. at 2354. To survive this inquiry, the claims must do more than employ a generic computer to perform a task that has been long-recognized. This was the thrust of Alice, in which the Supreme Court stated that a claim “directed to [an] abstract idea” does not “transform that abstract idea into a patent-eligible invention” by “merely requir[ing] generic computer implementation.” Alice, 134 S. Ct. at 2357-58 (citing Flook, 437 U.S. at 594); see Bilski v. Kappos, 561 U.S. 610-11 (2010) (“the prohibition against patenting abstract ideas cannot be circumvented by attempting to limit the use of [the idea] to a particular technological environment”).

Indeed, the case law makes clear that a process that simply automates a known transaction and requires nothing more than a generic computer to perform conventional computer functions and activities already known in the industry is not patent-eligible. See Versata Dev. Grp., Inc. v. SAP Am., Inc., 793 F.3d 1306, 1327 (Fed. Cir. 2015) (“the presence of a general purpose computer to facilitate operations through uninventive steps does not change the fundamental character of an invention”); see also buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1351, 1355 (Fed. Cir. 2014) (claims not patent-eligible because they “are squarely about creating a contractual relationship . . . that is beyond question of ancient lineage,” and their “invocation of computers adds no inventive concept” because “[t]he computer functionality is generic”); Digitech Image Techs., LLC v. Elecs. for Imaging, Inc., 758 F.3d 1344, 1351 (Fed. Cir. 2014) (claim employing “algorithms to manipulate existing information to generate additional information” not patent-eligible); Planet Bingo, LLC v. VKGS LLC, 576 F. App’x 1005, 1006 (Fed. Cir. 2014) (nonprecedential) (computerization of bingo game not patent-eligible because claim “consists solely of mental steps which can be carried out by a human using pen and paper”); see also CyberSource, 654 F.3d at 1370 (invocation of the Internet to perform the transaction does not transform an ineligible claim into an eligible one). Even the addition of steps for implementing the abstract idea will not render the claim patent-eligible if the additional steps are routine and conventional, and therefore “add nothing of practical significance to the underlying abstract idea” or serve to limit it in some meaningful fashion. See Versata Dev., 793 F.3d at 1334; Ultramercial, Inc. v. Hulu, LLC, 772 F.3d 709, 716-17 (Fed. Cir. 2014), cert. denied sub nom. Ultramercial, LLC v. WildTangent, Inc., 135 S. Ct. 2907 (2015); see also Mayo, 132 S. Ct. at 1299 (“[w]ell-understood, routine, conventional activity,” without more, is insufficient); Enfish, 56 F. Supp. 3d at 1176-77 (additional limitations on claims must supply sufficiently inventive concepts).

Despite this limitation on patent eligibility for claims involving computer implementation of abstract ideas or known mathematical algorithms, Alice left open the possibility that a method that “purport[s] to improve the functioning of the computer itself” or “effect an improvement in any other technology or technical field” could be patent-eligible. Alice, 134 S. Ct. at 2359; see Enfish, 56 F. Supp. 3d at 1172-73; Cal. Inst., 59 F. Supp. 3d at 980. A claim for a computer-implemented process that solves a technological problem the industry faces, for example, is patentable under the Alice framework. Cf. Diamond v. Diehr, 450 U.S. 175, 177-78 (1981) (computer-implemented process that employed widely used mathematical equation to solve technological problem was patentable); Versata Dev., 793 F.3d at 1327 (claim that “solve[s] a technical problem using a technical solution” may be patentable). DDR Holdings provides an example of such a process. In that case, the Federal Circuit upheld an Internet-based claim as a patent-eligible inventive concept where the claimed solution was “necessarily rooted in computer technology in order to overcome a problem specifically arising in the realm of computer networks,” because it “amount[ed] to an inventive concept for resolving this particular Internet-centric problem” and was narrowly defined. See DDR Holdings, 773 F.3d at 1257, 1259. Judge Pfaelzer similarly concluded that a claim for a particular computer-based process survived the Alice test because it presented “a unique computing solution that addresses a unique computing problem.” Cal. Inst., 59 F. Supp. 3d at 1000.

With these principles in mind, I turn to the specific language of the claims of the `609 Patent, focusing primarily on claim 1. Claim 1 consists of “[a] method for analyzing executable software code using a computer comprising a processor and a memory.” As stated above, the method includes the following elements: “processing the executable software code to generate an optimized, exhaustive data flow model including parsing the executable software code to facilitate identification of data flows for inclusion in the exhaustive data flow model,” “processing the executable software code to generate an optimized, exhaustive control flow model,” and “storing, in the memory, an intermediate representation of the executable software code that provides a complete model of the executable software code based on the optimized data flow model and the optimized control flow model, thereby facilitating analysis of the executable software code according to comparison of the intermediate representation to reference models.”

Standing alone, the method is an abstract idea. The translation of binary code and storing of an intermediate representation that can be used to analyze the underlying executable software code — in other words, decompilation — is not of ancient lineage like the contract, bank transaction, and bingo games at issue in buySAFE, Digitech, and Planet Bingo, but it is sufficiently well-established that there must be some meaningful innovative concept to render it patent-eligible. See Gottschalk, 409 U.S. at 67; Cal. Inst., 59 F. Supp. 3d at 993-94. This was illustrated by Mr. Rioux’s own testimony at trial that the process could, at least in some limited capacity, be performed manually. That this method is implemented “using a computer” is not enough to render it patentable. See Alice, 134 S. Ct. at 2358.

Appthority — seizing on Mr. Rioux’s testimony that the claimed method could be performed manually — argues that the patent does not indicate any mechanism by which the computer-implemented method improves this longstanding process rather than simply automating it. To the contrary, however, the claimed method’s focus on the generation of an optimized, exhaustive model, as these descriptors have been defined in the claim construction process, renders the claimed invention more complex than what could be done by humans and transforms the claimed invention from an abstract idea simply automated by a computer into an inventive concept.

During claim construction, I found that “optimized” meant “refined by iteration until substantially all data variables or control branches are modeled.” See Veracode, 2013 WL 5587946, at *13. An optimized model “models ‘substantially all data variables or control branches.’” Id. I found that “exhaustive” did not require construction because it was used in the ordinary sense of the word. See Veracode, 2013 WL 557946, at *15-16.

The evidence presented at trial and through the subsequent submissions of the parties demonstrates that the optimized and exhaustive features of the claimed method “effect an improvement” in the technical field and the preexisting technology, compared to what could be done by humans or simply by automating a manual process. See Alice, 134 S. Ct. at 2359. The evidence demonstrates that in the mid-1990’s, software security analysts had three options available for analyzing software for bugs and program errors. First, they could conduct static analysis by looking at the source code for the software, mentally building a model of it, and looking for potential security problems. This method was often incomplete because the software developer would not provide the complete source code, resulting in gaps or “blind spots” in the security analysis. Second, they could conduct a dynamic analysis by running or executing the program, trying out various inputs, and watching how the program responds. This too had major deficiencies because it was limited to the time and creativity of the security analyst inputting various commands and activities into the program. Third, they could attempt to manually decompile the binary into an intermediate representation, a task that was described by Dr. Rubin — Veracode’s expert — as impossible without the assistance of a decompiler. The available decompilers, however, were impractical and ineffective, because they lost program elements in translation and therefore did not adequately preserve the meaning of the underlying program. The result, according to Dr. Rubin, was an approximation of the program that was “very rough” and “missing a lot of information from the actual . . . program.” Even Appthority’s expert, Dr. Clark, described decompilation as akin to taking something that had been translated from English to Chinese (i.e., source code to binary) and using a different translator to translate it back to English. The consequence of these omissions was that “any bugs or program errors that there might have been in that binary may not even be represented in the high level language output that you would get from decompiling.”

It was this third method that the claimed method under the `609 Patent sought to improve upon. By employing a method that involves multiple iterations or progressive steps to achieve as comprehensive as possible models, essentially mimicking the process employed for compilation, Mr. Rioux’s decompilation method overcame numerous shortcomings of existing methods for identifying security risks in producing a more complete and accurate model of the underlying software. By including both control flow and data flow models that aim for both optimization and exhaustion, the method achieves a more accurate and more complete translation of the binary for security analysts to review than what the existing methods could provide. An optimized data flow model, Dr. Rubin testified, is built up by iteration by “going through a loop in the code in the analyzer, and modeling substantially all of the variables that write to memory and read from memory.” Similarly, an optimized control flow model “models substantially all of the control flow branches in the program.”

These achievements — that is, the process and result of producing a more complete model of the computer program being analyzed — are ones that could not be done using the technology as it existed at the time, according to the trial testimony, and that rely upon the complex functions of the patented computer system. The claimed method performs steps that a human mind can take only so far; it thus continues the iterative process further toward completion than a human mind could, and than the existing technology could. Cf. Enfish, 56 F. Supp. 3d at 1181 (program that “recites a modern, computer-specific concept to solve the modern, computer-specific problem of scarce memory” would be patentable because “it is addressed to an inventive computing concept”). If the invention merely improved the speed and accuracy of a particular task through computer implementation, that would not be enough to generate a patent-eligible concept. See Intellectual Ventures I LLC v. Capital One Bank (USA), 792 F.3d 1363, 1368, 1370 (Fed. Cir. 2015); OIP Techs., Inc. v. Amazon.com, Inc., 788 F.3d 1359, 1363 (Fed. Cir. 2015); Enfish, 56 F. Supp. 3d at 1181. But the claimed method exceeds mere automation of a well-known process by harnessing and improving upon the unique properties and complex capacities of computer technology. The claimed method both improved the speed and accuracy of the process and produced a largely complete result through optimization and exhaustion that was unobtainable using existing methods.

The `609 Patent claims share important characteristics with those at issue in DDR Holdings. In that case, the Federal Circuit observed that the claims at issue did “not recite an invention as technologically complex as an improved, particularized method of digital data compression,” but they also did not “recite a commonplace business method aimed at processing business information, applying a known business process to the particular technological environment of the Internet, or creating or altering contractual relations using generic computer functions and conventional network operations, such as the claims in Alice, Ultramercial, buySAFE, Accenture, and Bancorp.” DDR Holdings, 773 F.3d at 1259; see Bancorp Servs., L.L.C. v. Sun Life Assurance Co. of Can. (U.S.), 687 F.3d 1266, 1278 (Fed. Cir. 2012). Rather, the claims were directed to more than an abstract concept because they included “additional features” that specified how certain Internet-based interactions would be “manipulated to yield a desired result.” Id. at 1259. As the Federal Circuit later observed, “[t]he patent at issue in DDR provided an Internet-based solution to solve a problem unique to the Internet that (1) did not foreclose other ways of solving the problem, and (2) recited a specific series of steps that resulted in a departure from the routine and conventional sequence of events after the click of a hyperlink advertisement.” Intellectual Ventures, 792 F.3d at 1371 (citing DDR Holdings, 773 F.3d at 1256-57, 1259).

Here, the `609 Patent claims do not claim a monopoly over all decompiling methods, but rather focus on a specific method for generating as-complete-as-possible data and control flow models in the form of an intermediate representation that can be used to identify flaws in the executable software code. In so doing, the `609 Patent does not claim the broad concept of an intermediate representation, but rather a narrower manifestation of it, by articulating an iterative process that had previously been unavailable to programmers and security risk analysts that addressed the problem of analyzing illegible binary code. As in DDR Holdings, 773 F.3d at 1258, the claims here are directed to a “solution [that] is necessarily rooted in computer technology in order to overcome a problem specifically arising in the realm of computer[s].” Cf. Versata Dev., 793 F.3d at 1334 (claim that “involve[s] arranging a hierarchy of organizational and product groups,” storing, retrieving, and sorting pricing information, “eliminating less restrictive pricing information, and determining the price” does not impose “sufficient additional limitations to transform” “basic conceptual framework for organizing information” into something inventive and is not patent-eligible); Digitech, 758 F.3d at 1349-50 (claim that “recites a process of taking two data sets” that are “generated by taking existing information,” and “combining them into a single data set, the device profile,” and does not add any additional limitations, simply “employs mathematical algorithms to manipulate existing information to generate additional information” and is not patent-eligible); Bascom Research, LLC v. LinkedIn, Inc., 77 F. Supp. 3d 940, 950-954 (N.D. Cal. 2015) (analogizing to Digitech, observing that “[e]stablishing relationships between document objects and making these relationships accessible is not meaningfully different from classifying and organizing data,” and therefore concluding that claims at issue were not patent-eligible because they did not include any additional features other than computer implementation).

In sum: the fact of having to translate from one language (source code) to another (binary) is in many respects unique to the world of software and computers. The claimed method, by offering an iterative process for achieving an optimized and as-near-to-exhaustive modeling of the underlying software as possible to enable a more complete security analysis to be conducted than could be performed through basic automation of human processes, presents “a unique computing solution that addresses a unique computing problem.” Cal. Inst., 59 F. Supp. 3d at 1000; see Enfish, 56 F. Supp. 3d at 1181. For the reasons more fully set forth above, I find and conclude that Claims 1, 13, and 14 of the `609 Patent are patent-eligible under § 101.
