571-272-7822

Paper No. 28
Entered: May 6, 2015

RECORD OF ORAL HEARING

UNITED STATES PATENT AND TRADEMARK OFFICE

- - - - - -

BEFORE THE PATENT TRIAL AND APPEAL BOARD

- - - - - -

FINJAN, INC.,
Petitioner,

v.

FIREEYE, INC.,
Patent Owner.

- - - - - - -

Cases IPR2014-00344 and IPR2014-00492
U.S. Patents 8,291,499 and 8,171,553
Technology Center 2400

- - - - - - -

Oral Hearing Held on Tuesday, March 31, 2015

- - - - - - -

Before: BRYAN F. MOORE, LYNNE E. PETTIGREW, and FRANCES L. IPPOLITO (via video link), Administrative Patent Judges.

The above-entitled matter came on for hearing on Tuesday, March 31, 2015, at 2:00 p.m., in Hearing Room A, taken at the U.S. Patent and Trademark Office, 600 Dulany Street, Alexandria, Virginia.

APPEARANCES:

ON BEHALF OF THE PETITIONER:

JAMES HANNAH, ESQ.
MICHAEL LEE, ESQ.
Kramer Levin Naftalis & Frankel LLP
990 Marsh Road
Menlo Park, California 94025-1949
650-752-1700

Phil Hartstein, President & CEO
Julie Y. Mar-Spinola, Chief IP Officer
Finjan, Inc.

ON BEHALF OF THE PATENT OWNER:

DAVID L. McCOMBS, ESQ.
THOMAS KING, ESQ.
Haynes and Boone, LLP
2323 Victory Avenue
Suite 700
Dallas, Texas 75219
214-651-5000

Gary Ross, Director of Patents
FireEye, Inc.

PROCEEDINGS

(2:00 p.m.)

JUDGE MOORE: Please be seated. Good morning. I'm Judge Bryan Moore. With me on the bench is Judge Lynne Pettigrew, and to my left appearing by video is Judge Ippolito.

We are here this morning for the oral argument on two inter partes reviews, IPR2014-00344 and 2014-00492.

According to Judge Ippolito's trial order, each party will have one hour of total time to present argument. A party may allot time between the two cases as it wishes.

Finjan bears the ultimate burden of proof that FireEye's claims at issue within these reviews is unpatentable. Finjan will then, therefore, begin by presenting its case regarding the challenged claims and grounds for which the Board instituted the proceedings.

FireEye will then respond to Finjan's argument. Finjan may reserve time to respond to arguments presented by FireEye.

Just as a note, I'm not sure if there will be objections to material being -- arguments that are new or beyond the scope of the original petition. If there are such arguments, please hold objection until the end of the other side's presentation and bring those issues up after.

So with that, we will begin with Finjan.

MR. HANNAH: Thank you, Your Honor. We have paper copies of the presentation. Would that be helpful for Your Honors?

JUDGE MOORE: Sure, that's fine.

MR. HANNAH: May I approach?

JUDGE MOORE: Sure.

Actually before we begin, just for the record, if you could identify yourself and who is with you and we will also have the other side identify themselves.

MR. HANNAH: Absolutely. Thank you, Your Honor. My name is James Hannah. I'm from the law firm of Kramer Levin Naftalis & Frankel. With me is my colleague, Michael Lee, also from Kramer Levin.

In the back we have two Finjan representatives. Mr. Phil Hartstein is the President and CEO of Finjan, and we have Julie Mar-Spinola, who is the Chief IP Officer of Finjan.

JUDGE MOORE: Thank you. And just for the record, FireEye.

MR. McCOMBS: Yes, Your Honor. I'm David McCombs and I'm with Haynes and Boone. With me is my colleague, Tom King. We are here on behalf of FireEye.

Also joining us is Gary Ross, the Director of Patents for FireEye.

JUDGE MOORE: Proceed.

MR. HANNAH: Thank you, Your Honors. May it please the Court. Finjan brought this petition against FireEye. And as Your Honors note, this is the oral hearing for case 2014-00344 involving 8,291,499, and case 2014-00492 for Patent Number 8,171,553.

I would like to reserve 15 minutes for rebuttal of my time and so I will cut my presentation off at 45 minutes for that rebuttal.

Finjan, by way of background, is a company founded in 1996 to protect against Internet-borne security threats. Today Finjan is a publicly-traded NASDAQ company, also focusing on research and development. It is currently developing and will be releasing in the springtime a mobile security product for Internet-based security.

It also focuses a lot of its effort in terms of investing in technology companies and the like, also in the security space.

I will try to enumerate the slides as I go through pursuant to the order. I hope that helps Your Honors.

JUDGE MOORE: Okay. I have been informed that there may be some background noise which is impeding Judge Ippolito. So I don't know if it is possible to turn or bring your mic slightly closer to you. That might be helpful.

MR. HANNAH: Is that better, Your Honor?

JUDGE IPPOLITO: Yes, it is better. There is something, like a fan in the background, but I can hear you if you are closer to the mic.

MR. HANNAH: Okay. I will try to keep closer to the mic. Does that work better?

JUDGE IPPOLITO: That's much better. There is no longer any noise.

MR. HANNAH: Okay. Great. Thank you. So these two cases involve interrelated patents, the '499 patent and the '553. The technology, generally based, is intrusion detection and prevention.

Intrusion detection was well known in the 2004-2005 time frame. The earliest priority date of these two patents dates to a provisional in June of 2004. Generally, intrusion detection, prevention, detection and prevention, relates to various network threats that are prolific on the Internet and focuses on worm characteristics.

Worms, as Your Honors are aware, are malicious programs that themselves don't infect other files but are malicious in their own right and so they will go through and try to infect networks by different propagation techniques. And so there are ways in order to detect against these propagation techniques and detect them in various systems.

The '499 and the '553 patent share a common specification. The claim scope is also very similar between
the two patents, so much so that a terminal disclaimer was filed due to the closeness of the claim scope.

And as you look through the prosecution history of both the '499 and the '553 patent, we see that the sole reason for allowability was flagging data for replay in an analysis environment, and we will be talking a lot about that today.

This is claim 1 from the -- I'm on slide 4. On slide 4 I'm showing claim 1 from the '499 patent. It is a representative claim of other -- the claims that are at issue in this IPR. Additional claims have some additional limitations, which we will get into specifically, but we will start with claim 1.

And here we see that claim 1 broadly covers a tap configured to copy network data from a communication network and a controller. Those are the two main elements of the claim.

The controller has a number of steps that are involved with it. First is receiving the copy of the network data from the tap, and then compare the copy of the network data to at least one policy to look for characteristics of a computer worm.

The controller is also configured to flag at least a portion of the copy of the network data for replay in an analysis environment based on the determination, and then it replays the transmission of the suspicious flagged network
data copied from the communication network to a destination device.

Now, notably, most of these limitations are uncontested. These elements recite well-known IDS systems that were in the prior art, especially in the 2004 time frame, but even in the early 2000s and late 1990s. Specifically, the tap is well known and uncontested, and a number of the elements of the controller are well known and uncontested in this case.

Turning to slide 5, here is the person of ordinary skill in the art. And often this standard gets overlooked but it is important in this case. Here there is no dispute with regard to one person of ordinary skill in the art, and it is a higher burden than is normally the case.

It is not a person in computer science or generally in the computer science field. This is specifically someone with a computer science degree or computer networking degree and specific experience in computer networking or computer security.

That person of ordinary skill is going to understand how to put networks together, put devices on networks, configure networks, configure devices on networks.

The alternate is a person with six or more years of relevant experience, again, in a specific field, computer networking and computer security. It is not a general standard
in computer science. And so this person with six or more years industry experience is going to know how to configure these types of devices, and it is important in this case.

As Your Honors are aware for the '344 patent, the order that granted the trial in this case granted it for a number of references. And the primary references here are Kaeo, Venezia, Dunlap, Chen and Liljenstam. This is slide 6 that I'm showing up on the screen right now. And the claims that have been instituted is 1 through 4, 6 through 8, 19 through 25, 27 through 29 of the '499 patent.

The Board has also instituted trial and decided for the '553 patent, again, using the same five references essentially. We will talk about those references in detail today. But, again, for the record, on slide 7 it shows that the instituted claims are 1, 3 through 8, 12 through 14, 16 through 20, and 22 through 30 of the '553 patent.

Now, the Board correctly determined that the claims at issue are unpatentable. And here I just turned to slide 8 for the record. The evidence of the record supports the Board's decision. In fact, there is overwhelming evidence that the '499 and the '553 patent is invalid in this case for the instituted claims.

In the Petitioner's petition, in our petition there is numerous citations to the evidence and there are specific citations to motivations to combine references.

JUDGE IPPOLITO: Counsel, this is a point of clarification.

MR. HANNAH: Yes.

JUDGE IPPOLITO: For the decision to institute we had at that time a preliminary record, so to the extent that the slide is referring to a determination, that was not a final determination. That was only at the preliminary stage. I just wanted to make that clarification for the record.

MR. HANNAH: That's correct, Your Honor. It was a preliminary determination, for the record, and why we're standing here today. Thank you.

As I was saying, the evidence of the record supports the Board's decision. In the Patent Owner's response there is a large amount of attorney argument but there is not a large amount of actual evidence in this case, and that is key because attorney argument cannot substitute for evidence.

In contrast, Finjan sets forth citations, direct citations to the evidence which are the references in this case and specific reasons to combine those references in support of its position.

FireEye in its response largely ignores the Board's decision and the cited evidence. In fact, for motivations to combine it will address maybe one reason for reasons to combine, ignoring the other two from the Petitioner and even the Board. This alone is dispositive of the issue.

Finally, FireEye's reasoning contradicts the legal standard for claim construction and the obviousness standards. FireEye is attempting to import limitations into the claims which are not there and is using an improper standard for obviousness, not considering the full scope of KSR, which is required in order to make a determination of obviousness.

So I would like to start with the background, a brief background of the references before we dive into the individual claims. Kaeo is a 745-page book discussing various aspects of network security.

It is by and large the foundation of the knowledge of one of skill in the art in this case. It is a Cisco guide for designing and securing a network infrastructure, and it describes a variety of security options, including intrusion detection systems.

Kaeo is largely -- is completely, I should say, undisputed in terms of what it teaches and the limitations that it teaches. Kaeo is not addressed by FireEye in this matter for a number of the limitations.

The next reference that we will be discussing today is the Venezia reference. Venezia describes the NetDetector product. The NetDetector product is a robust system which captures, records and replays intrusion packets that are coming into a network and replays those. It has the replay capability
and it is also able to look at exactly what an attacker is trying to do in terms of intruding into a network.

Liljenstam is the next reference that we will be discussing. It is a research paper discussing the DIB:S/TRAFEN intrusion detection system. In this paper it talks about how ICMP packets are detected, stored into and converted into tcpdump and then replayed, where algorithms are applied in order to detect whether characteristics of a worm are present within the network.

We also will be talking about the Chen reference. The Chen reference is a research paper describing a variety of uses for virtual machines. Chen is very explicit in terms of its intrusion detection capabilities, in that it talks about a clone machine and how you can forward suspicious packets to that clone machine to observe the behavior of the clone in order to make a security decision.

What is notable about the Chen reference is that it contains the exact same examples that are contained within the '499 specification and the '553 specification, which makes it a very explicit and on-point reference.

Finally is the Dunlap reference. The Dunlap reference has some association with the Chen reference in that it contains some of the similar authors and people that are working on the ReVirt system.

Dunlap is covering the ReVirt system, which is an intrusion detection system that allows for the replay of certain events that are occurring, including the network packets that are coming across into the virtual machine.

There is a brief summary of the positions that are trying to frame the arguments here for discussion and for presentation. And the three main arguments can be boiled down to slide 14, which is being shown on the screen, and that's "flagging for replay." That's the first general summary of a position. "Identify unauthorized activity." And the third is the "virtual machines" limitations.

And we will be taking each of those in order unless there are questions from Your Honors and I would be happy to answer those out of order.

Starting with the flagging for replay limitation, this is addressed in the briefing. This is the sole argument for a number of the claims. Again, this is shown on slide 15. There is no additional challenge for certain dependent claims, including 2 through 4 or 6 through 8 of the '499 patent or 3 through 7 of the '553 patent.

Looking at the claims, we see that Finjan has petitioned and the Board has accepted preliminarily Kaeo and Venezia and Kaeo and Liljenstam for all of the elements of this claim.

The only one that is contested is this flagging the at least a portion of the copy of the network data for replay in an analysis environment. And we will be addressing Kaeo/Venezia or Kaeo/Liljenstam for this element.

JUDGE MOORE: Okay. My understanding is Venezia teaches reconstruction and replay.

MR. HANNAH: Correct.

JUDGE MOORE: So could you for the Panel tell us which are you relying on? Are you relying on the replay functionality or reconstruction?

MR. HANNAH: So I think we are relying on both, Your Honor. If we turn to this slide in particular. I'm looking at slide 28. I skipped forward a little bit. It has a screen shot of Venezia and talks about the reconstruction of the attack.

And here, as you can see, the replay of the attack is the reconstruction of the attack. And this specifically tells you about the compromised server that is being analyzed in this situation to see about these two files that are being pulled, being pulled to it. So there is -- and there is a reminder. There is no dispute regarding the fact that Venezia teaches replay for a transmission to a destination device.

The only disputed, under dispute is whether it flags for replay in an analysis environment. And clearly Venezia does this. The way that Venezia does this is that it actually will look for an attack pattern using Snort.

Snort will then begin recording the event, dumping those packets into a database, and then that event can be replayed so that you can either reconstruct the attack or look to see what the effect on the network is in order to determine and look for characteristics of a worm or an infiltration in the network.

JUDGE MOORE: All right. So I just want to make sure we're clear on the record. I think you said replay and reconstruction are the same. They are talked about separately.

So maybe you could talk a little deeper about the difference, if any, between those two as you see that relating to your arguments.

MR. HANNAH: Sure. So I will back up and just go over how I believe how Venezia does work.

So an attack comes into Venezia and Snort will look for it to see if it matches a signature, for instance, of an attack. That will trigger to restart recording the event which is going to be involved in that attack.

And this is all clearly set forth in Venezia. I can give you citations to it if that is helpful.

Once that is dumped into a database, for instance, it can be indexed and put into a database, you can replay the intrusion, as it says right here on the Venezia reference, in order to see what is happening. And what it specifically says
here, it is able to reconstruct the attack, keystroke-by-keystroke, packet-by-packet, and determine the exact commands issued by the attacker.

So by replaying that attack you are able to see exactly what the attacker is trying to do in order to infiltrate the network.

Does that answer your question, Your Honor?

JUDGE IPPOLITO: I have a follow-up question to that.

MR. HANNAH: Please.

JUDGE IPPOLITO: I think the issue is that in Venezia there are two different descriptions of how stored or recorded packets of data can be presented again.

So one aspect, as you mentioned, is the reconstruction that is described in the first figure on that first page, but also there is a replay feature, as it is described, in connection with, I think it is the AIM session that's on the second page.

And there, there is actually, in the reference itself, it refers to it as a replay feature that can be used, as opposed to a reconstruction --

MR. HANNAH: Correct.

JUDGE IPPOLITO: -- feature.

MR. HANNAH: Correct. So on the second page, Your Honor, I believe you are talking about the third column
which says that another option is to replay the session just as it is recorded. Is that what you are referring to?

JUDGE IPPOLITO: Yes. And so a follow-up question to that is, in the reference itself there seems to be a distinction between the two. And the question is how does that distinction between the replay and the reconstruction in Venezia described relate to your argument or the claim?

MR. HANNAH: Sure. So let me turn back to the claims itself. So as we know, the claims require flagging at least a portion of the network data for replay in an analysis environment. And then it also requires replay of the suspicious flagged network data copied from the communication network to a destination device.

So Venezia is quite robust in that, if you can set up a policy to be able to detect an attack and start recording that attack, dumping into a database for later analysis of the attack or reconstruction of the attack. However, you can also use Venezia to replay the session that happened at all. So these are just various options of the Venezia reference.

And so with regards specifically to the claims, to answer your question, I believe the flagging of the suspicious network data for later reconstruction is the identifying because flagging, as the Board has construed and the parties have agreed, flagging is identify. So you are identifying a portion
of that as suspicious for later replay in some type of analysis environment.

But then also it has the capability of replaying the transmission just as it was recorded. So it has both of those capabilities.

JUDGE IPPOLITO: I guess the follow-on question to that is, what is the distinction between the reconstruction and the replay in Venezia and how does that relate to the replay that's in the limitation?

MR. HANNAH: Let me just make sure that I'm clear. So the replay in the transmission in the suspicious flagged data is not at issue in terms of both parties have conceded that that is taught by Venezia. So I believe you are talking about the flagging of the portion for replay in an analysis environment. Is that a fair characterization, Your Honor?

JUDGE IPPOLITO: Well, what I'm trying to understand is, is there a construction of replay that you are proposing or have taken that allows replay recited in the claims to cover both reconstruction and replay in Venezia, because there appears to be a difference in the reference itself between the two terms and how that feature is presented in the reference?

MR. HANNAH: I agree, and I believe that the reference is teaching both, essentially. If we look at slide 27,
for instance, if you look at the left-hand side it talks about how you can reconstruct the attack keystroke-by-keystroke, packet-by-packet, to determine the exact command issued by the attacker. So I think that is part of the flagging for replay in an analysis environment limitation specifically.

Now, it also has the capability of replaying the session just as it was recorded, as it says on the right-hand side. It talks about how it not only detects but also records and replays those intrusions. So the detection occurs and then you have the recording, which can be flagging or identifying some suspicious traffic, and then you can replay those intrusions.

And I believe you can, well, I know you can replay those intrusions in a number of different ways, depending on how you want to use the tool. But specifically for the claims, being able to set the policy and determine an attack and the event that is occurring and then storing those packets for replay in an analysis environment in order to reconstruct the attack, that's meeting the flagging limitation, flagging for replay limitation.

And then replaying the transmission to a destination device could be replaying the session as it occurs or it could be the other replay functionality that Venezia discusses.

JUDGE PETTIGREW: I have another follow-up question and it might be the same question, so bear with us.

Are you saying that the reconstruction in Venezia is what corresponds to the flagging in the claim or is that too simplistic?

MR. HANNAH: I wouldn't say it is too simplistic, but essentially yes. The flagging is construed as identifying. So as long as you, the reference teaches to identify suspicious packets for replay, that is going to be part of the reconstruction of the attack. So you have to identify the packets.

And specifically on Venezia, if you look at page 1, it says NetDetector stores every packet from header to payload in an indexed database. This not only permits an administrator to be notified when an attack has occurred but also to reconstruct the attack.

So the way that Venezia works is that you can set policy by looking, for instance, Snort looking at various attack signatures, and that will begin the recording of an event. And that's when the flagging occurs.

And then once you record all of those packets in that event and put those in a database, you can do a number of things with those packets, including reconstructing the attack.

Does that answer your question?

JUDGE PETTIGREW: I think that helps, yes. Let me see if I can use your language again.

MR. HANNAH: Sure.

JUDGE PETTIGREW: You said --

MR. HANNAH: Would it help if I put the claims up?

JUDGE PETTIGREW: I have the claims in front of me. Actually, well, I think it is more helpful to have the reference up there.

MR. HANNAH: Okay. Great.

JUDGE PETTIGREW: The claim says flagging for replay in an analysis environment. So you are saying identifying the intrusion in the reference for reconstruction is the flagging?

MR. HANNAH: So specifically the flagging is done, in one example, Snort will look at a stream of packets and will identify whether an attack has occurred. And this is on the second page when it talks about Snort identifying an attack.

Once it is determined that a signature matches, for instance, in one example, Venezia, the NetDetector, will start recording that event, recording that suspicious -- those suspicious packets as an event and storing those in a database. That's the flagging. That's the identifying for replay.

And then once you have those stored in a database you can do a variety of things with those packets, including reconstructing them. So that is the flagging for replay in the analysis environment.

JUDGE PETTIGREW: All right. Thank you.

JUDGE IPPOLITO: I have a separate question, the same limitation.

MR. HANNAH: Okay.

JUDGE IPPOLITO: What is the analysis environment?