throbber
Trials@uspto.gov
`571-272-7822
`
`
`Paper No. 28
`Entered: May 6, 2015
`
`
`
`RECORD OF ORAL HEARING
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`- - - - - -
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`- - - - - -
`
`FINJAN, INC.,
`
`Petitioner,
`
`v.
`
`FIREEYE, INC.,
`
`Patent Owner.
`
`- - - - - - -
`
`Cases IPR2014-00344 and IPR2014-00492
`
`U.S. Patents 8,291,499 and 8,171,553
`
`Technology Center 2400
`
`- - - - - - -
`
`Oral Hearing Held on Tuesday, March 31, 2015
`
`- - - - - - -
`
`
`
`Before: BRYAN F. MOORE, LYNNE E. PETTIGREW, and
`
`FRANCES L. IPPOLITO (via video link), Administrative Patent Judges.
`
`
`
`
`
`The above-entitled matter came on for hearing on Tuesday, March 31,
`
`2015, at 2:00 p.m., in Hearing Room A, taken at the U.S. Patent and
`
`Trademark Office, 600 Dulany Street, Alexandria, Virginia.
`
`

`

`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`APPEARANCES:
`
`
`
`ON BEHALF OF THE PETITIONER:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`JAMES HANNAH, ESQ.
`MICHAEL LEE, ESQ.
`Kramer Levin Naftalis & Frankel LLP
`990 Marsh Road
`Menlo Park, California 94025-1949
`650-752-1700
`
`Phil Hartstein, President & CEO
`Julie Y. Mar-Spinola, Chief IP Officer
`Finjan, Inc.
`
`
`
`ON BEHALF OF THE PATENT OWNER:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`DAVID L. McCOMBS, ESQ.
`THOMAS KING, ESQ.
`Haynes and Boone, LLP
`2323 Victory Avenue
`Suite 700
`Dallas, Texas 75219
`214-651-5000
`
`Gary Ross, Director of Patents
`FireEye, Inc.
`
`2
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`P R O C E E D I N G S
`
`(2:00 p. m.)
`
`JUDGE M OORE: Please be se ated. Good
`
`morning. I ' m Jud ge Br y an Moore. With me on the bench is
`
`Judge Lynne Petti grew, and to my l eft appearing b y video is
`
`Judge Ippolito.
`
`We are here this morning for the o ral argu ment on
`
`two inter pa rtes r eviews, IPR2014 - 00344 and 2014 -00492.
`
`According to Judge Ippolito's trial order, ea ch
`
`part y will have o ne hour of total ti me to present arg u ment. A
`
`part y ma y allot ti me between the t wo cases as it wis hes.
`
`Finjan be ars the ulti mate burden of proof that
`
`FireEye 's clai ms at issue within th ese revie ws is un patentable.
`
`Finjan wi ll then, therefore, begin b y pr esenting its case
`
`regarding the cha llenged clai ms an d grounds for whi ch the
`
`Board instituted the proceedings.
`
`FireEye will then respond to Finja n's argu ment.
`
`Finjan ma y r eserv e ti me to respond to argu ments pre sented b y
`
`FireEye .
`
`Just as a note, I ' m not sure if ther e will be
`
`objections to mat erial being -- a rgu ments that are new or
`
`be yond the scope of the original pe tition. If there ar e such
`
`argu ments, please hold objection u ntil the end of the other
`
`side's presentation an d bring those issues up after .
`
`So with that , we will begin with Fi njan.
`
`
`
`3
`
`

`

`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`MR. HANNAH: Thank you , Your Honor. We have
`
`paper copies of the presentation. Would that be hel pful for
`
`Your Honors?
`
`JUDGE M OORE: Sure , that's fine.
`
`MR. HANNAH: Ma y I approa ch?
`
`JUDGE M OORE: Sure .
`
`Actuall y before we begin, just for t he record , if
`
`you could identify yourself and who is with you and we will
`
`also have the oth er side identif y th e mselves .
`
`MR. HANNAH: Absolutely. Thank you, Your
`
`Honor. M y na me is Ja mes Hann ah. I ' m fro m the la w fir m of
`
`Kra me r Levin Na ftalis & F rankel. With me is my c olleague,
`
`Michael Lee , also fro m Kra mer Lev in.
`
`In the back we ha ve two Finjan rep resentatives.
`
`Mr. Phil Hartstei n is the P resident and C EO of Finjan, and we
`
`have Julie Mar -S p inola, who is the Chief IP Officer of Finjan.
`
`JUDGE M OORE: Thank you. And just for the
`
`record, Fire Eye .
`
`MR. McC OMBS: Yes , Your Honor . I' m David
`
`McCo mbs and I ' m with Ha ynes and Boone. With me is my
`
`colleague, To m King. We are here on behalf of Fire E ye.
`
`Also joining us is Ga r y Ross, the Director of
`
`Patents for Fire Eye .
`
`JUDGE M OORE: Proce ed.
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`
`
`4
`
`

`

`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`MR. HANNAH: Thank you , Your Honors. Ma y it
`
`please the Court . Finjan brought this petition against Fire Eye.
`
`And as Your Hon ors note, this is t he oral hea r ing fo r case
`
`2014-00344 involving 8,291,499, a nd case 2014 -00492 for
`
`Patent Nu mbe r 8 , 171,553.
`
`I would like to re serve 15 minutes for rebuttal of
`
`my ti me and so I will cut my prese ntation off at 45 minutes for
`
`that rebuttal.
`
`Finjan, b y wa y of background , is a co mpan y
`
`founded in 1996 to protect against Internet -borne se curit y
`
`threats. Toda y Fi njan is a publicl y -traded NASDAQ co mpan y,
`
`also focusing on research and develop ment. It is cur rentl y
`
`developing and will be releasing in the springti me a mobile
`
`securit y product f or Internet -based securit y.
`
`It also focuses a l ot of its ef fort in ter ms of
`
`investing in technology co mp anies and the like, also in the
`
`securit y spac e.
`
`I will tr y to enu merate the slides as I go through
`
`pursuant to the order. I hope th at h elps Your Honors.
`
`JUDGE M OORE: Oka y. I have be en infor med that
`
`there ma y b e so me background noise which is i mp eding Judge
`
`Ippolito. So I do n't know if it is p ossible to turn or bring your
`
`mic slightly close r to you. That mi ght be helpful.
`
`MR. HANNAH: I s that better, Your Honor?
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`
`
`5
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`JUDGE I PP OLITO: Yes, it is bett er. There is
`
`so mething, like a fan in the ba ckground, but I can h ear you if
`
`you ar e closer to the mi c.
`
`MR. HANNAH: Oka y. I will tr y t o keep closer to
`
`the mi c. Does th at work b etter?
`
`JUDGE I PP OLITO: That 's much better. There is
`
`no longer an y noise.
`
`MR. HANNAH: Oka y. Gre at. Th ank you. So
`
`these two cases i nvolve interrelated patents, the '499 patent
`
`and the '553. The technology, gene rall y based, is intrusion
`
`detection and pre vention.
`
`Intrusion detection was well known in the
`
`2004-2005 ti me f ra me. The ea rliest priorit y date of these two
`
`patents dates to a provisional in June of 2004. Gene rall y,
`
`intrusion detection, prevention, det ection and preven tion,
`
`relates to various network thr eats t hat are prolific o n the
`
`Internet and focu ses on wor m char acteristics.
`
`Wo r ms, as Your Honors are a ware , a re malicious
`
`progra ms that the mselves don't infect other files but are
`
`malicious in their own right and so the y will go th rough and
`
`tr y to infect net works b y diff erent propagation techniques.
`
`And so there ar e wa ys in order to detect against the se
`
`propagation techniques and detect t he m in various s yste ms.
`
`The '499 and the ' 553 patent share a co mmon
`
`specification. Th e clai m scope is a lso ver y si mila r b etween
`
`
`
`6
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`the two patents, s o mu ch so that a t er minal disclai me r was
`
`filed due to the cl oseness of the cla i m scope.
`
`And as you look t hrough the prosecution history of
`
`both the '499 and the '553 patent, we see that the sole reaso n
`
`for allowabilit y was flagging data for repla y in an anal ysis
`
`environ ment, and we will be talking a lot about that today.
`
`This is clai m 1 f r o m the -- I ' m on slide 4. On slide
`
`4 I' m showing cla i m 1 f ro m the '499 patent. It is a
`
`representative cla i m of other -- the clai ms that are at issue in
`
`this IPR. Additional clai ms have so me additional limitations,
`
`which we will get into specificall y, but we will start with
`
`clai m 1.
`
`And here we se e t hat clai m 1 broadl y covers a tap
`
`configured to copy net work data fr o m a co mmunicat ion
`
`network and a co ntroller. Those a re the t wo main e le ments o f
`
`the clai m.
`
`The controller ha s a nu mber of ste ps that are
`
`involved with it. First is receiving the cop y of the n etwork
`
`data fro m the tap , and then co mpar e the cop y of the network
`
`data to at l east on e polic y to look f or chara cteristics of a
`
`co mputer wor m.
`
`The controller is also configured to flag at least a
`
`portion of the copy of the net work data for repla y in an
`
`anal ysis environment based on the deter mination, a nd then i t
`
`repla ys the trans mission of the suspicious flagged network
`
`
`
`7
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`data copied fro m the co mmunication network to a de stination
`
`device.
`
`Now, notabl y, mo st of these li mitat ions are
`
`uncontested. The se ele ments recite well -known I DS s yste ms
`
`that wer e in the p rior art , especi ally in the 2004 ti me fr a me ,
`
`but even in the e a rl y 2000s and late 1990s. Spe cifica lly, the
`
`tap is well known and uncontested, and a nu mbe r of the
`
`ele ments of the c ontroller are well known and unco ntested in
`
`this case.
`
`Turning to slide 5, her e is the perso n of ordinar y
`
`skill in the art. And often this sta ndard gets overlooked but it
`
`is i mportant in this case. He re the re is no dispute with regard
`
`to one person of ordinar y skill in t he art, and it is a higher
`
`burden than is nor mall y the c ase.
`
`It is not a person in co mputer scien ce or generall y
`
`in the co mputer s cience field . Thi s is specificall y s o meone
`
`with a co mpute r s cience degre e or co mputer network ing degree
`
`and specific expe rience in co mpute r networking or c o mputer
`
`securit y.
`
`That pers on of or dinar y skill is going to understand
`
`how to put netwo rks together, put devices on netwo rks,
`
`configure networ ks, configure dev ices on networks.
`
`The alte rnate is a person with six o r more years of
`
`relevant experien ce, again, in a specific fi eld, co m p uter
`
`networking and c o mputer se curit y. It is not a gener al standard
`
`
`
`8
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`in co mputer scien ce. And so this p erson with six or more
`
`years industr y ex perience is going to know how to c onfigure
`
`these t ypes of de vices, and it is i mportant in this ca se.
`
`As Your Honors a re a war e for the ' 344 patent, the
`
`order that granted the trial in this c ase granted it for a nu mbe r
`
`of ref erences . An d the pri mar y ref erences he re are Kaeo,
`
`Venezia , Dunlap, Chen and Liljenst a m. This is slide 6 that I' m
`
`showing up on the scre en r ight now. And the clai ms that have
`
`been instituted is 1 through 4, 6 thr ough 8, 19 through 25, 27
`
`through 29 of the '499 patent.
`
`The Board has also instituted trial and decided for
`
`the '553 patent, a gain, using the sa me five ref erence s
`
`essentially. We will talk about th ose refe rences in detail
`
`today. But , again , for the record , o n slide 7 it shows that the
`
`instituted claims are 1 , 3 through 8, 12 through 14, 1 6 through
`
`20, and 22 through 30 of the '553 patent.
`
`Now, the Board c orrectl y deter min ed that the
`
`clai ms at issue ar e unpatentable. And here I just turned to
`
`slide 8 for the rec ord. The evidenc e of the re cord supports the
`
`Board's decision. In f act, there is overwhel ming evidence that
`
`the '499 and the ' 553 patent is invalid in this case fo r the
`
`instituted claims .
`
`In the P etitioner's petition, in our p etition there is
`
`nu merous citations to the evidence and there a re specific
`
`citations to motivations to co mbine ref erences .
`
`
`
`9
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`JUDGE I PP OLITO: Counsel, this is a point of
`
`clarification.
`
`MR. HANNAH: Yes.
`
`JUDGE I PP OLITO: For the decisi on to institute
`
`we had at that time a preli minar y record, so to the extent that
`
`the slide is ref err ing to a deter min ation, that was no t a final
`
`deter mination. That was onl y at th e preli minar y sta ge. I just
`
`wanted to mak e t hat clarification f or the r ecord.
`
`MR. HANNAH: That's correct , Yo ur Honor. It
`
`was a preli minar y deter mination, for the record, and wh y we'r e
`
`standing here toda y. Thank you.
`
`As I was sa ying, t he evidence of the re cord
`
`supports the Board's decision. In t he Patent Owner's response
`
`there is a large a mount of attorne y argu ment but the re is not a
`
`large a mount of a ctual evidence in this case, and tha t is ke y
`
`because attorne y argu ment cannot substitute for evi dence.
`
`In contrast, Finja n sets forth citati ons, direct
`
`citations to the e vidence which a r e the r efer ences i n this case
`
`and specific r easons to co mbine those ref erences in s upport of
`
`its position.
`
`FireEye in its r esponse largel y ign ores the Boa rd's
`
`decision and the cited evidence . I n fact, for motiva tions to
`
`co mbine it will a ddress ma ybe one reason for r easons to
`
`co mbine, ignoring the other t wo f r o m the Petitioner and even
`
`the Board. This a lone is dispositive of the issue.
`
`
`
`10
`
`

`

`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`Finall y, Fire Eye's reasoning contra dicts the legal
`
`standard for clai m construction and the obviousness standards.
`
`FireEye is atte mp ting to i mport li mitations into the clai ms
`
`which ar e not the re and is using an i mp roper standar d for
`
`obviousness, not considering the full scope of KSR , which is
`
`required in orde r to make a deter mi nation of obviousness.
`
`So I would like t o start with the b ackground, a
`
`brief background of the r eferenc es before we dive into the
`
`individual clai ms . Kaeo is a 745 -p age book discussing various
`
`aspects of net wor k securit y.
`
`It is b y and la rge the foundation of the knowledge
`
`of one of skill in the art in this cas e. It is a Cisco g uide for
`
`designing and securing a network infrastructure, and it
`
`describes a va riety of securit y options, including intrusion
`
`detection s yste ms .
`
`Kaeo is large l y - - is co mpletel y, I should say,
`
`undisputed in terms of what it teac hes and the li mita tions that
`
`it teaches. Kaeo is not addressed by Fire Eye in this matte r for
`
`a nu mbe r of the li mitations.
`
`The next refe renc e that we will be discussing today
`
`is the Ve nezia ref erence. Venezia describes the Net Detector
`
`product. The Net Detector product is a robust s yste m which
`
`captures, records and repla ys intrusion packets that a re co ming
`
`into a network and repla ys those. It has the repla y capability
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`
`
`11
`
`

`

`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`and it is also ab le to look at exa ctly what an attacke r is tr ying
`
`to do in ter ms of intruding into a n etwork.
`
`Liljensta m is the next refer ence tha t we will be
`
`discussing. It is a rese arch pape r discussing the
`
`DIB:S/ TR AF EN i ntrusion detection s yste m. In this paper it
`
`talks about how I CMP packets are detected, stored into and
`
`converted into tcdu mp and then re pla yed, whe re algorith ms a re
`
`applied in order t o detect whether characteristics of a wor m
`
`are pr esent within the netwo rk.
`
`We also will be t alking about the Chen ref e rence .
`
`The Chen re feren ce is a r esearch paper describing a variet y of
`
`uses for virtual machines. Chen is ver y explicit in te r ms of its
`
`intrusion detection capabilities, in that it talks about a clone
`
`ma chine and how you can for ward s uspicious packets to that
`
`clone machine to observe the behavior of the clone i n order to
`
`make a securit y d ecision.
`
`Wh at is notable a bout the Chen ref erence is that it
`
`contains the exact sa me exa mples t hat are contained within the
`
`'499 specification and the '553 spec ification , which makes it a
`
`ver y explicit and on -point referenc e.
`
`Finall y is the Du nlap refer ence. The Dunlap
`
`referenc e has so me association wit h the Chen refe re nce in that
`
`it contains so me of the si milar authors and people that are
`
`working on the R eVirt s yste m.
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`
`
`12
`
`

`

`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`Dunlap is coverin g the Re Virt s yst e m, which is an
`
`intrusion detection s yste m that allows for the repla y of certain
`
`events that are oc curring, including the network pac kets that
`
`are co ming across into the virtual ma chine.
`
`There is a brief s u mma r y of the po sitions that are
`
`tr ying to f ra me the argu ments her e for discussion and for
`
`presentation. And the three main a rgu ments c an be boiled
`
`down to slide 14, which is being sh own on the sc reen , and
`
`that's "flagging f or repla y." That' s the first gene ral su mmar y
`
`of a position. "Id entif y unauthorized activit y." And the third
`
`is the "virtual ma chines" li mitations.
`
`And we will be ta king each of those in order unless
`
`there ar e questions fro m Your Hon ors and I would b e happ y to
`
`answer those out of order.
`
`Starting with the flagging for repla y li mitation,
`
`this is addressed in the briefing. This is the sole arg u ment for
`
`a nu mbe r of the c lai ms . Again , thi s is shown on slide 15.
`
`There is no additional challenge fo r ce rtain depende nt clai ms ,
`
`including 2 through 4 or 6 through 8 of the '499 pat ent or 3
`
`through 7 of the ' 553 patent.
`
`Looking at the cl ai ms , we see that Finjan has
`
`petitioned and the Board has ac cep ted preli mina ril y Kaeo and
`
`Venezia and Kaeo and Liljensta m f or all of the ele ments of
`
`this clai m.
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`
`
`13
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`The on l y one that is contested is th is flagging the
`
`at least a portion of the cop y of the network data for repla y in
`
`an anal ysis environ ment. And we will be addressing
`
`Kaeo/Venezia or Kaeo/Lil jensta m f or this ele ment.
`
`JUDGE M OORE: Oka y. M y under standing is
`
`Venezia teaches r econstruction and repla y.
`
`MR. HANNAH: Correct.
`
`JUDGE M OORE: So could you for the P anel tell
`
`us which ar e you rel ying on? Are you rel ying on th e repla y
`
`functionality or r econstruction?
`
`MR. HANNAH: So I think we are rel ying on both,
`
`Your Honor. I f we turn to this slide in particular . I ' m looking
`
`at slide 28. I skipped forwa rd a little bit. It has a screen shot
`
`of Vene zia and ta lks about the reco nstruction of the attack.
`
`And here , as you can see , the repla y of the attack
`
`is the r econstruct ion of the attack . And this specific all y tells
`
`you about the co mpr o mised se rver that is being anal yzed in
`
`this situation to see about these t wo files that a re be ing pulled,
`
`being pulled to it. So there is -- an d there is a re min der.
`
`There is n o dispute regarding the f act that Venezia t eaches
`
`repla y for a tr ansmission to a destination device.
`
`The onl y disputed, under dispute is whether it fl ags
`
`for repla y in an a nal ysis environ ment. And clearl y Venezia
`
`does this. The wa y that Venezia does th is is that it actuall y
`
`will look for an a ttack pattern using Snort.
`
`
`
`14
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`Snort will then be gin recording the event, du mping
`
`those packets into a database , and then that event ca n be
`
`repla yed so that you can either reco nstruct the attack or look
`
`to see what th e ef fect on the netwo rk is in order to d eter mine
`
`and look for char acteristics of a wor m or an infiltra tion in the
`
`network.
`
`JUDGE M OORE: All right. So I just want to
`
`make sure we 're c lear on the record . I think you said repla y
`
`and reconstruction are the sa me . The y are talked ab out
`
`separatel y.
`
`So ma ybe you co uld talk a little d eeper about the
`
`difference , if an y, bet ween those t wo as you se e tha t relating
`
`to your argu ments.
`
`MR. HANNAH: Sure. So I will back up and just
`
`go over how I bel ieve how Venezi a does work .
`
`So an atta ck co mes into Venezi a a nd Snort will
`
`look for it to see if it matches a signature, for instance, of an
`
`attack. That will trigger to restart recording the eve nt which
`
`is going to be involved in that atta ck.
`
`And this is all cle arl y set forth in Venezia . I can
`
`give you citations to it if that is hel pful.
`
`Once that is du mped into a databa se, for instance,
`
`it can be indexed and put into a dat abase, you c an r e pla y the
`
`intrusion, as it sa ys right her e on t he Vene zia refe re nce, in
`
`ord er to see what is happening. An d what it specific all y sa ys
`
`
`
`15
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`here, it is able to reconstruct the at tack,
`
`ke ystroke -b y-ke ystroke, packet -b y-packet, and deter mine the
`
`exact co mmands i ssued by the attac ker.
`
`So b y repla ying t hat attack you ar e able to se e
`
`exactl y what the attacker is t r ying to do in order to infiltrate
`
`the network.
`
`Does that answer your question, Your Honor?
`
`JUDGE I PP OLITO: I have a follow -up question to
`
`that.
`
`MR. HANNAH: Please.
`
`JUDGE I PP OLITO: I think the issue is tha t in
`
`Venezia there are two dif ferent des criptions of how stored or
`
`recorded packets of data c an be pre sented again.
`
`So one aspect , as you mentioned, is the
`
`reconstruction that is described in the first figure on that first
`
`page, but also the re is a r epla y feat ure, as it is descri bed, in
`
`connection with, I think it is the AIM session that's on the
`
`second page.
`
`And there , ther e i s actuall y, in the referenc e itself ,
`
`it refe rs to it as a repla y feature that can be used, as opposed
`
`to a re construction --
`
`MR. HANNAH: Correct.
`
`JUDGE I PP OLITO: -- fe ature.
`
`MR. HANNAH: Correct. So on th e second page,
`
`Your Honor, I bel ieve you are talking about the third colu mn
`
`
`
`16
`
`

`

`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`which sa ys that a nother option is to repla y the sessi on just as
`
`it is recorded . Is that wh at you a re refer ring to?
`
`JUDGE I PP OLITO: Yes. And so a follow -up
`
`question to that is, in the ref erenc e itself ther e see ms to be a
`
`distinction betwe en the two . And the question is how does
`
`that distinction between the repla y and the reconstruct ion in
`
`Venezia describe d relate to your a rgu ment or the clai m?
`
`MR. HANNAH: Sure. So let me t urn back to the
`
`clai ms itself. So as we know, the c lai ms require flag ging at
`
`least a portion of the network data for repla y in an a nal ysis
`
`environ ment. An d th en it also r equires repla y of the
`
`suspicious flagged network data co pied fro m the
`
`co mmunication n etwork to a destination device.
`
`So Venezia is quite robust in that, if you can set up
`
`a polic y to be able to detect an atta ck and start recor ding that
`
`attack , du mping i nto a database for later anal ysis of the attack
`
`or reconstruction of the attack . However , you c an al so use
`
`Venezia to repla y the session that happened at all. So these
`
`are just various o ptions of the Ven ezia r efer ence.
`
`And so with regar ds sp ecificall y to the clai ms, to
`
`answer your question, I believe the flagging of the s uspicious
`
`network data for l ater r econstruction is the identif yin g because
`
`flagging, as the B oard has construe d and the parties have
`
`agreed, flagging is identif y. So yo u are identif ying a portion
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`
`
`17
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`of that as suspici ous for later repl a y in so me t ype o f anal ysis
`
`environ ment.
`
`But then also it h as the capabilit y of repla ying the
`
`trans mission just as it was r ecorde d. So it has both of those
`
`capabilities.
`
`JUDGE I PP OLITO: I guess the fo llow -on question
`
`to that is, what is the distinction between the re construction
`
`and the repla y in Venezia and how does that relate to the
`
`repla y that's in th e li mitation?
`
`MR. HANNAH: Let me just mak e sure that I ' m
`
`clear. So the repl a y i n the tr ans mis sion in the suspicious
`
`flagged data is no t at issue in te r ms of both parties h ave
`
`conceded that tha t is taught b y Ven ezia. So I believe you are
`
`talking about the flagging of the portion for repla y i n an
`
`anal ysis environment . Is that a fa ir chara cterizatio n, Your
`
`Honor?
`
`JUDGE I PP OLITO: Well , what I' m tr ying to
`
`understand is, is t here a construction of repla y that you are
`
`proposing or have taken that allo ws repla y recited in the
`
`clai ms to cover both reconstruction and repla y in Vene zia,
`
`because there appears to be a differ ence in the ref ere nce itself
`
`between the two ter ms and ho w tha t feature is prese nted in the
`
`referenc e?
`
`MR. HANNAH: I agree , and I believe that the
`
`referenc e is t each ing both, essentially. I f we look at slide 27,
`
`
`
`18
`
`

`

`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`for instance, if yo u look at the left - hand side it talks about
`
`how you can reco nstruct the attack ke ystroke -b y-ke ystroke,
`
`packet -b y-packet , to deter mine the exact co mmand issued b y
`
`the attacker . So I think that is part of the flagging f or repla y
`
`in an an al ysis environ ment li mitati on specificall y.
`
`Now, it also has t he capabilit y o f r epla ying the
`
`session just as it was recorded, as it sa ys on the righ t -hand
`
`side. It talks abo ut how it not onl y detects but also r ecords
`
`and repla ys those intrusions. So th e detection occur s and then
`
`you have the re cording, which can be flagging or ide ntifying
`
`so me suspicious traffic , and then you can repla y tho se
`
`intrusions.
`
`And I believe you can, well, I know you can r epla y
`
`those intrusions in a nu mber of dif ferent wa ys, depe nding on
`
`how you want to use the tool. But specificall y for th e clai ms ,
`
`being able to set t he polic y and deter mine an attack and the
`
`event that is occu rring and then storing those packets for
`
`repla y in an anal ysis environ ment i n order to reconstruct the
`
`attack, that's mee ting the flagging li mitation, fl agging for
`
`repla y li mitation.
`
`And then repla yin g the trans mission to a
`
`destination device could be repla yi ng the session as it occurs
`
`or it could be the other repla y funct ionality that Venezia
`
`discuss es.
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`
`
`19
`
`

`

`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`JUDGE P ETTIGR EW: I have another follow -up
`
`question and it might be the sa me question, so bear with us.
`
`Are you sa ying th at the r econstruction in Venezia
`
`is what corresponds to the flagging in the clai m or is that too
`
`si mplistic?
`
`MR. HANNAH: I w ouldn't sa y it is too si mplistic,
`
`but essentially ye s. The flagging is construed as ide ntifying.
`
`So as long as you , the ref erence te aches to identif y suspicious
`
`packets for repla y, that is going to be part of the
`
`reconstruction of the attack. So yo u hav e to identif y the
`
`packets.
`
`And specificall y on Venezia , i f yo u look at page 1 ,
`
`it sa ys Net Detect or stores ever y p a cket fro m h eader to pa yload
`
`in an indexed database. This not only per mits an ad ministrator
`
`to be notified wh en an attack has o ccurred but a lso t o
`
`reconstruct the at tack.
`
`So the wa y that Venezia works is t hat you c an set
`
`policy b y looking, for instance, Sn ort looking at various attack
`
`signatures, and that will begin the r ecording of an event. And
`
`that's when the fl agging occurs.
`
`And then once yo u record all of those packets in
`
`that event and put those in a databa se, you can do a nu mber of
`
`things with those packets, including reconstructing the attack.
`
`Does that answer your question?
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`
`
`20
`
`

`

`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`JUDGE P ETTIGR EW: I think that helps, yes. Let
`
`me see if I can us e your language a gain.
`
`MR. HANNAH: Sure.
`
`JUDGE P ETTIGR EW: You said --
`
`MR. HANNAH: Would it help if I put the clai ms
`
`up?
`
`JUDGE P ETTIGR EW: I have the c lai ms in front of
`
`me . Actuall y, we ll, I think it is mo re helpful to have the
`
`referen c e up ther e.
`
`MR. HANNAH: Oka y. Gre at.
`
`JUDGE P ETTIGR EW: The clai m s a ys flagging for
`
`repla y in an anal ysis environ ment. So you are sa ying
`
`identifying the intrusion in the ref erence for reconstruction is
`
`the flagging?
`
`MR. HANNAH: So specificall y th e flagging is
`
`done, in one exa mple , Snort will l ook at a stre a m of packets
`
`and will identif y whether an attack has occurr ed. And this is
`
`on the second page when it talks ab out Snort identif ying an
`
`attack.
`
`Once it is deter mi ned that a signature mat ches, fo r
`
`instance, in one e xa mple , Venezia , the Net Detector , will start
`
`recording that ev ent, re cording that suspicious -- those
`
`suspicious packets as an event and storing those in a database.
`
`That's the flagging. That's the ide ntifying for repla y.
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`
`
`21
`
`

`

`Cases IPR2014-00344 and IPR2014-00492
`U.S. Patents 8,291,499 and 8,171,553
`
`
`And then o nce yo u have those stor ed in a database
`
`you can do a vari et y of things with those packets, including
`
`reconstructing the m. So that is th e flagging for rep la y in the
`
`anal ysis environment .
`
`JUDGE P ETTIGR EW: All right. Thank you.
`
`JUDGE I PP OLITO: I have a separ ate question, the
`
`sa me li mitation.
`
`MR. HANNAH: Oka y.
`
`JUDGE I PP OLITO: What is the a nal ysis
`
`environ ment?

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket