Trials@uspto.gov
`571-272-7822
`
`
`
`
`Paper 29
`Entered: July 10, 2015
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`FINJAN, INC.,
`Petitioner,
`
`v.
`
`FIREEYE, INC.,
`Patent Owner.
`____________
`
`Case IPR2014-00492
`Patent 8,171,553 B2
`
`
`
`Before BRYAN F. MOORE, LYNNE E. PETTIGREW, and
`FRANCES L. IPPOLITO, Administrative Patent Judges.
`
`IPPOLITO, Administrative Patent Judge.
`
`FINAL WRITTEN DECISION
`Inter Partes Review
`35 U.S.C. § 318(a) and 37 C.F.R. § 42.73
`
`

`I. INTRODUCTION
`Finjan, Inc. filed a Corrected Petition (“Pet.”) on March 21, 2014,
`requesting an inter partes review of claims 1–30 of U.S. Patent No.
`8,171,553 B2 (“the ’553 patent”). Paper 4. Patent Owner FireEye, Inc. filed
`a Preliminary Response (“Prelim. Resp.”) to the Petition. Paper 7. On
`July 25, 2014, we instituted an inter partes review of claims 1, 3–8, 12–14,
`16–20, and 22–30 on the following grounds of unpatentability alleged in the
`Petition (Paper 8, “Dec.”):
`A. Claims 1, 5, 7, 17, 22, and 25–27 are unpatentable under 35 U.S.C.
`§ 103 over Kaeo¹ and Venezia²;
`B. Claims 6, 8, 12–14, 16, 18, and 19 are unpatentable under
`35 U.S.C. § 103 over Kaeo, Venezia, and Chen³;
`C. Claims 1, 3–5, 7, 17, and 22–28 are unpatentable under 35 U.S.C.
`§ 103 over Kaeo and Liljenstam⁴; and
`D. Claims 18, 20, 29, and 30 are unpatentable under 35 U.S.C. § 103
`over Kaeo, Liljenstam, and Dunlap⁵.
`
`
`1 Merike Kaeo, Designing Network Security, Cisco Press (2nd ed. Nov.
`2003) (Ex. 1006, “Kaeo”).
`2 Paul Venezia, NetDetector Captures Intrusions, InfoWorld Issue 27 (July
`14, 2003) (Ex.1005, “Venezia”).
`3 Peter M. Chen and Brian D. Noble, When Virtual Is Better Than Real,
`Department of Electrical Engineering and Computer Science, University of
`Michigan (May 21, 2001) (Ex. 1009, “Chen”).
`4 Michael Liljenstam et al., Simulating Realistic Network Worm Traffic for
`Worm Warning System Design and Testing, Institute for Security
`Technology studies, Dartmouth College (Oct. 27, 2003) (Ex. 1007,
`“Liljenstam”).
`5 George W. Dunlap et al., ReVirt: Enabling Intrusion Analysis through
`Virtual-Machine Logging and Replay, Proceeding of the 5th Symposium on
`Operating Systems Design and Implementation, USENIX Association (Dec.
`9–11, 2002) (Ex. 1008, “Dunlap”).
`
`After institution of trial, Patent Owner filed a Patent Owner Response
`(“PO Resp.,” Paper 20) and Petitioner filed a Reply thereto (“Reply,” Paper
`23). An oral argument was held on March 31, 2015. The transcript of the
`oral hearing has been entered into the record. Paper 28, “Tr.”
`We have jurisdiction under 35 U.S.C. § 6(c). This Final Written
`Decision is issued pursuant to 35 U.S.C. § 318(a) and 37 C.F.R. § 42.73.
`Petitioner has shown, by a preponderance of the evidence, that claims
`1, 3–7, 17, 18, 20, and 22–30 of the ’553 patent are unpatentable. Petitioner
`has not shown, by a preponderance of the evidence, that claims 8, 12–14, 16,
`and 19 are unpatentable.
`
`A. Related Proceedings
`Petitioner indicates that the parties are involved in a related
`proceeding, Finjan, Inc. v. FireEye, Inc., No. 4:13-cv-03133-SBA, filed in
`the United States District Court for the Northern District of California.
`Paper 6, 1.
`The parties also are involved in Case IPR2014-00344, directed to U.S.
`Patent No. 8,291,499 B2 (“the ’499 patent”), which shares a common
`disclosure with the ’553 patent.
`B. The ’553 Patent
`The ’553 patent describes an authorized activity capture or detection
`system that analyzes copied network data with a heuristic to determine if the
`copied network data has the characteristics of a computer worm. See
`Ex. 1001, Claim 1. If the compared network data has a characteristic of a
`computer worm, the system flags the compared network data for replay in an
`analysis environment. Id.
`
`Figure 7 of the ’553 patent is reproduced below.
`
`
`Figure 7 depicts an embodiment of an unauthorized activity detection system
`described in the ’553 patent. Unauthorized activity detection system 700
`includes source device 705, destination device 710, and tap 715, each of
`which is coupled to communication network 720. Id. at 26:21–26. Tap 715
`is further coupled to controller 725. Id. at 26:25–26. In operation, tap 715
`monitors network data and provides a copy of the network data to controller
`725. Id. at 26:35–37.
`Figure 7 also shows controller 725, which “can be any digital device
`or software that receives network data from the tap 715.” Ex. 1001, 27:1–2.
`“In some embodiments, controller 725 is contained within computer worm
`sensor 105.” Id. at 27:2–4. Controller 725 also may be contained within
`separate traffic analysis device 135 or may be a stand-alone digital device.
`Id. at 27:4–6. Controller 725 can comprise virtual machine pool 745,
`analysis environment 750, heuristic module 730, and policy engine 755. Id.
`at 27:6–9. “[V]irtual machine pool 745 is configured to store virtual
`machines [and] . . . can be any storage capable of storing software.” Id. at
`28:51–52. Additionally, “analysis environment 750 simulates transmission
`of the network data between the source device 705 and the destination
`device 710 to analyze the effects of the network data upon the destination
`device 710.” Id. at 28:59–62. Heuristic module 730 can receive copied
`network data from tap 715 and apply heuristic and/or probability analysis to
`determine if the network data contains suspicious activity. Id. at 27:12–15.
`C. Illustrative Claim
`Of the challenged claims, claims 1, 8, 17, and 28 are independent.
`Claim 1, reproduced below, is illustrative of the subject matter of the ’553
`patent:
`1. An unauthorized activity capture system comprising:
`a tap configured to copy network data from a communication
`network; and
`a controller coupled to the tap and configured to receive
`the copy of the network data from the tap, analyze the copy of
`the network data with a heuristic to determine if the copy of the
`network data has one or more characteristics of a computer
`worm, flag at least a portion of the copy of the network data as
`suspicious by flagging the at least a portion of the copy of the
`network data for replay in an analysis environment based upon
`the heuristic determination that the at least a portion of the
`analyzed copy of the network data has one or more
`characteristics of a computer worm, and replay transmission of
`the suspicious, flagged network data copied from the
`communication network to a destination device.
`Ex. 1001, 31:60–32:8.
`
`II. ANALYSIS
`A. Claim Construction
`During a review before the Patent Trial and Appeal Board (“Board”),
`we construe claims in an unexpired patent in accordance with the broadest
`reasonable interpretation in light of the specification of the patent in which
`they appear. 37 C.F.R. § 42.100(b); see In re Cuozzo Speed Techs., LLC,
`778 F.3d 1271, 1278–82 (Fed. Cir. 2015) (“Congress implicitly adopted the
`broadest reasonable interpretation standard in enacting the AIA,” and “the
`standard was properly adopted by PTO regulation.”); see Office Patent Trial
`Practice Guide, 77 Fed. Reg. 48,756, 48,766 (Aug. 14, 2012). Under the
`broadest reasonable interpretation standard, claim terms are given their
`“ordinary and customary meaning” as would be understood by one of
`ordinary skill in the art in the context of the entire disclosure. In re
`Translogic Tech., Inc., 504 F.3d 1249, 1257 (Fed. Cir. 2007). An inventor
`may rebut that presumption by providing a definition of the term in the
`Specification with “reasonable clarity, deliberateness, and precision.” In re
`Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994). In the absence of such a
`definition, limitations are not to be read from the Specification into the
`claims. In re Van Geuns, 988 F.2d 1181, 1184 (Fed. Cir. 1993).
`1. flag or flagging (Claims 1, 8, 17, and 28)
`For the purposes of our Decision to Institute, we determined that the
`broadest reasonable interpretation of the terms “flag” and “flagging” is
`“identify” and “identifying.” Dec. 6–7 (adopting our analysis in the
`Decision to Institute (Paper 17) for the same term at issue in IPR2014-
`00344, in which the ’499 patent shares the same disclosure as the ’553
`patent). Neither party disputes this interpretation. Pet. 5; PO Resp. 12.
`Based on the complete record now before us, we discern no reason to change
`this interpretation; thus, we adopt our previous analysis and interpret “flag”
`and “flagging” to mean “identify” and “identifying,” respectively.
`2. virtual machine pool (claims 6, 14, and 19)
`In the Decision instituting trial, we construed “virtual machine pool”
`to include “any storage capable of storing one or more virtual machines.”
`Dec. 6–7. Patent Owner contests this construction and argues that the
`“notion that ‘any storage’ is a virtual machine pool would mean that any
`hard drive is a virtual machine pool regardless of whether it stores potential
`virtual machines.” PO Resp. 12 n.1.
`We do not agree with Patent Owner’s arguments. Our construction in
`the Decision to Institute does not include “any storage,” as Patent Owner
`suggests, but “storage capable of storing one or more virtual machines.”
`Dec. 6–7 (referring to our discussion of “virtual machine pool” in the
`Decision to Institute (Paper 17) for IPR2014-00344). This construction is
`consistent with the Specification, which states that “virtual machine pool
`745 can be any storage capable of storing software” and “virtual machine
`pool 745 is configured to store virtual machines.” Ex. 1001, 28:50–52.
`Thus, under the broadest reasonable interpretation, we construe
`“virtual machine pool” to mean “any storage capable of storing one or more
`virtual machines.”
`3. analysis environment (claims 1, 8, 17, and 28)
`In the Decision to Institute, we determined, based on the preliminary
`record, that the term “analysis environment” means “an environment in
`which analysis of the effect of the network data upon a destination device is
`performed.” Dec. 6–7.
`In Patent Owner’s Response, Patent Owner disagrees with our
`construction because it “permits an analysis environment to be a passive
`location or one in which a human being performs analysis.” PO Resp. 13.
`Patent Owner asserts that a person of ordinary skill in the art would not
`consider an “analysis environment” to be an environment where analysis is
`performed by either the analysis environment or some other actor. Id. at 14.
`Patent Owner adds that the “analysis environment” is described throughout
`the ’553 patent as an actor rather than merely a passive component enabling
`actions by others. Id. at 14–15 (citing Ex. 1001, 29:24–25, 30:3, 30:8,
`31:17–19).
`Although the ’553 patent provides examples where analysis
`environment 750 “determines,” “simulates,” “can react,” or “replays,” as
`noted by Patent Owner in the cited sections above (Ex. 1001, 29:24–25,
`30:3–4, 30:8, 31:17–19), the Specification also indicates these descriptions
`of analysis environment 750 are non-limiting examples that disclose “some
`embodiments” or “one embodiment.” Ex. 1001, 29:22–23, 29:36–37,
`30:65–67. This disclosure in the Specification is consistent with the
`language of the challenged claims, which do not require explicitly that the
`analysis environment actively perform any action. For example, claim 1
`requires that the recited controller “flag at least a portion of the copy of the
`network data as suspicious by flagging the at least a portion of the copy of
`the network data for replay in an analysis environment.” (Emphasis added).
`In claim 1, the analysis environment provides a location for replay, which
`does not require that the network data is replayed by the analysis
`environment. Further, looking back to the Specification, the ’553 patent
`provides that “in accordance with one embodiment of the present
`invention . . . the analysis environment 750 replays transmission of the
`network data.” Ex. 1001, 30:65–66, 31:17–18 (emphasis added). This
`disclosure along with the express language of claim 1 indicates that, in the
`context of the ’553 patent, a distinction exists between an analysis
`environment that provides a location for replaying data versus an analysis
`environment that itself performs replay.
`Thus, we do not find that the recited “analysis environment” requires
`that the environment perform the analysis. Although claims are interpreted
`in light of the specification, limitations from the specification are not read
`into the claims. In re Van Geuns, 988 F.2d 1181, 1184 (Fed. Cir. 1993).
`The claim language does not require or mention the analysis environment
`performing an analysis. Moreover, even assuming Patent Owner is correct
`that the ’553 patent only describes the analysis environment as actively
`performing analysis, claims generally are not limited to any particular
`embodiment disclosed in the specification, even where only a single
`embodiment is disclosed. Innova/Pure Water, Inc. v. Safari Water Filtration
`Sys., Inc., 381 F.3d 1111, 1117 (Fed. Cir. 2004); see, e.g., Silicon Graphics,
`Inc. v. ATI Techs., Inc., 607 F.3d 784, 792 (Fed. Cir. 2010) (“A construing
`court’s reliance on the specification must not go so far as to import
`limitations into claims from examples or embodiments appearing only in a
`patent’s written description . . . unless the specification makes clear that the
`patentee . . . intends for the claims and the embodiments in the specification
`to be strictly coextensive.” (internal quotation marks omitted)).
`Accordingly, we construe “analysis environment” to mean “an
`environment in which analysis of the effect of the network data upon a
`destination device is performed.” See Dec. 6.
`4. virtual switch (claim 20)
`In the Decision to Institute, we determined that under the broadest
`reasonable interpretation, the term “virtual switch” means “software that is
`configured to mimic the performance of a switch.” Dec. 6. The parties do
`not dispute this construction. PO Resp. 12; Reply 2–5. Based on the
`complete record now before us, we discern no reason to change this
`construction; we adopt our previous analysis for this non-disputed claim
`term.
`
`5. replay transmission of the suspicious, flagged network data copied
`from the communication network to a destination device (claim 1);
`
`replaying transmission of the flagged at least a portion of the
`analyzed copied network data which was copied from the
`communication network to a destination device to identify
`unauthorized activity based on playback of the flagged suspicious
`at least a portion of the analyzed copy of the network data (claim
`17);
`
`replay transmission of the flagged suspicious at least a portion of
`the analyzed copied network data copied from the network to a
`destination device (claim 28)
`
`In distinguishing the challenged claims over the asserted prior art,
`Patent Owner argued at the oral hearing that the replay/replaying phrases
`(shown above) recited in independent claims 1, 17, and 28 require replay of
`data to a destination device.
`JUDGE IPPOLITO: Before you do, I would just like to
`go back to my original question about the claim construction
`that you are proposing for the replaying step. I just want to get
`on the record what exactly are you using for support for that
`claim construction that the replaying is done to a destination
`device as opposed to replaying transmission that originally was
`to a destination device.
`
`MR. McCOMBS: Your Honors, the only discussion in
`the entire specification of the patent is, when there is a
`replaying transmission, that it is done to a virtual machine. And
`that’s described in the specification at column 29, line 36
`through 42, and then at column 29, line 56 through 60.
`
`What is happening is the replaying, it is a simulation of a
`transmission where it is a virtual machine that is simulating the
`destination device. That’s the only time that there is any
`replaying done in the patent in an analysis environment to a
`destination device, which is a virtual machine that is simulating
`the original destination device.
`
`There is not a discussion of actually replaying
`transmission back out onto the communications network to
`some original destination. That is never described in the patent.
`
`Tr. 48:3–24.
`
`We understand Patent Owner’s reading of these claim phrases to be
`that replaying the transmission of data requires replaying the transmission to
`a destination device such as a virtual machine. However, we do not agree
`that this is the broadest reasonable interpretation of these phrases. For
`example, claim 1 recites “replay transmission of . . . data copied from the
`communication network to a destination device.” The term “replay” appears
`logically and grammatically to apply to the term “transmission,” which
`immediately follows “replay.” Further, the term “transmission” is modified
`by the following phrase “of the suspicious, flagged network data,” which
`describes the “transmission” as a transmission of suspicious, flagged
`network data. Claim 1 further describes the “data” as “copied from the
`communication network to a destination device.” Thus, we read the phrase
`“copied from the communication network to a destination device” as
`applying to “data,” and not requiring that “replay” occurs to a destination
`device. Similarly, we read the corresponding language in claim 28 as
`applying the phrase “copied from the network to a destination device” to the
`“copied network data” and not to “replay transmission.” Additionally, for
`claim 17, we read the claim language “which was copied from the
`communication network to a destination device” to apply to “copied network
`data” and not to “replaying transmission.”
`
`Our reading of the claim language is consistent with the disclosure of
`the ’553 patent. The ’553 patent uses the term “destination device” to
`describe original destination device 710 that receives the transmission of
`data from Source Device 705 via Communication Network 720. Ex. 1001,
`26:18–43, 29:56–60, Figs. 7, 10. Further, the sections of the ’553 patent
`cited by the Patent Owner do not support Patent Owner’s proposed
`interpretation of these phrases. Column 29, lines 36 through 42 do not refer
`to a destination device. Column 29, lines 56 through 60 disclose that virtual
`machine 815 simulates destination device 710. In other words, the ’553
`patent does not teach that virtual machine 815 is “a destination device”;
`instead, it teaches that a virtual machine may simulate or mimic the original
`destination device. Id. at 29:56–60, Fig. 10. Additionally, we note that to
`the extent Patent Owner contends the recited replay phrases require replay to
`a virtual machine, the claim language does not recite a virtual machine.
`6. Other Claim Terms
`
`Patent Owner further proposes constructions for claim terms
`“determine” and “determination.” PO Resp. 15–16. Nonetheless, based on
`the evidence of record, these terms do not require express construction for
`the purposes of this Decision.
`B. Claims 1, 5, 7, 17, 22, and 25–27 – Obviousness over Kaeo (Ex. 1006)
`and Venezia (Ex. 1005)
`Petitioner argues that claims 1, 5, 7, 17, 22, and 25–27 are
`unpatentable under 35 U.S.C. § 103(a) over Kaeo and Venezia. Pet. 20–60.
`As explained in further detail below, having considered the arguments and
`evidence presented, we are persuaded that Petitioner has shown, by a
`preponderance of the evidence, that claims 1, 5, 7, 17, and 25–27 are
`unpatentable over Kaeo and Venezia. We are not persuaded of the same for
`claim 22.
`1. Relevant Legal Principles
`A claim is unpatentable under 35 U.S.C. § 103(a) if the differences
`between the claimed subject matter and the prior art are such that the subject
`matter, as a whole, would have been obvious at the time the invention was
`made to a person having ordinary skill in the art to which said subject matter
`pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The
`question of obviousness is resolved on the basis of underlying factual
`determinations including (1) the scope and content of the prior art; (2) any
`differences between the claimed subject matter and the prior art; (3) the level
`of skill in the art; and, (4) where in evidence, so-called secondary
`considerations, including commercial success, long-felt but unsolved needs,
`failure of others, and unexpected results. Graham v. John Deere,
`383 U.S. 1, 1718 (1966) (“the Graham factors”). The level of ordinary
`skill in the art usually is evidenced by the references themselves.
`See Okajima v. Bourdeau, 261 F.3d 1350, 1355 (Fed. Cir. 2001);
`In re GPAC Inc., 57 F.3d 1573, 1579 (Fed. Cir. 1995); In re Oelrich,
`579 F.2d 86, 91 (CCPA 1978).
`For an obviousness analysis, prior art references “must be ‘considered
`together with the knowledge of one of ordinary skill in the pertinent art.’”
`In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994) (quoting In re Samour,
`571 F.2d 559, 562 (CCPA 1978)). Moreover, “it is proper to take into
`account not only specific teachings of the reference but also the inferences
`which one skilled in the art would reasonably be expected to draw
`therefrom.” In re Preda, 401 F.2d 825, 826 (CCPA 1968). That is because
`an obviousness analysis “need not seek out precise teachings directed to the
`specific subject matter of the challenged claim, for a court can take account
`of the inferences and creative steps that a person of ordinary skill in the art
`would employ.” KSR, 550 U.S. at 418; see In re Translogic Tech., Inc.,
`504 F.3d at 1259.
`2. Level of Ordinary Skill in the Art
`The parties agree that a person of ordinary skill in the art would have
`the following education and/or experience: a recent degree in a field such as
`computer science or computer networking and two or more years of
`experience in the computer networking or computer security industry. PO
`Resp. 16–17; Ex. 1003 ¶ 33. “Alternatively, in lieu of recent formal
`education, a person of ordinary skill in the art would have had six or more
`years of relevant experience in the computer networking or computer
`security industry.” PO Resp. 16–17. This level of ordinary skill in the art is
`consistent with the ordinary skill reflected in the prior art of record, which is
`directed to computer networking and computer security systems. For
`example, Venezia and Kaeo both disclose intrusion-detection-systems. Ex.
`1005; Ex. 1006.
`With this level of ordinary skill in mind, we now turn to the analysis
`of the differences between the asserted prior art references and the subject
`matter recited in the claims-at-issue.
`3. Summary of Venezia (Ex. 1005)
`Venezia discloses the performance of NetDetector, an intrusion-
`detection-system (“IDS”). Ex. 1005, 1. Venezia states that “[r]ather than
`simply capturing the packet headers of monitored data streams, and
`examining them for possible attacks, the NetDetector stores every packet,
`from header to payload, in an indexed database.” Id. Venezia adds that
`NetDetector notifies an administrator of an attack and allows the
`administrator to playback or “reconstruct the attack, keystroke by keystroke,
`packet by packet.” Id. Venezia further indicates that NetDetector relies on
`Snort, an open source IDS, for intrusion detection. Id. at 2. Snort is
`described as being able to “monitor all traffic or a selected segment (based
`on filtering rules) on any given interface.” Id. Venezia also states that “it’s
`possible to select a specific time frame or capture and reprocess that traffic
`stream through the IDS engine.” Id. Venezia explains that once an attack or
`signature has been identified, every packet comprising that event is
`available. Id.
`4. Summary of Kaeo (Ex. 1006)
`Kaeo describes various design options for network security, including
`intrusion detection systems based on statistical analysis and rule-based
`methods. Ex. 1006, 361. Kaeo indicates that the rule-based analysis method
`“uses rules that characterize known security attack scenarios and raise an
`alarm if observed activity matches any of its encoded rules.” Id. “This
`analysis can also detect intruders who exhibit specific patterns of behavior
`known to be suspicious or in violation of site security policy.” Id. Kaeo
`adds that most rule-based systems are user configurable so that the user can
`define her own rules based on her own corporate environment. Id. Kaeo
`also describes network intrusion detection systems with cable taps that serve
`as “[p]assive Ethernet taps . . . where ‘copies’ of the frames are sent to a
`second switch dedicated to IDS sensors.” Id. at 362, Fig. 8-2. Additionally,
`Kaeo teaches that “honey pots” are locations to send suspected traffic
`to/from an attack. Id. at 363. The data then can be collectively analyzed to
`mitigate some possible attacks. Id.
`
`5. Analysis
`a. Claims 1 and 17
`Petitioner contends that Kaeo and Venezia teach or suggest all the
`limitations of claims 1, 5, 7, 17, 22, and 25–27. Pet. 20–59. We have
`reviewed the Petition, the Patent Owner’s Response, and Petitioner’s Reply,
`as well as the evidence discussed in each of those papers, and are persuaded
`that Petitioner has shown, by a preponderance of the evidence, that claims 1
`and 17 would have been obvious based on Kaeo and Venezia. Our
`discussion below focuses on the limitations of independent claim 1, which
`are illustrative and largely overlap with limitations recited in independent
`claim 17. However, to the extent the limitations of independent claim 17
`require separate treatment, those limitations are discussed separately below.
`Additionally, dependent claims 5, 7, 22, and 25–27 are discussed in a
`following section.
`Claim 1 recites “a tap configured to copy network data from a
`communication network” and “a controller coupled to the tap and configured
`to receive the copy of the network data from the tap.” Petitioner asserts that
`Kaeo’s disclosure of cable taps or a SPAN/mirror port coupled to a network
`intrusion detection system meets these limitations. Pet. 30–32. We find
`Petitioner has shown sufficiently that Kaeo teaches these limitations.
`Claim 1 further recites a controller that is configured to “analyze the
`copy of the network data with a heuristic to determine if the copy of the
`network data has one or more characteristics of a computer worm.” We are
`persuaded by Petitioner’s assertion that Kaeo’s disclosure of a network
`intrusion detection system that performs IDS rule-based analysis and
`statistical analysis satisfies this limitation. Pet. 33–35.
`Additionally, claim 1 requires that the controller is configured to
`flag at least a portion of the copy of the network data as
`suspicious by flagging the at least a portion of the copy of the
`network data for replay in an analysis environment based upon
`the heuristic determination that the at least a portion of the
`analyzed copy of the network data has one or more
`characteristics of a computer worm, and replay transmission of
`the suspicious, flagged network data copied from the
`communication network to a destination device.
`
`For these limitations, Petitioner asserts that Venezia’s NetDetector “stores
`every packet, from header to payload, in an indexed database,” which “not
`only permits an administrator to be notified when an attack has occurred but
`also to reconstruct the attack, keystroke by keystroke, packet by packet, and
`determine the exact commands issued by the attacker, in addition to any files
`or other data that was transmitted to or from the compromised system.”
`Pet. 14 (citing Ex. 1005, 1). Petitioner adds that Venezia further teaches that
`once NetDetector has identified a particular attack or signature, every packet
`comprising that event is available in raw packet form with the option to
`replay the session just as it was recorded. Id.
`Patent Owner argues that Venezia does not disclose “flagging . . . for
`replay” required in claim 1, because NetDetector’s replay occurs at the
`option of an administrator and does not occur automatically after
`NetDetector identifies network data matching an attack signature. PO Resp.
`19 (citing Ex. 2009 ¶¶ 69–71). Patent Owner adds that the replay decision is
`made by a human administrator and NetDetector does not have the ability to
`decide whether or not to replay data. Id. Patent Owner further argues that
`Venezia’s examples of replay involve data that was not identified as
`suspicious. Id. at 19–20. Specifically, there is no indication of an attack for
`the replay of an AOL Instant Messenger (“AIM”) session (Ex. 1005) or the
`replay discussed in the Niksun white paper (Ex. 1012)⁶. Id.
`We do not agree with Patent Owner’s arguments. First, as written,
`claim 1 requires “flagging . . . for replay,” but does not indicate expressly
`that the replay occurs automatically after flagging. Further, Patent Owner
`has not explained sufficiently how the claim language requires automatic
`replay otherwise.
`Second, we also do not agree that the “flagging” limitation excludes a
`replay decision made by a human administrator. Claim 1 requires that the
`recited controller is configured to “flag . . . data as suspicious by flagging
` . . . the network data for replay.” However, claim 1 does not recite that the
`controller (or any other component) must decide whether or when the replay
`occurs.
`Third, we are not persuaded that Venezia does not teach or suggest the
`replay of data that has been identified as suspicious. Specifically, as
`Petitioner argues, Venezia describes the replay of the AIM session as an
`example of how data is replayed once it has been recorded. This example of
`replay is given in the context of having first identified an attack prior to
`replay. Ex. 1005, 2 (“once a particular attack or signature has been
`identified, every packet comprising that event is available both in raw packet
`form.”). Moreover, Petitioner points to Venezia’s teaching that an
`administrator can reconstruct an attack, keystroke by keystroke, packet by
`packet, after being notified of an attack. Pet. 15 (citing Ex. 1005, 1). Thus,
`we find that Venezia teaches that once an attack event has been identified,
`the data for that event is recorded such that it can be replayed as described in
`the example of the recorded AIM session. Id.
`
`6 The Petition refers to Ex. 1012 (“Niksun”), titled “Network Security –
`NetDetector Intrusion Forensic System,” as further describing the operation
`of the NetDetector system disclosed in Venezia. See Pet. 35.
`
`Next, Patent Owner argues that Venezia does not teach an “analysis
`environment” because (1) an administrator, rather than the environment,
`performs the analysis; and (2) Venezia’s
`NetDetector does not provide any ability to replay the packets to a
`destination device and then reconstruct or otherwise display the effect of
`those packets on the destination device. PO Resp. 20–24 (citing Ex. 2009
`¶¶ 76–79).
`As discussed, we find that the language of claim 1 does not exclude
`manual analysis and, further, does not require the analysis environment to
`perform the analysis under the broadest reasonable construction of “analysis
`environment.” See supra Claim Construction. Further, we do not agree that
`the claim term “analysis environment” requires replay to a destination
`device. As discussed above, we construe “an
