`571-272-7822
`
`
`
`
`Paper 29
`Entered: July 10, 2015
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`FINJAN, INC.,
`Petitioner,
`
`v.
`
`FIREEYE, INC.,
`Patent Owner.
`____________
`
`Case IPR2014-00492
`Patent 8,171,553 B2
`
`
`
`Before BRYAN F. MOORE, LYNNE E. PETTIGREW, and
`FRANCES L. IPPOLITO, Administrative Patent Judges.
`
`IPPOLITO, Administrative Patent Judge.
`
`FINAL WRITTEN DECISION
`Inter Partes Review
`35 U.S.C. § 318(a) and 37 C.F.R. § 42.73
`
`
`
`IPR2014-00492
`Patent 8,171,553 B2
`
`
`I. INTRODUCTION
`Finjan, Inc. filed a Corrected Petition (“Pet.”) on March 21, 2014,
`requesting an inter partes review of claims 1–30 of U.S. Patent No.
`8,171,553 B2 (“the ’553 patent”). Paper 4. Patent Owner FireEye, Inc. filed
`a Preliminary Response (“Prelim. Resp.”) to the Petition. Paper 7. On
`July 25, 2014, we instituted an inter partes review of claims 1, 3–8, 12–14,
`16–20, and 22–30 on the following grounds of unpatentability alleged in the
`Petition (Paper 8, “Dec.”):
`A. Claims 1, 5, 7, 17, 22, and 25–27 are unpatentable under 35 U.S.C.
`§ 103 over Kaeo1 and Venezia2;
`B. Claims 6, 8, 12–14, 16, 18, and 19 are unpatentable under
`35 U.S.C. § 103 over Kaeo, Venezia, and Chen3;
`C. Claims 1, 3–5, 7, 17, and 22–28 are unpatentable under 35 U.S.C.
`§ 103 over Kaeo and Liljenstam4; and
`D. Claims 18, 20, 29, and 30 are unpatentable under 35 U.S.C. § 103
`over Kaeo, Liljenstam, and Dunlap5.
`
`
1 Merike Kaeo, Designing Network Security, Cisco Press (2nd ed. Nov.
2003) (Ex. 1006, “Kaeo”).
2 Paul Venezia, NetDetector Captures Intrusions, InfoWorld Issue 27 (July
14, 2003) (Ex. 1005, “Venezia”).
3 Peter M. Chen and Brian D. Noble, When Virtual Is Better Than Real,
Department of Electrical Engineering and Computer Science, University of
Michigan (May 21, 2001) (Ex. 1009, “Chen”).
4 Michael Liljenstam et al., Simulating Realistic Network Worm Traffic for
Worm Warning System Design and Testing, Institute for Security
Technology Studies, Dartmouth College (Oct. 27, 2003) (Ex. 1007,
“Liljenstam”).
5 George W. Dunlap et al., ReVirt: Enabling Intrusion Analysis through
Virtual-Machine Logging and Replay, Proceedings of the 5th Symposium on
Operating Systems Design and Implementation, USENIX Association (Dec.
9–11, 2002) (Ex. 1008, “Dunlap”).

After institution of trial, Patent Owner filed a Patent Owner Response
(“PO Resp.,” Paper 20) and Petitioner filed a Reply thereto (“Reply,” Paper
23). An oral argument was held on March 31, 2015. The transcript of the
oral hearing has been entered into the record. Paper 28, “Tr.”
We have jurisdiction under 35 U.S.C. § 6(c). This Final Written
Decision is issued pursuant to 35 U.S.C. § 318(a) and 37 C.F.R. § 42.73.
Petitioner has shown, by a preponderance of the evidence, that claims
1, 3–7, 17, 18, 20, and 22–30 of the ’553 patent are unpatentable. Petitioner
has not shown, by a preponderance of the evidence, that claims 8, 12–14, 16,
and 19 are unpatentable.

A. Related Proceedings
Petitioner indicates that the parties are involved in a related
proceeding, Finjan, Inc. v. FireEye, Inc., No. 4:13-cv-03133-SBA, filed in
the United States District Court for the Northern District of California.
Paper 6, 1.
The parties also are involved in Case IPR2014-00344, directed to U.S.
Patent No. 8,291,499 B2 (“the ’499 patent”), which shares a common
disclosure with the ’553 patent.
B. The ’553 Patent
The ’553 patent describes an unauthorized activity capture or detection
system that analyzes copied network data with a heuristic to determine if the
copied network data has the characteristics of a computer worm. See
Ex. 1001, Claim 1. If the copied network data has a characteristic of a
computer worm, the system flags the copied network data for replay in an
analysis environment. Id.
`
`3
`
`
`
`
`
`IPR2014-00492
`Patent 8,171,553 B2
`Figure 7 of the ’553 patent is reproduced below.
`
`
`Figure 7 depicts an embodiment of an unauthorized activity detection system
`described in the ’553 patent. Unauthorized activity detection system 700
`includes source device 705, destination device 710, and tap 715, each of
`which is coupled to communication network 720. Id. at 26:21–26. Tap 715
`is further coupled to controller 725. Id. at 26:25–26. In operation, tap 715
`monitors network data and provides a copy of the network data to controller
`725. Id. at 26:35–37.
`Figure 7 also shows controller 725, which “can be any digital device
`or software that receives network data from the tap 715.” Ex. 1001, 27:1–2.
`“In some embodiments, controller 725 is contained within computer worm
`sensor 105.” Id. at 27:2–4. Controller 725 also may be contained within
`separate traffic analysis device 135 or may be a stand-alone digital device.
`Id. at 27:4–6. Controller 725 can comprise virtual machine pool 745,
analysis environment 750, heuristic module 730, and policy engine 755. Id.
at 27:6–9. “[V]irtual machine pool 745 is configured to store virtual
`machines [and] . . . can be any storage capable of storing software.” Id. at
`28:51–52. Additionally, “analysis environment 750 simulates transmission
`of the network data between the source device 705 and the destination
`device 710 to analyze the effects of the network data upon the destination
`device 710.” Id. at 28:59–62. Heuristic module 730 can receive copied
`network data from tap 715 and apply heuristic and/or probability analysis to
`determine if the network data contains suspicious activity. Id. at 27:12–15.
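The pipeline the Specification describes above (a passive tap copies traffic, a heuristic module identifies data with worm characteristics, and an analysis environment replays the flagged transmission against a stand-in for the destination device to observe its effect) is illustrated below in Python. This is an added example, not code from the ’553 patent, from FireEye, or from any party; the packet fields, the NOP-sled byte signature, the fan-out threshold of three destinations, the 64-byte request buffer of the simulated service, and every address and payload are constructed assumptions for the illustration only.

```python
# Added illustration of tap -> heuristic -> flag -> replay. Not code from the
# '553 patent or from either party; all names, thresholds, addresses and
# payloads below are constructed assumptions for demonstration only.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic: host 10.0.0.5 sprays one oversized payload at
# several hosts on TCP/445 (a scanning-worm characteristic); the remaining
# packets are benign background traffic.
WORM_PAYLOAD = b"A" * 80 + b"\x90\x90\x90\x90"
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.10", 445, WORM_PAYLOAD),
    Packet("10.0.0.5", "10.0.0.11", 445, WORM_PAYLOAD),
    Packet("10.0.0.5", "10.0.0.12", 445, WORM_PAYLOAD),
    Packet("10.0.0.7", "10.0.0.20", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("10.0.0.8", "10.0.0.20", 80, b"GET /status HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]


def tap(traffic):
    """Passive tap: hand the controller a copy; the live stream is untouched."""
    return [Packet(p.src, p.dst, p.dport, bytes(p.payload)) for p in traffic]


def heuristic_flag(copied, fanout_threshold=3, signatures=(b"\x90\x90\x90\x90",)):
    """Heuristic module: identify ('flag') packets with worm characteristics.

    Two heuristics are combined: a rule-based match on a known byte signature
    (assumed here to be a NOP sled) and a statistical one, a single source
    sending an identical payload to >= fanout_threshold distinct destinations
    on the same port.
    """
    fanout = defaultdict(set)
    for p in copied:
        fanout[(p.src, p.dport, p.payload)].add(p.dst)
    flagged = []
    for p in copied:
        rule_hit = any(sig in p.payload for sig in signatures)
        spray_hit = len(fanout[(p.src, p.dport, p.payload)]) >= fanout_threshold
        if rule_hit or spray_hit:
            flagged.append(p)
    return flagged


class SimulatedDestination:
    """Stand-in for the destination device inside the analysis environment.

    Models a fictional service with a 64-byte request buffer: a longer request
    is treated as having overwritten the handler, after which the 'device'
    tries to forward the same payload onward, the propagation behaviour the
    replay is meant to expose. Nothing here touches the real network.
    """

    BUFFER = 64

    def __init__(self, address):
        self.address = address
        self.compromised = False
        self.outbound = []

    def receive(self, packet):
        if len(packet.payload) > self.BUFFER:
            self.compromised = True
            # Constructed model of propagation: re-emit the payload to a neighbour.
            self.outbound.append(
                Packet(self.address, "10.0.0.99", packet.dport, packet.payload))


def replay(flagged):
    """Analysis environment: replay each flagged transmission to a fresh
    simulated destination and record the effect on it."""
    report = {}
    for p in flagged:
        vm = SimulatedDestination(p.dst)
        vm.receive(p)
        report[(p.src, p.dst, p.dport)] = {
            "compromised": vm.compromised,
            "propagated": len(vm.outbound),
        }
    return report


def run_pipeline(traffic):
    """Tap -> heuristic -> flag -> replay; returns (flagged packets, replay report)."""
    copied = tap(traffic)
    flagged = heuristic_flag(copied)
    return flagged, replay(flagged)


if __name__ == "__main__":
    flagged, report = run_pipeline(SAMPLE_TRAFFIC)
    for key, effect in report.items():
        print(key, effect)
```

Only the three sprayed packets are flagged; the two HTTP requests match neither heuristic and are never replayed. The replay goes to a fresh simulated destination per flagged packet, which is what keeps the analysis from affecting the original destination device or the communication network.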
`C. Illustrative Claim
`Of the challenged claims, claims 1, 8, 17, and 28 are independent.
`Claim 1, reproduced below, is illustrative of the subject matter of the ’553
`patent:
1. An unauthorized activity capture system comprising:
    a tap configured to copy network data from a communication
network; and
    a controller coupled to the tap and configured to receive the copy
of the network data from the tap, analyze the copy of the network data
with a heuristic to determine if the copy of the network data has one or
more characteristics of a computer worm, flag at least a portion of the
copy of the network data as suspicious by flagging the at least a portion
of the copy of the network data for replay in an analysis environment
based upon the heuristic determination that the at least a portion of the
analyzed copy of the network data has one or more characteristics of a
computer worm, and replay transmission of the suspicious, flagged
network data copied from the communication network to a destination
device.
Ex. 1001, 31:60–32:8.
`
`II. ANALYSIS
`A. Claim Construction
During a review before the Patent Trial and Appeal Board (“Board”),
we construe claims in an unexpired patent in accordance with the broadest
`reasonable interpretation in light of the specification of the patent in which
`they appear. 37 C.F.R. § 42.100(b); see In re Cuozzo Speed Techs., LLC,
`778 F.3d 1271, 1278–82 (Fed. Cir. 2015) (“Congress implicitly adopted the
`broadest reasonable interpretation standard in enacting the AIA,” and “the
`standard was properly adopted by PTO regulation.”); see Office Patent Trial
`Practice Guide, 77 Fed. Reg. 48,756, 48,766 (Aug. 14, 2012). Under the
`broadest reasonable interpretation standard, claim terms are given their
`“ordinary and customary meaning” as would be understood by one of
`ordinary skill in the art in the context of the entire disclosure. In re
`Translogic Tech., Inc., 504 F.3d 1249, 1257 (Fed. Cir. 2007). An inventor
`may rebut that presumption by providing a definition of the term in the
`Specification with “reasonable clarity, deliberateness, and precision.” In re
`Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994). In the absence of such a
`definition, limitations are not to be read from the Specification into the
`claims. In re Van Geuns, 988 F.2d 1181, 1184 (Fed. Cir. 1993).
`1. flag or flagging (Claims 1, 8, 17, and 28)
`For the purposes of our Decision to Institute, we determined that the
`broadest reasonable interpretation of the terms “flag” and “flagging” is
`“identify” and “identifying.” Dec. 6–7 (adopting our analysis in the
`Decision to Institute (Paper 17) for the same term at issue in IPR2014-
`00344, in which the ’499 patent shares the same disclosure as the ’553
`patent). Neither party disputes this interpretation. Pet. 5; PO Resp. 12.
`Based on the complete record now before us, we discern no reason to change
`this interpretation; thus, we adopt our previous analysis and interpret “flag”
`and “flagging” to mean “identify” and “identifying,” respectively.
`2. virtual machine pool (claims 6, 14, and 19)
`6
`
`
`
`
`
`IPR2014-00492
`Patent 8,171,553 B2
`In the Decision instituting trial, we construed “virtual machine pool”
`to include “any storage capable of storing one or more virtual machines.”
`Dec. 6–7. Patent Owner contests this construction and argues that the
`“notion that ‘any storage’ is a virtual machine pool would mean that any
`hard drive is a virtual machine pool regardless of whether it stores potential
`virtual machines.” PO Resp. 12 n.1.
`We do not agree with Patent Owner’s arguments. Our construction in
`the Decision to Institute does not include “any storage,” as Patent Owner
`suggests, but “storage capable of storing one or more virtual machines.”
`Dec. 6–7 (referring to our discussion of “virtual machine pool” in the
`Decision to Institute (Paper 17) for IPR2014-00344). This construction is
`consistent with the Specification, which states that “virtual machine pool
`745 can be any storage capable of storing software” and “virtual machine
`pool 745 is configured to store virtual machines.” Ex. 1001, 28:50–52.
`Thus, under the broadest reasonable interpretation, we construe
`“virtual machine pool” to mean “any storage capable of storing one or more
`virtual machines.”
`3. analysis environment (claims 1, 8, 17, and 28)
`In the Decision to Institute, we determined, based on the preliminary
`record, that the term “analysis environment” means “an environment in
`which analysis of the effect of the network data upon a destination device is
`performed.” Dec. 6–7.
`In Patent Owner’s Response, Patent Owner disagrees with our
`construction because it “permits an analysis environment to be a passive
`location or one in which a human being performs analysis.” PO Resp. 13.
Patent Owner asserts that a person of ordinary skill in the art would not
consider an “analysis environment” to be an environment where analysis is
performed by either the analysis environment or some other actor. Id. at 14.
`Patent Owner adds that the “analysis environment” is described throughout
`the ’553 patent as an actor rather than merely a passive component enabling
`actions by others. Id. at 14–15 (citing Ex. 1001, 29:24–25, 30:3, 30:8,
`31:17–19).
`Although the ’553 patent provides examples where analysis
`environment 750 “determines,” “simulates,” “can react,” or “replays,” as
`noted by Patent Owner in the cited sections above (Ex. 1001, 29:24–25,
`30:3–4, 30:8, 31:17–19), the Specification also indicates these descriptions
`of analysis environment 750 are non-limiting examples that disclose “some
`embodiments” or “one embodiment.” Ex. 1001, 29:22–23, 29:36–37,
`30:65–67. This disclosure in the Specification is consistent with the
`language of the challenged claims, which do not require explicitly that the
`analysis environment actively perform any action. For example, claim 1
`requires that the recited controller “flag at least a portion of the copy of the
`network data as suspicious by flagging the at least a portion of the copy of
`the network data for replay in an analysis environment.” (Emphasis added).
`In claim 1, the analysis environment provides a location for replay, which
`does not require that the network data is replayed by the analysis
`environment. Further, looking back to the Specification, the ’553 patent
`provides that “in accordance with one embodiment of the present
`invention . . . the analysis environment 750 replays transmission of the
`network data.” Ex. 1001, 30:65–66, 31:17–18 (emphasis added). This
`disclosure along with the express language of claim 1 indicates that, in the
`context of the ’553 patent, a distinction exists between an analysis
`environment that provides a location for replaying data versus an analysis
`environment that itself performs replay.
`8
`
`
`
`
`
`IPR2014-00492
`Patent 8,171,553 B2
`Thus, we do not find that the recited “analysis environment” requires
`that the environment perform the analysis. Although claims are interpreted
`in light of the specification, limitations from the specification are not read
`into the claims. In re Van Geuns, 988 F.2d 1181, 1184 (Fed. Cir. 1993).
`The claim language does not require or mention the analysis environment
`performing an analysis. Moreover, even assuming Patent Owner is correct
`that the ’553 patent only describes the analysis environment as actively
`performing analysis, claims generally are not limited to any particular
`embodiment disclosed in the specification, even where only a single
`embodiment is disclosed. Innova/Pure Water, Inc. v. Safari Water Filtration
`Sys., Inc., 381 F.3d 1111, 1117 (Fed. Cir. 2004); see, e.g., Silicon Graphics,
`Inc. v. ATI Techs., Inc., 607 F.3d 784, 792 (Fed. Cir. 2010) (“A construing
`court’s reliance on the specification must not go so far as to import
`limitations into claims from examples or embodiments appearing only in a
`patent’s written description . . . unless the specification makes clear that the
`patentee . . . intends for the claims and the embodiments in the specification
`to be strictly coextensive.” (internal quotation marks omitted)).
`Accordingly, we construe “analysis environment” to mean “an
`environment in which analysis of the effect of the network data upon a
`destination device is performed.” See Dec. 6.
`4. virtual switch (claim 20)
`In the Decision to Institute, we determined that under the broadest
`reasonable interpretation, the term “virtual switch” means “software that is
`configured to mimic the performance of a switch.” Dec. 6. The parties do
not dispute this construction. PO Resp. 12; Reply 2–5. Based on the
complete record now before us, we discern no reason to change this
construction; we adopt our previous analysis for this non-disputed claim
term.
`
`5. replay transmission of the suspicious, flagged network data copied
`from the communication network to a destination device (claim 1);
`
`replaying transmission of the flagged at least a portion of the
`analyzed copied network data which was copied from the
`communication network to a destination device to identify
`unauthorized activity based on playback of the flagged suspicious
`at least a portion of the analyzed copy of the network data (claim
`17);
`
`replay transmission of the flagged suspicious at least a portion of
`the analyzed copied network data copied from the network to a
`destination device (claim 28)
`
`In distinguishing the challenged claims over the asserted prior art,
`Patent Owner argued at the oral hearing that the replay/replaying phrases
`(shown above) recited in independent claims 1, 17, and 28 require replay of
`data to a destination device.
`JUDGE IPPOLITO: Before you do, I would just like to
`go back to my original question about the claim construction
`that you are proposing for the replaying step. I just want to get
`on the record what exactly are you using for support for that
`claim construction that the replaying is done to a destination
`device as opposed to replaying transmission that originally was
`to a destination device.
`
`MR. McCOMBS: Your Honors, the only discussion in
`the entire specification of the patent is, when there is a
`replaying transmission, that it is done to a virtual machine. And
`that’s described in the specification at column 29, line 36
`through 42, and then at column 29, line 56 through 60.
`
What is happening is the replaying, it is a simulation of a
transmission where it is a virtual machine that is simulating the
destination device. That’s the only time that there is any
replaying done in the patent in an analysis environment to a
destination device, which is a virtual machine that is simulating
the original destination device.

There is not a discussion of actually replaying
transmission back out onto the communications network to
some original destination. That is never described in the patent.

Tr. 48:3–24.
`
`We understand Patent Owner’s reading of these claim phrases to be
`that replaying the transmission of data requires replaying the transmission to
`a destination device such as a virtual machine. However, we do not agree
`that this is the broadest reasonable interpretation of these phrases. For
`example, claim 1 recites “replay transmission of . . . data copied from the
`communication network to a destination device.” The term “replay” appears
`logically and grammatically to apply to the term “transmission,” which
`immediately follows “replay.” Further, the term “transmission” is modified
`by the following phrase “of the suspicious, flagged network data,” which
`describes the “transmission” as a transmission of suspicious, flagged
`network data. Claim 1 further describes the “data” as “copied from the
`communication network to a destination device.” Thus, we read the phrase
`“copied from the communication network to a destination device” as
`applying to “data,” and not requiring that “replay” occurs to a destination
`device. Similarly, we read the corresponding language in claim 28 as
`applying the phrase “copied from the network to a destination device” to the
`“copied network data” and not to “replay transmission.” Additionally, for
`claim 17, we read the claim language “which was copied from the
`communication network to a destination device” to apply to “copied network
data” and not to “replaying transmission.”

Our reading of the claim language is consistent with the disclosure of
the ’553 patent. The ’553 patent uses the term “destination device” to
describe original destination device 710 that receives the transmission of
data from source device 705 via communication network 720. Ex. 1001,
26:18–43, 29:56–60, Figs. 7, 10. Further, the sections of the ’553 patent
`cited by the Patent Owner do not support Patent Owner’s proposed
`interpretation of these phrases. Column 29, lines 36 through 42 do not refer
`to a destination device. Column 29, lines 56 through 60 disclose that virtual
`machine 815 simulates destination device 710. In other words, the ’553
`patent does not teach that virtual machine 815 is “a destination device,”
`instead it teaches that a virtual machine may simulate or mimic the original
`destination device. Id. at 29:56–60, Fig. 10. Additionally, we note that to
`the extent Patent Owner contends the recited replay phrases require replay to
`a virtual machine, the claim language does not recite a virtual machine.
`6. Other Claim Terms
`
Patent Owner further proposes constructions for the claim terms
“determine” and “determination.” PO Resp. 15–16. Based on the
evidence of record, however, these terms do not require express construction
for the purposes of this Decision.
`B. Claims 1, 5, 7, 17, 22, and 25–27 – Obviousness over Kaeo (Ex. 1006)
`and Venezia (Ex. 1005)
`Petitioner argues that claims 1, 5, 7, 17, 22, and 25–27 are
`unpatentable under 35 U.S.C. § 103(a) over Kaeo and Venezia. Pet. 20–60.
`As explained in further detail below, having considered the arguments and
`evidence presented, we are persuaded that Petitioner has shown, by a
`preponderance of the evidence, that claims 1, 5, 7, 17, and 25–27 are
unpatentable over Kaeo and Venezia. We are not persuaded of the same for
claim 22.
`1. Relevant Legal Principles
`A claim is unpatentable under 35 U.S.C. § 103(a) if the differences
`between the claimed subject matter and the prior art are such that the subject
`matter, as a whole, would have been obvious at the time the invention was
`made to a person having ordinary skill in the art to which said subject matter
`pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The
`question of obviousness is resolved on the basis of underlying factual
`determinations including (1) the scope and content of the prior art; (2) any
`differences between the claimed subject matter and the prior art; (3) the level
`of skill in the art; and, (4) where in evidence, so-called secondary
`considerations, including commercial success, long-felt but unsolved needs,
failure of others, and unexpected results. Graham v. John Deere,
383 U.S. 1, 17–18 (1966) (“the Graham factors”). The level of ordinary
`skill in the art usually is evidenced by the references themselves.
`See Okajima v. Bourdeau, 261 F.3d 1350, 1355 (Fed. Cir. 2001);
`In re GPAC Inc., 57 F.3d 1573, 1579 (Fed. Cir. 1995); In re Oelrich,
`579 F.2d 86, 91 (CCPA 1978).
`For an obviousness analysis, prior art references “must be ‘considered
`together with the knowledge of one of ordinary skill in the pertinent art.’”
`In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994) (quoting In re Samour,
`571 F.2d 559, 562 (CCPA 1978)). Moreover, “it is proper to take into
`account not only specific teachings of the reference but also the inferences
`which one skilled in the art would reasonably be expected to draw
`therefrom.” In re Preda, 401 F.2d 825, 826 (CCPA 1968). That is because
`an obviousness analysis “need not seek out precise teachings directed to the
specific subject matter of the challenged claim, for a court can take account
of the inferences and creative steps that a person of ordinary skill in the art
would employ.” KSR, 550 U.S. at 418; see In re Translogic Tech., Inc.,
`504 F.3d at 1259.
`2. Level of Ordinary Skill in the Art
`The parties agree that a person of ordinary skill in the art would have
`the following education and/or experience: a recent degree in a field such as
`computer science or computer networking and two or more years of
`experience in the computer networking or computer security industry. PO
`Resp. 16–17; Ex. 1003 ¶ 33. “Alternatively, in lieu of recent formal
`education, a person of ordinary skill in the art would have had six or more
`years of relevant experience in the computer networking or computer
`security industry.” PO Resp. 16–17. This level of ordinary skill in the art is
`consistent with the ordinary skill reflected in the prior art of record, which is
directed to computer networking and computer security systems. For
example, Venezia and Kaeo both disclose intrusion detection systems. Ex.
1005; Ex. 1006.
`With this level of ordinary skill in mind, we now turn to the analysis
`of the differences between the asserted prior art references and the subject
`matter recited in the claims-at-issue.
`3. Summary of Venezia (Ex. 1005)
Venezia reviews the performance of NetDetector, an intrusion
detection system (“IDS”). Ex. 1005, 1. Venezia states that “[r]ather than
`simply capturing the packet headers of monitored data streams, and
`examining them for possible attacks, the NetDetector stores every packet,
`from header to payload, in an indexed database.” Id. Venezia adds that
`NetDetector notifies an administrator of an attack and allows the
administrator to playback or “reconstruct the attack, keystroke by keystroke,
packet by packet.” Id. Venezia further indicates that NetDetector relies on
`Snort, an open source IDS, for intrusion detection. Id. at 2. Snort is
`described as being able to “monitor all traffic or a selected segment (based
`on filtering rules) on any given interface.” Id. Venezia also states that “it’s
`possible to select a specific time frame or capture and reprocess that traffic
`stream through the IDS engine.” Id. Venezia explains that once an attack or
`signature has been identified, every packet comprising that event is
`available. Id.
`4. Summary of Kaeo (Ex. 1006)
`Kaeo describes various design options for network security, including
`intrusion detection systems based on statistical analysis and rule-based
`methods. Ex. 1006, 361. Kaeo indicates that the rule-based analysis method
`“uses rules that characterize known security attack scenarios and raise an
`alarm if observed activity matches any of its encoded rules.” Id. “This
`analysis can also detect intruders who exhibit specific patterns of behavior
`known to be suspicious or in violation of site security policy.” Id. Kaeo
`adds that most rule-based systems are user configurable so that the user can
`define her own rules based on her own corporate environment. Id. Kaeo
`also describes network intrusion detection systems with cable taps that serve
`as “[p]assive Ethernet taps . . . where ‘copies’ of the frames are sent to a
`second switch dedicated to IDS sensors.” Id. at 362, Fig. 8-2. Additionally,
`Kaeo teaches that “honey pots” are locations to send suspected traffic
`to/from an attack. Id. at 363. The data then can be collectively analyzed to
`mitigate some possible attacks. Id.
`
`15
`
`
`
`
`
`IPR2014-00492
`Patent 8,171,553 B2
`5. Analysis
`a. Claims 1 and 17
`Petitioner contends that Kaeo and Venezia teach or suggest all the
`limitations of claims 1, 5, 7, 17, 22, and 25–27. Pet. 20–59. We have
`reviewed the Petition, the Patent Owner’s Response, and Petitioner’s Reply,
`as well as the evidence discussed in each of those papers, and are persuaded
`that Petitioner has shown, by a preponderance of the evidence, that claims 1
`and 17 would have been obvious based on Kaeo and Venezia. Our
`discussion below focuses on the limitations of independent claim 1, which
`are illustrative and largely overlap with limitations recited in independent
`claim 17. However, to the extent the limitations of independent claim 17
`require separate treatment, those limitations are discussed separately below.
`Additionally, dependent claims 5, 7, 22, and 25–27 are discussed in a
`following section.
`Claim 1 recites “a tap configured to copy network data from a
`communication network” and “a controller coupled to the tap and configured
`to receive the copy of the network data from the tap.” Petitioner asserts that
`Kaeo’s disclosure of cable taps or a SPAN/mirror port coupled to a network
`intrusion detection system meets these limitations. Pet. 30–32. We find
`Petitioner has shown sufficiently that Kaeo teaches these limitations.
`Claim 1 further recites a controller that is configured to “analyze the
`copy of the network data with a heuristic to determine if the copy of the
`network data has one or more characteristics of a computer worm.” We are
`persuaded by Petitioner’s assertion that Kaeo’s disclosure of a network
`intrusion detection system that performs IDS rule-based analysis and
`statistical analysis satisfies this limitation. Pet. 33–35.
Additionally, claim 1 requires that the controller is configured to
    flag at least a portion of the copy of the network data as
suspicious by flagging the at least a portion of the copy of the
network data for replay in an analysis environment based upon
the heuristic determination that the at least a portion of the
analyzed copy of the network data has one or more
characteristics of a computer worm, and replay transmission of
the suspicious, flagged network data copied from the
communication network to a destination device.

`For these limitations, Petitioner asserts that Venezia’s NetDetector “stores
`every packet, from header to payload, in an indexed database,” which “not
`only permits an administrator to be notified when an attack has occurred but
`also to reconstruct the attack, keystroke by keystroke, packet by packet, and
`determine the exact commands issued by the attacker, in addition to any files
`or other data that was transmitted to or from the compromised system.”
`Pet. 14 (citing Ex. 1005, 1). Petitioner adds that Venezia further teaches that
`once NetDetector has identified a particular attack or signature, every packet
`comprising that event is available in raw packet form with the option to
`replay the session just as it was recorded. Id.
`Patent Owner argues that Venezia does not disclose “flagging . . . for
`replay” required in claim 1, because NetDetector’s replay occurs at the
`option of an administrator and does not occur automatically after
NetDetector identifies network data matching an attack signature. PO Resp.
19 (citing Ex. 2009 ¶¶ 69–71). Patent Owner adds that the replay decision is
`made by a human administrator and NetDetector does not have the ability to
`decide whether or not to replay data. Id. Patent Owner further argues that
`Venezia’s examples of replay involve data that was not identified as
suspicious. Id. at 19–20. Specifically, there is no indication of an attack for
the replay of an AOL Instant Messenger (“AIM”) session (Ex. 1005) or the
replay discussed in the Niksun white paper (Ex. 1012).6 Id.
`We do not agree with Patent Owner’s arguments. First, as written,
`claim 1 requires “flagging . . . for replay,” but does not indicate expressly
`that the replay occurs automatically after flagging. Further, Patent Owner
`has not explained sufficiently how the claim language requires automatic
`replay otherwise.
`Second, we also do not agree that the “flagging” limitation excludes a
`replay decision made by a human administrator. Claim 1 requires that the
`recited controller is configured to “flag . . . data as suspicious by flagging
` . . . the network data for replay.” However, claim 1 does not recite that the
`controller (or any other component) must decide whether or when the replay
`occurs.
`Third, we are not persuaded that Venezia does not teach or suggest the
`replay of data that has been identified as suspicious. Specifically, as
`Petitioner argues, Venezia describes the replay of the AIM session as an
`example of how data is replayed once it has been recorded. This example of
`replay is given in the context of having first identified an attack prior to
`replay. Ex. 1005, 2 (“once a particular attack or signature has been
`identified, every packet comprising that event is available both in raw packet
`form.”). Moreover, Petitioner points to Venezia’s teaching that an
`administrator can reconstruct an attack, keystroke by keystroke, packet by
`packet, after being notified of an attack. Pet. 15 (citing Ex. 1005, 1). Thus,
we find that Venezia teaches that once an attack event has been identified,
the data for that event is recorded such that it can be replayed as described in
the example of the recorded AIM session. Id.


6 The Petition refers to Ex. 1012 (“Niksun”), titled “Network Security –
NetDetector Intrusion Forensic System,” as further describing the operation
of the NetDetector system disclosed in Venezia. See Pet. 35.
Next, Patent Owner argues that Venezia does not teach an “analysis
environment” because (1) an administrator, rather than the environment,
performs the analysis; and (2) Venezia’s NetDetector does not provide any
ability to replay the packets to a destination device and then reconstruct or
otherwise display the effect of those packets on the destination device. PO
Resp. 20–24 (citing Ex. 2009 ¶¶ 76–79).
`As discussed, we find that the language of claim 1 does not exclude
`manual analysis and, further, does not require the analysis environment to
`perform the analysis under the broadest reasonable construction of “analysis
`environment.” See supra Claim Construction. Further, we do not agree that
`the claim term “analysis environment” requires replay to a destination
`device. As discussed above, we construe “an