Trials@uspto.gov
`Tel: 571-272-7822
`
`Paper 11
`Entered: October 30, 2014
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`INTERNATIONAL BUSINESS MACHINES CORPORATION,
`Petitioner,
`
`v.
`
`INTELLECTUAL VENTURES II LLC,
`Patent Owner.
`
`Case IPR2014-00681
`Patent 6,715,084 B2
`
`
`
`
`
`
`
`
`
`Before KRISTEN L. DROESCH, JENNIFER S. BISK, and
`JUSTIN BUSCH, Administrative Patent Judges.
`
`BISK, Administrative Patent Judge.
`
`DECISION
`Denying Institution of Inter Partes Review
`37 C.F.R. § 42.108
`
`
`
`INTRODUCTION
`
`A. Background
`
`International Business Machines Corporation (“IBM” or “Petitioner”)
`
`filed a Corrected Petition (Paper 4, “Pet.”) requesting an inter partes review
`
`of claims 1–9 and 12–18 (the “challenged claims”) of U.S. Patent No.
`
`
`Tel: 571-272-7822
`
`Paper 11
`Entered: October 30, 2014
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`INTERNATIONAL BUSINESS MACHINES CORPORATION,
`Petitioner,
`
`v.
`
`INTELLECTUAL VENTURES II LLC,
`Patent Owner.
`
`Case IPR2014-00681
`Patent 6,715,084 B2
`
`
`
`
`
`
`
`
`
`Before KRISTEN L. DROESCH, JENNIFER S. BISK, and
`JUSTIN BUSCH, Administrative Patent Judges.
`
`BISK, Administrative Patent Judge.
`
`DECISION
`Denying Institution of Inter Partes Review
`37 C.F.R. § 42.108
`
`
`
`INTRODUCTION
`
`A. Background
`
`International Business Machines Corporation (“IBM” or “Petitioner”)
`
`filed a Corrected Petition (Paper 4, “Pet.”) requesting an inter partes review
`
`of claims 1–9 and 12–18 (the “challenged claims”) of U.S. Patent No.
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`6,715,084 B2 (Ex. 1005, “the ’084 patent”). 35 U.S.C. § 311. Intellectual
`
`Ventures II LLC, (“Intellectual Ventures” or “Patent Owner”), filed a
`
`Preliminary Response. Paper 10 (“Prelim. Resp.”).
`
`We have authority to determine whether to institute an inter partes
`
`review. 35 U.S.C. § 314(b); 37 C.F.R. § 42.4(a). The standard for
`
`instituting an inter partes review is set forth in 35 U.S.C. § 314(a), which
`
`provides that an inter partes review may not be instituted “unless the
`
`Director determines . . . there is a reasonable likelihood that the petitioner
`
`would prevail with respect to at least 1 of the claims challenged in the
`
`petition.”
`
`After considering the Petition and Preliminary Response, we
`
`determine that IBM has not established a reasonable likelihood of prevailing
`
`on any of the claims challenged in the Petition. Accordingly, we do not
`
`institute an inter partes review.
`
`B. Related Matters
`
`At the time of filing the Petition in this proceeding, IBM filed another
`
`petition for inter partes review in IPR2014-00682 challenging claims 19, 20,
`
`and 22–33 of the ’084 patent. Subsequent to IBM’s filings, another
`
`petitioner also filed two petitions challenging claims of the ’084 patent in
`
`IPR2014-00793 and IPR2014-00801.
`
`IBM indicates that the ’084 patent is the subject of concurrent
`
`proceedings in various district courts, none of which name IBM as a
`
`defendant. See Pet. 2–3; Paper 9 (Petitioner’s Amended Mandatory
`
`Notices).
`
`2
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`C. The ’084 Patent
`
`The ’084 patent relates to network-based intrusion detection systems.
`
`Ex. 1005, 1:7–10. Intrusion detection systems are used to determine that a
`
`breach of computer security—access to computer resources by an
`
`unauthorized outsider—has occurred, is underway, or is beginning. Id. at
`
`3:38–49. Conventional intrusion detection products and services are based
`
`on specialized equipment located on a customer’s premises and are directed
`
`to the analysis of a single customer’s data. Id. at 4:51–67. These systems
`
`may produce false alarms and are often unable to detect the earliest stages of
`
`network attacks. Id. In contrast, the broad-scope intrusion detection system
`
`of the ’084 patent analyzes the traffic coming into multiple hosts or other
`
`customers’ computers or sites, providing additional data for analysis, and
`
`consequently, the ability to recognize intrusions that would otherwise be
`
`difficult or impossible to diagnose. Id. at 5:44–56.
`
`As described, one embodiment of the broad-scope intrusion detection
`
`system monitors the communications on a network, or on a particular
`
`segment of the network, by a data collection and processing center coupled
`
`to the network. Ex. 1005, 7:18–24; 7:31–35. Because the data collection
`
`and processing center gathers information from multiple network devices,
`
`including potentially multiple customers, it has access to a broader scope of
`
`network activity. Id. at 8:13–21. This additional data allows for the
`
`recognition of additional patterns of suspicious activity beyond those
`
`detectable with conventional systems. Id. at 8:21–22.
`
`To detect intrusions, the ’084 patent describes one technique of
`
`collecting suspicious network traffic events, forwarding those events to a
`
`central database and analysis engine, and then using pattern correlations to
`
`3
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`determine suspected intrusion-oriented activity. Ex. 1005, 8:23–31. Upon
`
`detection of suspected malicious activity, adjustments to devices such as
`
`firewalls can be made to focus sensitivity on attacks from suspected sources
`
`or against suspected targets. Id. at 8:31–35; 10:49–67. In addition, if any
`
`intrusions or attempted intrusions have been detected, alerts can be sent both
`
`to the system to which the suspicious communication was directed and also
`
`to systems that have not yet received the communication. Id. at 11:53–12:4.
`
`D. Illustrative Claim
`
`Of the challenged claims in the ’084 patent, claims 1 and 9 are
`
`independent. Claim 1 is illustrative and recites:
`
`1. A method of alerting at least one device in a networked
`computer system comprising a plurality of devices to an anomaly,
`at least one of the plurality of devices having a firewall,
`comprising:
`
`detecting an anomaly in the networked computer system using
`network-based intrusion detection techniques comprising
`analyzing data entering into a plurality of hosts, servers, and
`computer sites in the networked computer system;
`
`determining which of the plurality of devices are anticipated to be
`affected by the anomaly by using pattern correlations across the
`plurality of hosts, servers, and computer sites; and
`
`alerting the devices that are anticipated to be affected by the
`anomaly.
`
`E. The Evidence of Record
`
`IBM relies upon the following prior art references as its basis for
`
`challenging claims 1–9 and 12–18 of the ’084 patent.1
`
`Reference Patents/Printed Publications
`
`Exhibit
`
`
`1 IBM also proffers the Declaration of Dr. Steven M. Bellovin. See Ex.
`1001.
`
`4
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`Porras
`
`Phillip A. Porras & Alfonso
`Valdes, Live Traffic Analysis of
`TCP/IP Gateways, Proceedings
`of the 1998 ISOC Symposium on
`Network and Distributed Sys.
`Security 1–13, (Dec. 12, 1997)
`U.S. Patent No. 7,237,264 B1
`Graham
`NetRanger NetRangerTM User’s Guide
`Version 1.3.1, WheelGroup Corp.
`001–327, (1997)
`Steven R. Snapp et al., A System
`for Distributed Intrusion
`Detection, IEEE 170–176, (1991)
`
`Snapp
`
`Ex. 1006 (“Porras”)
`
`Ex. 1007 (“Graham”)
`Ex. 1008 (“NetRanger”)
`
`Ex. 1009 (“Snapp”)
`
`F. The Asserted Grounds of Unpatentability
`
`IBM contends that the challenged claims are unpatentable under
`
`35 U.S.C. §§ 102 and/or 103 based on the following grounds (Pet. 4–5):
`
`Statutory Ground
`§ 102(b)
`§ 102(e)
`§ 103
`§ 102(b)
`§ 103
`
`Basis
`
`Porras
`Graham
`Graham and Snapp
`NetRanger
`NetRanger and Snapp
`
`Challenged Claims
`1–9, 12–18
`1–7, 9, 12–17
`8, 18
`1–7, 9, 12–17
`8, 18
`
`A. Claim Construction
`
`ANALYSIS
`
`In an inter partes review, claim terms are given their broadest
`
`reasonable interpretation in light of the specification in which they appear
`
`and the understanding of others skilled in the relevant art. See 37 C.F.R.
`
`§ 42.100(b). Applying that standard, we interpret the claim terms of the
`
`’084 patent according to their ordinary and customary meaning in the
`
`context of the patent’s written description. See In re Translogic Tech., Inc.,
`
`504 F.3d 1249, 1257 (Fed. Cir. 2007).
`
`5
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`IBM proposes interpretations for “an anomaly in the network,”
`
`“network-based intrusion detection techniques,” “alerting the device / alerts
`
`the device,” and “generating an automated response to the intrusion.” Pet.
`
`5–9. Intellectual Ventures disputes IBM’s analysis and provides its own
`
`interpretations for “anomaly,” “network based intrusion detection
`
`techniques,” “generating an automated response to the intrusion,”
`
`“determining which of the plurality of devices are anticipated to be affected
`
`by the anomaly,” and “alert [-ing/-s] the device.” Prelim. Resp. 6–18. Of
`
`these terms, we consider it necessary, for purposes of this Decision, to
`
`expressly construe the terms “anomaly” and “determining which . . . are
`
`anticipated to be affected by the anomaly.” None of the remaining terms
`
`requires an express construction at this time.
`
`1. “anomaly”
`
`IBM proposes that “an anomaly in the network” be construed as “a
`
`predetermined pattern of data in the network.” Pet. 5. Intellectual Ventures
`
`disagrees, arguing that an anomaly is “a departure from the usual or
`
`expected; an abnormality or irregularity.” Prelim. Resp. 10 (citing Exs.
`
`2002; 2003 (reciting dictionary definitions of “anomaly”)).
`
`We agree that Intellectual Ventures’s proposed construction is the
`
`broadest reasonable interpretation of the term and is consistent with the
`
`specification of the ’084 patent. For example, the ’084 patent states that
`
`“Anomaly detection systems look for statistically anomalous behavior . . .
`
`[s]tatistical scenarios can be implemented for user, dataset, and program
`
`usage to detect ‘exceptional’ use of the system.” Ex. 1005, 3:54–57.
`
`6
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`2. “determining which of the plurality of devices are anticipated
`to be affected by the anomaly”
`
`IBM does not propose an explicit construction for “determining which
`
`of the plurality of devices are anticipated to be affected by the anomaly”
`
`(“the determining limitation”)2. Intellectual Ventures proposes that the
`
`broadest reasonable construction is “deciding or ascertaining which devices
`
`are expected or foreseen to be affected by the detected anomaly.” Prelim.
`
`Resp. 15–18. Intellectual Ventures bases this construction on dictionary
`
`definitions of “determine” and “anticipate.” Id. at 15–16 (citing Exs. 2008,
`
`2009 (defining determine as “to set limits to; bound; define . . . to reach a
`
`decision about after thought and investigation; decide upon”); Exs. 2010,
`
`2011 (defining anticipate as “to . . . expect . . . to foresee (a command, wish
`
`etc.) and perform in advance”)).
`
`Intellectual Ventures’s proposed construction is consistent with the
`
`specification. For example, the specification states that “[a]n anomaly is
`
`detected in the computer system, and then it is determined which device[] or
`
`devices are anticipated to be affected by the anomaly in the future. These
`
`anticipated devices are then alerted to the potential for the future anomaly.”
`
`Ex. 1005, 5:57–64. Although the specification also states that “the devices
`
`are polled in a predetermined sequential order, and a device anticipated to be
`
`affected by the anomaly is a device that has not been polled,” the ’084 patent
`
`does not limit anticipated devices solely to devices that have not been polled.
`
`Id. at 5:66–6:2.
`
`
`2 This language is recited by claim 1. Claim 9 has a similar limitation
`“determining a device that is anticipated to be affected by the anomaly.”
`
`7
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`In keeping with the broadest reasonable interpretation that is
`
`consistent with the specification, we construe the determining limitation to
`
`mean deciding or ascertaining which devices are expected or foreseen to be
`
`affected by the anomaly.
`
`B. The Asserted Grounds
`
`1. Anticipation by Porras (Ex. 1006)
`
`Porras is an article describing “Live Traffic Analysis of TCP/IP
`
`Gateways.” Ex. 1006. The article discloses “a variety of ways to extend
`
`both statistical and signature-based intrusion-detection analysis techniques to
`
`monitor network traffic.” Id. at Abstract.
`
`IBM challenges claims 1–9 and 12–18 as anticipated by Porras. Pet.
`
`14–27. With respect to the determining limitation, IBM points to Porras’s
`
`disclosure that “malicious activity, nonmalicious failures, and other
`
`exceptional events” are detected and “warnings [are sent] to other domains
`
`that have not yet experienced or reported the session anomalies.” Pet. 15–
`
`16; 18–19. Although IBM contends that a skilled artisan would have
`
`understood Porras to teach the determining limitation, IBM’s only evidence
`
`of such an understanding is the conclusory statement by its declarant that
`
`“there would be no need for Porras to send warnings to domains that have
`
`not yet experienced the anomaly” unless Porras was identifying devices
`
`anticipated to be affected by the anomaly. Prelim. Resp. 25 (quoting Ex.
`
`1001 ¶ 87).
`
`Intellectual Ventures asserts that the declarant’s statement is not only
`
`conclusory, but also incorrect because “sending warnings to domains
`
`without identifying which devices are anticipated to be affected, for
`
`example, sounding a general alarm, is a reasonable practice in some
`
`8
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`situations.” Prelim. Resp. 25 (citing Ex. 1008, 164). We agree with
`
`Intellectual Ventures that the cited portion of Porras expressly states that
`
`warnings are sent to domains that have not yet experienced the anomaly.
`
`This disclosure indicates that Porras must determine which devices have
`
`been affected by the attack to differentiate the domains that have not been
`
`affected from those that have. We are not persuaded, however, that Porras
`
`discloses determining which of the devices are expected to be affected by the
`
`attack.
`
`We have reviewed the rest of the portions of Porras relied upon by
`
`IBM (Pet. 18–19), and we are not persuaded that any of them disclose the
`
`determining limitation. Nor does IBM point to persuasive evidence that the
`
`determining limitation is inherent. Thus, we deny IBM’s challenge that
`
`Porras anticipates claims 1–9 and 12–18.
`
`2. Anticipation by Graham (Ex. 1007)
`
`Graham describes a “system and method for preventing network
`
`misuse.” Ex. 1007, Abstract. One of Graham’s embodiments evaluates
`
`“whether a firewall is configured to block certain suspicious data signatures
`
`before raising an alert and/or taking action in response to those signatures.”
`
`Id. at 12:15–19. Figure 1 of Graham is reproduced below.
`
`9
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`
`
`Figure 1 illustrates an exemplary network architecture on which
`
`various features described by Graham are implemented. Ex. 1007, 2:65–67.
`
`The architecture generally depicts a local area network 140 over which a
`
`plurality of nodes 130–134 communicate. Id. at 3:47–51. Each of nodes
`
`130–134 may be a computer or any device that includes a processor and a
`
`network interface. Id. at 3:51–55. Although Figure 1 shows node 130 and
`
`firewall 152 as separate devices, they may be implemented on a single
`
`computer which performs the functions of both elements. Id. at 12:33–38.
`
`IBM challenges claims 1–7, 9, and 12–17 as anticipated by Graham.
`
`Pet. 29–40. Intellectual Ventures disputes Graham’s anticipation of the
`
`claimed invention. Prelim. Resp. 27–39. We agree with Intellectual
`
`Ventures that IBM has not shown that Graham discloses the detecting
`
`limitation—“detecting an anomaly in the networked computer system using
`
`network-based intrusion detection techniques comprising analyzing data
`
`entering into a plurality of hosts, servers, and computer sites in the
`
`networked computer system”—as required by the challenged claims. See id.
`
`at 34–36.
`
`10
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`IBM equates node 130 to the claimed “data collection and processing
`
`center comprising a computer with a firewall coupled to a computer
`
`network.” Pet. 28–30. Because “node 130 may be configured to scan for
`
`suspicious network traffic . . . and may work with the firewall 152 to filter
`
`out suspicious data” (Ex. 1007, 12:19–21), IBM asserts that node 130 also
`
`fulfills the claim requirement that “the data collection and processing center
`
`monitor[s] data communicated to the network.” Pet. at 29. Finally, IBM
`
`asserts that Graham discloses the detecting limitation because it “analyze[s]
`
`data across LAN 140.” Id. at 29–30.
`
`The only language in Graham that IBM points to as supporting
`
`“analyzing data entering into a plurality of hosts,” however, is a statement
`
`that the nodes include a processor for processing data, and that when “node
`
`132 identifies an incident,” it may take precautionary measures. Pet. at 30
`
`(quoting Ex. 1007, 3:51–55, 4:45–50). Nothing in this language describes
`
`explicitly any of the nodes analyzing data. Nor does IBM assert that this
`
`analysis is inherently disclosed by Graham. See id. Moreover, IBM
`
`provides no evidence to support a finding of inherency. For example, IBM’s
`
`declarant, Dr. Bellovin, concludes that “Graham teaches node 130 . . .
`
`analyzing data entering into multiple nodes” based on language in Graham
`
`that node 130 monitors traffic for an incident. Ex. 1001 ¶ 163. Dr. Bellovin,
`
`however, does not discuss how Graham teaches this limitation or whether
`
`such analysis necessarily flows from the disclosure of Graham. Id.
`
`We are, therefore, not persuaded that IBM has established that there is
`
`a reasonable likelihood that claims 1–7, 9, and 12–17 are unpatentable as
`
`anticipated by Graham.
`
`11
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`3. Obviousness over Graham and Snapp (Ex. 1009)
`
`Snapp is an article titled “A System for Distributed Intrusion
`
`Detection.” Ex. 1009. Snapp describes one approach to solving the problem
`
`of attacks or intrusions on computer systems called the intrusion-detection
`
`concept. Id. at Abstract. The focus of the article is to extend the concept
`
`from the local area network environment to arbitrarily wider areas using
`
`components including a host manager, a local access network manager, and
`
`a central manager, which receives, processes, and correlates reports from the
`
`other managers in order to detect intrusions. Id.
`
`a. Claims 8 and 18
`
`IBM challenges claims 8 and 18 as obvious over the combination of
`
`Graham and Snapp. Pet. 39–42. IBM relies on Snapp for disclosure of the
`
`limitation “adjusting anomaly detection sensitivity and alarm thresholds
`
`based on the detected anomaly,” recited by both claims 8 and 18. Id. at 39–
`
`40.
`
`IBM, however, continues to rely solely on Graham for teaching the
`
`detecting limitation. Pet. 29–30, 41–42. This asserted ground, therefore,
`
`suffers from the same deficiency as discussed above with respect to
`
`anticipation by Graham. Moreover, IBM does not point to any evidence that
`
`a person of ordinary skill in the art would have found the detecting limitation
`
`obvious over the combined disclosures of Graham and Snapp. See Pet. 41–
`
`42; Ex. 1001 ¶¶ 198–202.
`
`We are, therefore, not persuaded that IBM has established that there is
`
`a reasonable likelihood that claims 8 and 18 are unpatentable as obvious
`
`over Graham combined with Snapp.
`
`12
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`4. Anticipation by NetRanger (Ex. 1008)
`
`NetRanger is a user guide for a product of the same name—“a real-
`
`time network security management system that detects, analyzes, responds
`
`to, and deters unauthorized network activity.” Ex. 1008, 019. NetRanger
`
`uses “centralized monitoring and management of remote dynamic packet
`
`filtering devices that plug into TCP/IP networks.” Id. The NetRanger
`
`System includes the “NSX,” which is the “sensing and management
`
`component.” Id. at 020–021. The NSX, in turn, communicates with one or
`
`more “Director,” which provides monitoring and analysis. Id.
`
`a. Printed Publication
`
`Intellectual Ventures argues that Petitioner has not made a sufficient
`
`threshold showing that NetRanger was available on the putative publication
`
`date. Prelim. Resp. 57–58. Intellectual Ventures cites Synopsys, Inc. v.
`
`Mentor Graphics Corp., for the proposition that absent evidence of
`
`publication or public accessibility of a reference, a petitioner for inter partes
`
`review, with respect to grounds based on that reference, should be denied.
`
`Id. (citing IPR2012-00042, slip op. at 35–36 (PTAB Feb. 22, 2013), Paper
`
`16). Indeed, the determination of whether a given reference qualifies as a
`
`prior art “printed publication” involves a case-by-case inquiry into the facts
`
`and circumstances surrounding the reference’s disclosure to members of the
`
`public. In re Klopfenstein, 380 F.3d 1345, 1350 (Fed. Cir. 2004).
`
`Unlike the reference at issue in Synopsys, which was a company’s
`
`product brochure that lacked any date on its face, NetRanger includes a
`
`copyright date printed on its face. Ex. 1008. In fact, the disclosed copyright
`
`date of 1997 is several years before the priority date of the ’084 patent—
`
`March 26, 2002. Intellectual Ventures has not pointed to any other
`
`13
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`indication, in NetRanger itself, that it is anything other than what it appears
`
`to be—a User’s Guide that was published and accessible to users of the
`
`corresponding product on or around the disclosed 1997 copyright date. Id.
`
`On this record, we are persuaded that Petitioner has made a threshold
`
`showing that NetRanger is a “printed publication” under 35 U.S.C. § 102(a).
`
`As a consequence, for purposes of this Decision, NetRanger is available as
`
`prior art for Petitioner to demonstrate a reasonable likelihood that the
`
`challenged claims are unpatentable.
`
`b. Claims 1–7, 9, and 12–17
`
`IBM challenges claims 1–7, 9, and 12–17 as anticipated by
`
`NetRanger. Pet. 42–56. Intellectual Ventures disputes NetRanger’s
`
`anticipation of the claimed invention. Prelim. Resp. 45–54. We agree with
`
`Intellectual Ventures that NetRanger does not disclose the determining
`
`limitation—“determining which of the plurality of devices are anticipated to
`
`be affected by the anomaly by using pattern correlations across the plurality
`
`of hosts, servers, and computer sites.” See id. at 47–50.
`
`IBM points to NetRanger’s disclosure that “[n]umerous computers are
`
`vulnerable to an attack where if you send an ICMP packet with an extremely
`
`large data size it will crash the machine . . . NetRanger blocks and alarms
`
`this traffic.” Pet. 43, 46–47 (quoting Ex. 1008, 164); Ex. 1001 ¶¶ 225–30.
`
`This language discloses detecting an anomaly and pre-emptively blocking
`
`that traffic. IBM, however, does not explain how this language discloses
`
`determining which device has been affected by, or is anticipated to be
`
`affected by, such an attack.
`
`IBM points to testimony of Dr. Bellovin stating that a skilled artisan
`
`would have understood NetRanger to teach the determining limitation
`
`14
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`because “there would be no need for NetRanger to generate reports of
`
`network vulnerabilities or to block the network traffic” unless the Director
`
`was identifying devices anticipated to be affected by the anomaly. Ex. 1001
`
`¶ 229. This testimony does not support either an explicit or inherent
`
`disclosure of this limitation by NetRanger, as required for anticipation.
`
`Moreover, the statement is conclusory and not persuasive. We agree with
`
`Intellectual Ventures that preemptively blocking all traffic may be a
`
`reasonable practice in some situations, and network vulnerability reports
`
`may not require detecting the anomaly before identifying the vulnerable
`
`devices. See Prelim. Resp. 50.
`
`We have reviewed the rest of the portions of NetRanger relied upon
`
`by IBM (Pet. 46–47), and we are not persuaded that any of them disclose the
`
`determining limitation. We are, therefore, not persuaded that IBM has
`
`established that there is a reasonable likelihood that claims 1–7, 9, and 12–
`
`17 are unpatentable as anticipated by NetRanger.
`
`5. Obviousness over NetRanger and Snapp
`
`IBM challenges claims 8 and 18 as obvious over the combination of
`
`NetRanger and Snapp. Pet. 56–57. IBM admits that NetRanger does not
`
`provide an express description of the claim limitation “wherein the data
`
`collection and processing center adjusts anomaly detection sensitivity and
`
`alarm thresholds based on the detected anomaly” and relies on Snapp for
`
`disclosure of this limitation. Id. at 56.
`
`IBM continues to rely solely on NetRanger for teaching the
`
`determining limitation. Id. This asserted ground, therefore, suffers from the
`
`same deficiency as discussed above with respect to anticipation by
`
`NetRanger. Moreover, IBM does not point to any evidence that a person of
`
`15
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`ordinary skill in the art would have found the determining limitation obvious
`
`over the combined disclosures of NetRanger and Snapp. See Pet. 56–57; Ex.
`
`1001 ¶¶ 270–277. We are, therefore, not persuaded that IBM has
`
`established that there is a reasonable likelihood that claims 8 and 18 are
`
`unpatentable as obvious over NetRanger combined with Snapp.
`
`CONCLUSION
`
`For the foregoing reasons, we determine that Petitioner has not shown
`
`a reasonable likelihood that it would prevail in demonstrating that any of the
`
`challenged claims of the ’084 patent are unpatentable on at least one
`
`challenged ground. The Board has not made a final determination on the
`
`patentability of any challenged claim.
`
`ORDER
`
`ORDERED that an inter partes review of U.S. Patent No. 6,715,084
`
`B2 is not instituted based on this Petition.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`16
`
`
`
`IPR2014-00681
`Patent 6,715,084 B2
`
`
`
`PETITIONER:
`
`Kenneth Adamo
`kenneth.adamo@kirkland.com
`
`Eugene Goryunov
`eugene.goryunov@kirkland.com
`
`PATENT OWNER:
`
`Jonathan Strang
`jstrang-PTAB@skgf.com
`
`Lori Gordon
`lgordon-PTAB@skgf.com
`
`
`
`17
`
`
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
