`Tel: 571-272-7822
`
`Paper 11
`Entered: October 30, 2014
`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`INTERNATIONAL BUSINESS MACHINES CORPORATION,
`Petitioner,
`
`v.
`
`INTELLECTUAL VENTURES II LLC,
`Patent Owner.
`
`Case IPR2014-00682
`Patent 6,715,084 B2
`
`
`
`
`
`
`
`
`
`
`
`Before KRISTEN L. DROESCH, JENNIFER S. BISK, and
`JUSTIN BUSCH, Administrative Patent Judges.
`
`BISK, Administrative Patent Judge.
`
`DECISION
`Institution of Inter Partes Review
`37 C.F.R. § 42.108
`
`
`
`INTRODUCTION
`
`A. Background
`
`International Business Machines Corporation (“IBM” or “Petitioner”)
`
`filed a Corrected Petition (Paper 4, “Pet.”) requesting an inter partes review
`
`of claims 19, 20, and 22–33 (the “challenged claims”) of U.S. Patent No.
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`6,715,084 B2 (Ex. 1004, “the ’084 patent”). 35 U.S.C. § 311. Intellectual
`
`Ventures II LLC (“Intellectual Ventures” or “Patent Owner”) filed a
`
`Preliminary Response. Paper 10 (“Prelim. Resp.”).
`
`We have authority to determine whether to institute an inter partes
`
`review. 35 U.S.C. § 314(b); 37 C.F.R. § 42.4(a). The standard for
`
`instituting an inter partes review is set forth in 35 U.S.C. § 314(a), which
`
`provides that an inter partes review may not be instituted “unless the
`
`Director determines . . . there is a reasonable likelihood that the petitioner
`
`would prevail with respect to at least 1 of the claims challenged in the
`
`petition.”
`
`After considering the Petition and Preliminary Response, we
`
`determine that IBM has established a reasonable likelihood of prevailing on
`
`claims 26, 28, and 30–33 challenged in the Petition, but not claims 19, 20,
`
`22–25, 27, and 29. Accordingly, we institute an inter partes review of
`
`claims 26, 28, and 30–33.
`
`B. Related Matters
`
`At the time of filing the Petition in this proceeding, IBM filed another
`
`petition for inter partes review in IPR2014-00681 challenging claims 1–9
`
`and 12–18 of the ’084 patent. Subsequent to IBM’s filings, another
`
`petitioner also filed two petitions challenging claims of the ’084 patent in
`
`IPR2014-00793 and IPR2014-00801.
`
`IBM indicates that the ’084 patent is the subject of concurrent
`
`proceedings in various district courts, none of which name IBM as a
`
`defendant. See Pet. 2–3; Paper 9 (Petitioner’s Amended Mandatory
`
`Notices).
`
`2
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`C. The ’084 Patent
`
`The ’084 patent relates to network-based intrusion detection systems.
`
`Ex. 1004, 1:7–10. Intrusion detection systems are used to determine that a
`
`breach of computer security—access to computer resources by an
`
`unauthorized outsider—has occurred, is underway, or is beginning. Id. at
`
`3:38–49. Conventional intrusion detection products and services are based
`
`on specialized equipment located on a customer’s premises and are directed
`
`to the analysis of a single customer’s data. Id. at 4:51–67. These systems
`
`may produce false alarms and are often unable to detect the earliest stages of
`
`network attacks. Id. In contrast, the broad-scope intrusion detection system
`
`of the ’084 patent analyzes the traffic coming into multiple hosts or other
`
`customers’ computers or sites, providing additional data for analysis, and
`
`consequently, the ability to recognize intrusions that would otherwise be
`
`difficult or impossible to diagnose. Id. at 5:44–56.
`
`As described, one embodiment of the broad-scope intrusion detection
`
`system monitors the communications on a network, or on a particular
`
`segment of the network, by a data collection and processing center coupled
`
`to the network. Ex. 1004, 7:18–24; 7:31–35. Because the data collection
`
`and processing center gathers information from multiple network devices,
`
`including potentially multiple customers, it has access to a broader scope of
`
`network activity. Id. at 8:13–21. This additional data allows for the
`
`recognition of additional patterns of suspicious activity beyond those
`
`detectable with conventional systems. Id. at 8:21–22.
`
`To detect intrusions, the ’084 patent describes one technique of
`
`collecting suspicious network traffic events, forwarding those events to a
`
`central database and analysis engine, and then using pattern correlations to
`
`3
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`determine suspected intrusion-oriented activity. Ex. 1004, 8:23–31. Upon
`
`detection of suspected malicious activity, adjustments to devices such as
`
`firewalls can be made to focus sensitivity on attacks from suspected sources
`
`or against suspected targets. Id. at 8:31–35; 10:49–67. In addition, if any
`
`intrusions or attempted intrusions have been detected, alerts can be sent both
`
`to the system to which the suspicious communication was directed and also
`
`to systems that have not yet received the communication. Id. at 11:53–12:4.
`
`D. Illustrative Claims
`
`Of the challenged claims in the ’084 patent, claims 19 and 26 are
`
`independent. Claims 19 and 26 are illustrative and recite:
`
`19. An intrusion detection and alerting system for a computer
`network comprising:
`
`a plurality of devices coupled to the computer network, each
`device adapted to at least one of: (1) sense data and provide the
`data to a data collection and processing center, and (2) be
`adjustable; and
`
`the data collection and processing center comprising a computer
`with a firewall coupled to the computer network, the data
`collection and processing center monitoring data communicated
`to at least a portion of the plurality of devices coupled to the
`network, detecting an anomaly in the network using network-
`based intrusion detection techniques comprising analyzing data
`entering into a plurality of hosts, servers, and computer sites in
`the networked computer system, determining which of the
`devices are anticipated to be affected by the anomaly by using
`pattern correlations across the plurality of hosts, servers, and
`computer sites, and altering the devices.
`
`26. A data collection and processing center comprising a computer
`with a firewall coupled to a computer network, the data collection
`and processing center monitoring data communicated to the
`network, and detecting an anomaly in the network using network-
`based intrusion detection techniques comprising analyzing data
`
`4
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`entering into a plurality of hosts, servers, and computer sites in the
`networked computer system.
`
`E. The Evidence of Record
`
`IBM relies upon the following prior art references as its basis for
`
`challenging claims 19, 20, and 22–33 of the ’084 patent.1
`
`Reference Patents/Printed Publications
`Porras
`Phillip A. Porras & Alfonso
`Valdes, Live Traffic Analysis of
`TCP/IP Gateways, Proceedings
`of the 1998 ISOC Symposium on
`Network and Distributed Sys.
`Security 1–13, (Dec. 12, 1997)
`U.S. Patent No. 7,237,264 B1
`Graham
`NetRanger NetRangerTM User’s Guide
`Version 1.3.1, WheelGroup Corp.
`001–327, (1997)
`Steven R. Snapp et al., A System
`for Distributed Intrusion
`Detection, IEEE 170–176, (1991)
`Cheswick William R. Cheswick & Steven
`M. Bellovin, Firewalls and
`Internet Security 001–005, (1st
`ed. 1994)
`
`Snapp
`
`Exhibit
`Ex. 1005 (“Porras”)
`
`Ex. 1006 (“Graham”)
`Ex. 1007 (“NetRanger”)
`
`Ex. 1009 (“Snapp”)
`
`Ex. 1008 (“Cheswick”)
`
`F. The Asserted Grounds of Unpatentability
`
`IBM contends that the challenged claims are unpatentable under
`
`35 U.S.C. §§ 102 and/or 103 based on the following grounds (Pet. 4–5):
`
`Statutory Ground
`§ 103
`§ 102(e)
`§ 103
`§ 102(b)
`§ 103
`
`Basis
`Porras and Cheswick
`Graham
`Graham and Snapp
`NetRanger
`NetRanger and Snapp
`
`Challenged Claims
`19, 20, 22–33
`19, 20, 22–24, 26–32
`25, 33
`19, 20, 22–24, 26–32
`25, 33
`
`
`1 IBM also proffers the Declaration of Dr. Steven M. Bellovin. Ex. 1001.
`
`5
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`A. Claim Construction
`
`ANALYSIS
`
`In an inter partes review, claim terms are given their broadest
`
`reasonable interpretation in light of the specification in which they appear
`
`and the understanding of others skilled in the relevant art. See 37 C.F.R.
`
`§ 42.100(b). Applying that standard, we interpret the claim terms of the
`
`’084 patent according to their ordinary and customary meaning in the
`
`context of the patent’s written description. See In re Translogic Tech., Inc.,
`
`504 F.3d 1249, 1257 (Fed. Cir. 2007).
`
`IBM proposes interpretations for “an anomaly in the network,”
`
`“network-based intrusion detection techniques,” and “alerting the device /
`
`alerts the device.” Pet. 5–8. Intellectual Ventures disputes IBM’s analysis
`
`and provides its own interpretations for “anomaly,” “network based
`
`intrusion detection techniques,” “determining which of the plurality of
`
`devices are anticipated to be affected by the anomaly,” “alert[-ing/-s] the
`
`device,” and “adjustable.” Prelim. Resp. 4–16. Of these terms, we consider
`
`it necessary, for purposes of this Decision, to expressly construe the terms
`
`“anomaly,” and “determining which . . . are anticipated to be affected by the
`
`anomaly.” We determine that none of the remaining terms requires an
`
`express construction at this time.
`
`1. “anomaly”
`
`IBM proposes that “an anomaly in the network” be construed as “a
`
`predetermined pattern of data in the network.” Pet. 5–6. Intellectual
`
`Ventures disagrees, arguing that an anomaly is “a departure from the usual
`
`or expected; an abnormality or irregularity.” Prelim. Resp. 7–8 (citing Exs.
`
`2002; 2003 (reciting dictionary definitions of “anomaly”)).
`
`6
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`We agree that Intellectual Ventures’s proposed construction is the
`
`plain meaning of the term and is consistent with the specification of the ’084
`
`patent. For example, the ’084 patent states that “[a]nomaly detection
`
`systems look for statistically anomalous behavior . . . [s]tatistical scenarios
`
`can be implemented for user, dataset, and program usage to detect
`
`‘exceptional’ use of the system.” Ex. 1004, 3:54–57.
`
`2. “determining which of the plurality of devices are anticipated
`to be affected by the anomaly”
`
`IBM does not propose explicitly a construction for “determining
`
`which of the plurality of devices are anticipated to be affected by the
`
`anomaly” (“the determining limitation”). Intellectual Ventures proposes that
`
`the broadest reasonable construction is “deciding or ascertaining which
`
`devices are expected or foreseen to be affected by the detected anomaly.”
`
`Prelim. Resp. 12–14. Intellectual Ventures bases this construction on
`
`dictionary definitions of “determine” and “anticipate.” Id. at 12–13 (citing
`
`Exs. 2008, 2009 (defining determine as “to set limits to; bound; define . . . to
`
`reach a decision about after thought and investigation; decide upon”); Exs.
`
`2010, 2011 (defining anticipate as “to . . . expect . . . to foresee (a command,
`
`wish etc.) and perform in advance”))).
`
`Intellectual Ventures’s proposed construction is consistent with the
`
`specification. For example, the specification states that “[a]n anomaly is
`
`detected in the computer system, and then it is determined which device[] or
`
`devices are anticipated to be affected by the anomaly in the future. These
`
`anticipated devices are then alerted to the potential for the future anomaly.”
`
`Ex. 1004, 5:57–64. Although the specification also states that “the devices
`
`are polled in a predetermined sequential order, and a device anticipated to be
`
`7
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`affected by the anomaly is a device that has not been polled,” the ’084 patent
`
`does not limit anticipated devices solely to devices that have not been polled.
`
`Id. at 5:66–6:2.
`
`In keeping with the broadest reasonable interpretation that is
`
`consistent with the specification, we construe the determining limitation to
`
`mean deciding or ascertaining which devices are expected or foreseen to be
`
`affected by the anomaly.
`
`B. The Asserted Grounds
`
`1. Obviousness over Porras (Ex. 1005) and Cheswick (Ex. 1008)
`
`Porras is an article describing “Live Traffic Analysis of TCP/IP
`
`Gateways.” Ex. 1005. The article discloses “a variety of ways to extend
`
`both statistical and signature-based intrusion-detection analysis techniques to
`
`monitor network traffic.” Id. at Abstract.
`
`Cheswick is an excerpt of a book titled “Firewalls and Internet
`
`Security.” Ex. 1008. The excerpt includes several pages from a chapter
`
`called “Firewalls,” which defines the term firewall and describes how and
`
`why they are used. Id. at 003–005. IBM relies on Cheswick only for the
`
`firewall element of the challenged claims. Pet. 14.
`
`a. Claims 19, 20, 22–25, 27, and 29
`
`IBM challenges claims 19, 20, 22–25, 27, and 29 as obvious over the
`
`combination of Porras and Cheswick. Pet. 13–29. IBM relies solely on
`
`Porras for teaching the determining limitation, required by each of these
`
`claims.2 Id. at 20–21. Specifically, IBM points to Porras’s disclosure that
`
`
`2 Claim 29 recites “wherein the data collection and processing center further
`adjusts a firewall of each of a plurality of devices that is connected to the
`
`8
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`“malicious activity, nonmalicious failures, and other exceptional events” are
`
`detected and “warnings [are sent] to other domains that have not yet
`
`experienced or reported the session anomalies.” Id. Although IBM
`
`contends that a skilled artisan would have understood Porras to teach the
`
`determining limitation, IBM’s only evidence of such an understanding is the
`
`conclusory statement by its declarant that “there would be no need for Porras
`
`to send warnings to domains that have not yet experienced the anomaly”
`
`unless Porras was identifying devices anticipated to be affected by the
`
`anomaly. Ex. 1001 ¶ 104; Pet. 21–22.
`
`Intellectual Ventures asserts that the declarant’s statement is not only
`
`conclusory, but also incorrect because “sending warnings to domains
`
`without identifying which devices are anticipated to be affected, for
`
`example, sounding a general alarm, is a reasonable practice in some
`
`situations.” Prelim. Resp. 25 (citing Ex. 1007, 164). We agree with
`
`Intellectual Ventures that the cited portion of Porras expressly states that
`
`warnings are sent to domains that have not yet experienced the anomaly.
`
`This disclosure indicates that Porras must determine which devices have
`
`been affected by the attack3 to differentiate the domains that have not been
`
`affected from those that have. We are not persuaded, however, that Porras
`
`discloses determining which of the devices are expected to be affected by the
`
`attack.
`
`We have reviewed the rest of the portions of Porras relied upon by
`
`IBM (Pet. 20–21), and we are not persuaded that any of them disclose the
`
`
`network that is anticipated to be affected by the anomaly responsive to the
`detection of the anomaly.”
`3 This determination is required, for example, by claim 28.
`
`9
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`determining limitation. Nor does IBM point to persuasive evidence that one
`
`of ordinary skill in the art would have found the determining limitation
`
`obvious based on the disclosures of Porras and Cheswick. We are, therefore,
`
`not persuaded that IBM has established that there is a reasonable likelihood
`
`that claims 19, 20, 22–25, 27, and 29 are unpatentable as obvious over
`
`Porras combined with Cheswick.
`
`b. Claim 26
`
`Claim 26 does not recite the determining limitation. IBM admits that
`
`Porras does not provide an express description of the “data collection and
`
`processing center comprising a computer with a firewall,” and relies on
`
`Cheswick for disclosure of this limitation. Pet. 14; see id. at 18–19, 27–28.
`
`IBM asserts that one of ordinary skill in the art would have recognized the
`
`enterprise-layer monitor of Porras as part of a security domain and “[i]t was
`
`conventional in the art to include firewalls on internal domains within a
`
`secured network to protect security.” Id. at 15 (citing Ex. 1001 ¶¶ 91–92);
`
`see Ex. 1008, 004. IBM further asserts that a person of ordinary skill
`
`“would have been motivated to add internal firewalls to the Porras” intrusion
`
`detection system because of the known value of protecting internal security
`
`domains. Pet. at 15 (citing Ex. 1001 ¶ 93). On the record before us, we are
`
`persuaded that IBM has provided sufficient articulated reasoning with some
`
`rational underpinning to support its legal conclusion of obviousness. See
`
`KSR Int’l v. Teleflex Inc., 550 U.S. 398, 418 (2007) (citing In re Kahn, 441
`
`F.3d 977, 988 (Fed. Cir. 2006)).
`
`Intellectual Ventures argues that IBM has not shown that Porras
`
`discloses “detecting an anomaly in the network using network-based
`
`intrusion detection techniques comprising analyzing data entering into a
`
`10
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`plurality of hosts, servers, and computer sites in the networked computer
`
`system” (“the detecting limitation”). Prelim. Resp. 18–21. First, Intellectual
`
`Ventures argues that IBM gives an erroneous claim construction for the term
`
`anomaly and does not provide a sufficient explanation of where this term is
`
`shown in Porras. Id. Second, Intellectual Ventures argues that IBM has not
`
`shown that Porras discloses the detecting limitation or “the data collection
`
`and processing center monitoring data communicated to the network” (“the
`
`monitoring limitation”) even using the proper construction of anomaly. Id.
`
`at 21. Specifically, Intellectual Ventures asserts that IBM equates the data
`
`and processing center to Porras’s enterprise-layer monitor, but that IBM
`
`does not show that the enterprise-layer monitor actually monitors or
`
`analyzes data as required. Id. According to Intellectual Ventures, the
`
`language relied upon by IBM shows that the enterprise-layer monitor
`
`analyzes results sent to it by Porras’s surveillance modules, not data, and
`
`does no monitoring. Id.
`
`Although, as described above, we do not agree with IBM’s
`
`construction of anomaly, we are persuaded that IBM has made a sufficient
`
`threshold showing that Porras discloses the detecting limitation when using
`
`the proper construction of anomaly—a departure from the usual or expected;
`
`an abnormality or irregularity. See, e.g., Pet. 20 (quoting Ex. 1005, 1
`
`(“Specifically, we present techniques to analyze TCP/IP packet streams that
`
`flow through network gateways for signs of malicious activity, nonmalicious
`
`failures, and other exceptional events.”)).
`
` We are also persuaded that IBM has made a sufficient threshold
`
`showing that Porras discloses the monitoring limitation. We agree that IBM
`
`equates Porras’s enterprise-layer monitor to the claimed data collection and
`
`11
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`processing center. Pet. 20. We also agree that the language in Porras relied
`
`upon by IBM discloses that the enterprise-layer monitor analyzes results
`
`produced by “the distributed gateway surveillance modules.” Id. (quoting
`
`Ex. 1005, 8–9). However, the quoted language also discloses that the
`
`surveillance modules “report . . . suspicious activity observed,” and thus,
`
`discloses a type of monitoring of, in addition to analyzing, data
`
`communicated to the network. Id. (quoting Ex. 1005, 10). Further, Figure 1
`
`of Porras shows that the surveillance modules are part of the enterprise-layer
`
`monitor. Id. at 14 (reproducing Ex. 1005, Fig. 1). Thus, we are persuaded
`
`that IBM has established sufficiently that Porras’s enterprise-layer monitor
`
`monitors data communicated to the network.
`
`We are, therefore, persuaded that IBM has established that there is a
`
`reasonable likelihood that claim 26 is unpatentable as obvious over Porras
`
`combined with Cheswick.
`
`c. Claims 28 and 30–33
`
`Intellectual Ventures argues that IBM has not made a sufficient
`
`showing that the limitations added by dependent claims 28–33 (all
`
`dependent from claim 26) are disclosed by Porras. Prelim. Resp. 28–31. On
`
`this record, we are not persuaded by Intellectual Venture’s arguments. See
`
`id. We are persuaded that IBM has established that there is a reasonable
`
`likelihood that claims 28 and 30–33 are unpatentable as obvious over Porras
`
`combined with Cheswick.
`
`2. Anticipation by Graham (Ex. 1006)
`
`Graham describes a “system and method for preventing network
`
`misuse.” Ex. 1006. One of Graham’s embodiments evaluates “whether a
`
`firewall is configured to block certain suspicious data signatures before
`
`12
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`raising an alert and/or taking action in response to those signatures.” Id. at
`
`12:15–18.
`
`Figure 1 of Graham is reproduced below.
`
`
`
`Figure 1 illustrates an exemplary network architecture on which various
`
`features described by Graham are implemented. Ex. 1006, 2:65–67. The
`
`architecture generally depicts a local area network 140 over which a
`
`plurality of nodes 130–134 communicate. Id. at 3:47–51. Each of nodes
`
`130–134 may be a computer or any device that includes a processor and a
`
`network interface. Id. at 3:51–55. Although Figure 1 shows node 130 and
`
`firewall 152 as separate devices, they may be implemented on a single
`
`computer which performs the functions of both elements. Id. at 12:33–38.
`
`a. Claims 19, 20, 22–24, and 26–32
`
`IBM challenges claims 19, 20, 22–24, and 26–32 as anticipated by
`
`Graham. Pet. 29–40. Intellectual Ventures disputes Graham’s anticipation
`
`of the claimed invention. Prelim. Resp. 31–41. We agree with Intellectual
`
`13
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`Ventures that IBM has not shown that Graham discloses the detecting
`
`limitation—“detecting an anomaly in the network using network-based
`
`intrusion detection techniques comprising analyzing data entering into a
`
`plurality of hosts, servers, and computer sites in the networked computer
`
`system”—as required by the challenged claims. See id. at 34–36.
`
`IBM equates node 130 to the claimed “data collection and processing
`
`center comprising a computer with a firewall coupled to the computer
`
`network.” Pet. 33. Because “node 130 may be configured to scan for
`
`suspicious network traffic . . . and may work with the firewall 152 to filter
`
`out suspicious data,” (Ex. 1006, 12:19–21), IBM asserts that node 130 also
`
`fulfills the claim requirement that “the data collection and processing center
`
`monitor[s] data communicated to the network.” Pet. 33–34. Finally, IBM
`
`asserts that Graham discloses the detecting limitation because it “analyze[s]
`
`data across LAN 140.” Id. at 34.
`
`The only language in Graham that IBM points to as supporting
`
`“analyzing data entering into a plurality of hosts,” however, is a statement
`
`that the nodes include a processor for processing data, and that when “node
`
`132 identifies an incident,” it may take precautionary measures. Id. (quoting
`
`Ex. 1006, 3:51–55, 4:45–50). Nothing in this language explicitly describes
`
`any of the nodes analyzing data. Nor does IBM assert that this analysis is
`
`inherently disclosed by Graham. See id. Moreover, IBM provides no
`
`evidence to support a finding of inherency. For example, IBM’s declarant,
`
`Dr. Bellovin, concludes that “Graham teaches node 130 . . . analyzing data
`
`entering into multiple nodes” based on language in Graham that node 130
`
`monitors traffic for an incident. Ex. 1001 ¶ 166. Dr. Bellovin, however,
`
`14
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`does not discuss how Graham teaches this limitation or whether such
`
`analysis necessarily flows from the disclosure of Graham. Id.
`
`We are, therefore, not persuaded that IBM has established that there is
`
`a reasonable likelihood that claims 19, 20, 22–24, and 26–32 are
`
`unpatentable as anticipated by Graham.
`
`3. Obviousness over Graham and Snapp (Ex. 1009)
`
`Snapp is an article titled “A System for Distributed Intrusion
`
`Detection.” Ex. 1009. Snapp describes one approach to solving the problem
`
`of attacks or intrusions on computer systems called the intrusion-detection
`
`concept. Id. at Abstract. The focus of the article is to extend the concept
`
`from the local area network environment to arbitrarily wider areas using
`
`components including a host manager, a local access network manager, and
`
`a central manager, which receives, processes, and correlates reports from the
`
`other managers in order to detect intrusions. Id.
`
`a. Claims 25 and 33
`
`IBM challenges claims 25 and 33 as obvious over the combination of
`
`Graham and Snapp. Pet. 41–43. IBM relies on Snapp for disclosure of the
`
`limitation “wherein the data collection and processing center adjusts
`
`anomaly detection sensitivity and alarm thresholds based on the detected
`
`anomaly,” recited by both claims 25 and 33. Id. at 43.
`
`IBM, however, continues to rely solely on Graham for teaching the
`
`detecting limitation. Pet. 20–21, 41–43. This asserted ground, therefore,
`
`suffers from the same deficiency as discussed above with respect to
`
`anticipation by Graham. Moreover, IBM does not point to any evidence that
`
`a person of ordinary skill in the art would have found the detecting limitation
`
`15
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`obvious over the combined disclosures of Graham and Snapp. See Pet. 41–
`
`43; Ex. 1001 ¶¶ 206–210.
`
`We are, therefore, not persuaded that IBM has established that there is
`
`a reasonable likelihood that claims 25 and 33 are unpatentable as obvious
`
`over Graham combined with Snapp.
`
`4. Anticipation by NetRanger (Ex. 1007)
`
`NetRanger is a user guide for a product of the same name—“a real-
`
`time network security management system that detects, analyzes, responds
`
`to, and deters unauthorized network activity.” Ex. 1007, 019. NetRanger
`
`uses “centralized monitoring and management of remote dynamic packet
`
`filtering devices that plug into TCP/IP networks.” Id. The NetRanger
`
`System includes the “NSX,” which is the “sensing and management
`
`component.” Id. at 020–021. The NSX, in turn, communicates with one or
`
`more “Director,” which provides monitoring and analysis. Id.
`
`a. Printed Publication
`
`Intellectual Ventures argues that Petitioner has not made a sufficient
`
`threshold showing that NetRanger was available on the putative publication
`
`date. Prelim. Resp. 57–58. Intellectual Ventures cites Synopsys, Inc. v.
`
`Mentor Graphics Corp., for the proposition that absent evidence of
`
`publication or public accessibility of a reference, a petition for inter partes
`
`review, with respect to grounds based on that reference, should be denied.
`
`Id. (citing IPR2012-00042, slip op. at 35–36 (PTAB Feb. 22, 2013), Paper
`
`16). Indeed, the determination of whether a given reference qualifies as a
`
`prior art “printed publication” involves a case-by-case inquiry into the facts
`
`and circumstances surrounding the reference’s disclosure to members of the
`
`public. In re Klopfenstein, 380 F.3d 1345, 1350 (Fed. Cir. 2004).
`
`16
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`Unlike the reference at issue in Synopsys, which was a company’s
`
`product brochure that lacked any date on its face, NetRanger includes a
`
`copyright date printed on its face. Ex. 1007. In fact, the disclosed copyright
`
`date of 1997 is several years before the priority date of the ’084 patent—
`
`March 26, 2002. Intellectual Ventures has not pointed to any other
`
`indication, in NetRanger itself, that it is anything other than what it appears
`
`to be—a User’s Guide that was published and accessible to users of the
`
`corresponding product on or around the disclosed 1997 copyright date. Id.
`
`On this record, we are persuaded that Petitioner has made a threshold
`
`showing that NetRanger is a “printed publication” under 35 U.S.C. § 102(a).
`
`As a consequence, for purposes of this Decision, NetRanger is available as
`
`prior art for Petitioner to demonstrate a reasonable likelihood that the
`
`challenged claims are unpatentable.
`
`b. Claims 19, 20, 22–24, and 27–29
`
`IBM challenges claims 19, 20, 22–24, and 27–29 as anticipated by
`
`NetRanger. Pet. 44–56. Intellectual Ventures disputes NetRanger’s
`
`anticipation of the claimed invention. Prelim. Resp. 45–54. We agree with
`
`Intellectual Ventures that NetRanger does not disclose the determining
`
`limitation—“determining which of the devices are anticipated to be affected
`
`by the anomaly by using pattern correlations across the plurality of hosts,
`
`servers, and computer sites.”4 See id. at 47–51.
`
`IBM points to NetRanger’s disclosure that “[n]umerous computers are
`
`vulnerable to an attack where if you send an ICMP packet with an extremely
`
`
`4 Although claim 28 does not include determining which of the devices are
`anticipated to be affected by an anomaly, claim 28 requires a determination
`of which device has been affected by an anomaly.
`
`17
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`large data size it will crash the machine . . . NetRanger blocks and alarms
`
`this traffic.” Pet. 45–46, 50–51 (quoting Ex. 1007, 164); Ex. 1001 ¶¶ 240–
`
`45. This language discloses detecting an anomaly and pre-emptively
`
`blocking that traffic. IBM, however, does not explain how this language
`
`discloses determining which device has been affected by, or is anticipated to
`
`be affected by, such an attack.
`
`IBM points to testimony of Dr. Bellovin stating that a skilled artisan
`
`would have understood NetRanger to teach the determining limitation
`
`because “there would be no need for the Director to generate reports of
`
`network vulnerabilities or to block the network traffic” unless the Director
`
`was identifying devices anticipated to be affected by the anomaly. Ex. 1001
`
`¶ 244. This testimony does not support either an explicit or inherent
`
`disclosure of this limitation by NetRanger, as required for anticipation.
`
`Moreover, the statement is conclusory and not persuasive. We agree with
`
`Intellectual Ventures that preemptively blocking all traffic may be a
`
`reasonable practice in some situations, and network vulnerability reports
`
`may not require detecting the anomaly before identifying the vulnerable
`
`devices. See Prelim. Resp. 50.
`
`We have reviewed the remaining portions of NetRanger relied upon
`
`by IBM (Pet. 50–51), and we are not persuaded that any of them disclose the
`
`determining limitation. We are, therefore, not persuaded that IBM has
`
`established that there is a reasonable likelihood that claims 19, 20, 22–24,
`
`and 27–29 are unpatentable as anticipated by NetRanger.
`
`c. Claim 26
`
`Claim 26 does not recite the determining limitation. Intellectual
`
`Ventures argues that IBM has not shown that NetRanger discloses the
`
`18
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`detecting limitation—“detecting an anomaly in the network using network-
`
`based intrusion detection techniques comprising analyzing data entering into
`
`a plurality of hosts, servers, and computer sites in the networked computer
`
`system.” Prelim. Resp. 45–47.
`
`Intellectual Ventures argues that IBM gives an erroneous claim
`
`construction for the term anomaly and does not provide a sufficient
`
`explanation of where this limitation is shown in NetRanger. Id. at 45–46.
`
`Although, as described above, we do not agree with IBM’s construction of
`
`anomaly, we are persuaded that IBM has made a sufficient threshold
`
`showing that NetRanger discloses the detecting limitation when using the
`
`proper construction of anomaly—a departure from the usual or expected; an
`
`abnormality or irregularity. See, e.g., Pet. 49 (quoting Ex. 1007, 019
`
`(“NetRanger . . . detects, analyzes, responds to, and deters unauthorized
`
`network activity.”)), 50 (quoting Ex. 1007, 023 (“NetRanger . . . also looks
`
`for network patterns of misuse based on a variety of different attack
`
`signatures.”)).
`
`We are, therefore, persuaded that IBM has established that there is a
`
`reasonable likelihood that claim 26 is unpatentable as anticipated by
`
`NetRanger.
`
`d. Claims 30–32
`
`Intellectual Ventures argues that IBM has not shown that claims 30–
`
`32 (dependent from claim 26) are unpatentable because it has not made a
`
`sufficient threshold showing that the limitations added by these dependent
`
`claims are disclosed by NetRanger. Prelim. Resp. 56–58. On this record,
`
`we are not persuaded by Intellectual Ventures’s arguments. See