Trials@uspto.gov
`Tel: 571-272-7822
`
`Paper 11
`Entered: October 30, 2014
`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`INTERNATIONAL BUSINESS MACHINES CORPORATION,
`Petitioner,
`
`v.
`
`INTELLECTUAL VENTURES II LLC,
`Patent Owner.
`
`Case IPR2014-00682
`Patent 6,715,084 B2
`
`
`
`
`
`
`
`
`
`
`
`Before KRISTEN L. DROESCH, JENNIFER S. BISK, and
`JUSTIN BUSCH, Administrative Patent Judges.
`
`BISK, Administrative Patent Judge.
`
`DECISION
`Institution of Inter Partes Review
`37 C.F.R. § 42.108
`
`
`
`INTRODUCTION
`
`A. Background
`
`International Business Machines Corporation (“IBM” or “Petitioner”)
`
`filed a Corrected Petition (Paper 4, “Pet.”) requesting an inter partes review
`
`of claims 19, 20, and 22–33 (the “challenged claims”) of U.S. Patent No.
`
`
`Tel: 571-272-7822
`
`Paper 11
`Entered: October 30, 2014
`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`INTERNATIONAL BUSINESS MACHINES CORPORATION,
`Petitioner,
`
`v.
`
`INTELLECTUAL VENTURES II LLC,
`Patent Owner.
`
`Case IPR2014-00682
`Patent 6,715,084 B2
`
`
`
`
`
`
`
`
`
`
`
`Before KRISTEN L. DROESCH, JENNIFER S. BISK, and
`JUSTIN BUSCH, Administrative Patent Judges.
`
`BISK, Administrative Patent Judge.
`
`DECISION
`Institution of Inter Partes Review
`37 C.F.R. § 42.108
`
`
`
`INTRODUCTION
`
`A. Background
`
`International Business Machines Corporation (“IBM” or “Petitioner”)
`
`filed a Corrected Petition (Paper 4, “Pet.”) requesting an inter partes review
`
`of claims 19, 20, and 22–33 (the “challenged claims”) of U.S. Patent No.
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`6,715,084 B2 (Ex. 1004, “the ’084 patent”). 35 U.S.C. § 311. Intellectual
`
`Ventures II LLC (“Intellectual Ventures” or “Patent Owner”) filed a
`
`Preliminary Response. Paper 10 (“Prelim. Resp.”).
`
`We have authority to determine whether to institute an inter partes
`
`review. 35 U.S.C. § 314(b); 37 C.F.R. § 42.4(a). The standard for
`
`instituting an inter partes review is set forth in 35 U.S.C. § 314(a), which
`
`provides that an inter partes review may not be instituted “unless the
`
`Director determines . . . there is a reasonable likelihood that the petitioner
`
`would prevail with respect to at least 1 of the claims challenged in the
`
`petition.”
`
`After considering the Petition and Preliminary Response, we
`
`determine that IBM has established a reasonable likelihood of prevailing on
`
`claims 26, 28, and 30–33 challenged in the Petition, but not claims 19, 20,
`
`22–25, 27, and 29. Accordingly, we institute an inter partes review of
`
`claims 26, 28, and 30–33.
`
`B. Related Matters
`
`At the time of filing the Petition in this proceeding, IBM filed another
`
`petition for inter partes review in IPR2014-00681 challenging claims 1–9
`
`and 12–18 of the ’084 patent. Subsequent to IBM’s filings, another
`
`petitioner also filed two petitions challenging claims of the ’084 patent in
`
`IPR2014-00793 and IPR2014-00801.
`
`IBM indicates that the ’084 patent is the subject of concurrent
`
`proceedings in various district courts, none of which name IBM as a
`
`defendant. See Pet. 2–3; Paper 9 (Petitioner’s Amended Mandatory
`
`Notices).
`
`2
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`C. The ’084 Patent
`
`The ’084 patent relates to network-based intrusion detection systems.
`
`Ex. 1004, 1:7–10. Intrusion detection systems are used to determine that a
`
`breach of computer security—access to computer resources by an
`
`unauthorized outsider—has occurred, is underway, or is beginning. Id. at
`
`3:38–49. Conventional intrusion detection products and services are based
`
`on specialized equipment located on a customer’s premises and are directed
`
`to the analysis of a single customer’s data. Id. at 4:51–67. These systems
`
`may produce false alarms and are often unable to detect the earliest stages of
`
`network attacks. Id. In contrast, the broad-scope intrusion detection system
`
`of the ’084 patent analyzes the traffic coming into multiple hosts or other
`
`customers’ computers or sites, providing additional data for analysis, and
`
`consequently, the ability to recognize intrusions that would otherwise be
`
`difficult or impossible to diagnose. Id. at 5:44–56.
`
`As described, one embodiment of the broad-scope intrusion detection
`
`system monitors the communications on a network, or on a particular
`
`segment of the network, by a data collection and processing center coupled
`
`to the network. Ex. 1004, 7:18–24; 7:31–35. Because the data collection
`
`and processing center gathers information from multiple network devices,
`
`including potentially multiple customers, it has access to a broader scope of
`
`network activity. Id. at 8:13–21. This additional data allows for the
`
`recognition of additional patterns of suspicious activity beyond those
`
`detectable with conventional systems. Id. at 8:21–22.
`
`To detect intrusions, the ’084 patent describes one technique of
`
`collecting suspicious network traffic events, forwarding those events to a
`
`central database and analysis engine, and then using pattern correlations to
`
`3
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`determine suspected intrusion-oriented activity. Ex. 1004, 8:23–31. Upon
`
`detection of suspected malicious activity, adjustments to devices such as
`
`firewalls can be made to focus sensitivity on attacks from suspected sources
`
`or against suspected targets. Id. at 8:31–35; 10:49–67. In addition, if any
`
`intrusions or attempted intrusions have been detected, alerts can be sent both
`
`to the system to which the suspicious communication was directed and also
`
`to systems that have not yet received the communication. Id. at 11:53–12:4.
`
`D. Illustrative Claims
`
`Of the challenged claims in the ’084 patent, claims 19 and 26 are
`
`independent. Claims 19 and 26 are illustrative and recite:
`
`19. An intrusion detection and alerting system for a computer
`network comprising:
`
`a plurality of devices coupled to the computer network, each
`device adapted to at least one of: (1) sense data and provide the
`data to a data collection and processing center, and (2) be
`adjustable; and
`
`the data collection and processing center comprising a computer
`with a firewall coupled to the computer network, the data
`collection and processing center monitoring data communicated
`to at least a portion of the plurality of devices coupled to the
`network, detecting an anomaly in the network using network-
`based intrusion detection techniques comprising analyzing data
`entering into a plurality of hosts, servers, and computer sites in
`the networked computer system, determining which of the
`devices are anticipated to be affected by the anomaly by using
`pattern correlations across the plurality of hosts, servers, and
`computer sites, and altering the devices.
`
`26. A data collection and processing center comprising a computer
`with a firewall coupled to a computer network, the data collection
`and processing center monitoring data communicated to the
`network, and detecting an anomaly in the network using network-
`based intrusion detection techniques comprising analyzing data
`
`4
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`entering into a plurality of hosts, servers, and computer sites in the
`networked computer system.
`
`E. The Evidence of Record
`
`IBM relies upon the following prior art references as its basis for
`
`challenging claims 19, 20, and 22–33 of the ’084 patent.1
`
`Reference Patents/Printed Publications
`Porras
`Phillip A. Porras & Alfonso
`Valdes, Live Traffic Analysis of
`TCP/IP Gateways, Proceedings
`of the 1998 ISOC Symposium on
`Network and Distributed Sys.
`Security 1–13, (Dec. 12, 1997)
`U.S. Patent No. 7,237,264 B1
`Graham
`NetRanger NetRangerTM User’s Guide
`Version 1.3.1, WheelGroup Corp.
`001–327, (1997)
`Steven R. Snapp et al., A System
`for Distributed Intrusion
`Detection, IEEE 170–176, (1991)
`Cheswick William R. Cheswick & Steven
`M. Bellovin, Firewalls and
`Internet Security 001–005, (1st
`ed. 1994)
`
`Snapp
`
`Exhibit
`Ex. 1005 (“Porras”)
`
`Ex. 1006 (“Graham”)
`Ex. 1007 (“NetRanger”)
`
`Ex. 1009 (“Snapp”)
`
`Ex. 1008 (“Cheswick”)
`
`F. The Asserted Grounds of Unpatentability
`
`IBM contends that the challenged claims are unpatentable under
`
`35 U.S.C. §§ 102 and/or 103 based on the following grounds (Pet. 4–5):
`
`Statutory Ground
`§ 103
`§ 102(e)
`§ 103
`§ 102(b)
`§ 103
`
`Basis
`Porras and Cheswick
`Graham
`Graham and Snapp
`NetRanger
`NetRanger and Snapp
`
`Challenged Claims
`19, 20, 22–33
`19, 20, 22–24, 26–32
`25, 33
`19, 20, 22–24, 26–32
`25, 33
`
`
`1 IBM also proffers the Declaration of Dr. Steven M. Bellovin. Ex. 1001.
`
`5
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`A. Claim Construction
`
`ANALYSIS
`
`In an inter partes review, claim terms are given their broadest
`
`reasonable interpretation in light of the specification in which they appear
`
`and the understanding of others skilled in the relevant art. See 37 C.F.R.
`
`§ 42.100(b). Applying that standard, we interpret the claim terms of the
`
`’084 patent according to their ordinary and customary meaning in the
`
`context of the patent’s written description. See In re Translogic Tech., Inc.,
`
`504 F.3d 1249, 1257 (Fed. Cir. 2007).
`
`IBM proposes interpretations for “an anomaly in the network,”
`
`“network-based intrusion detection techniques,” and “alerting the device /
`
`alerts the device.” Pet. 5–8. Intellectual Ventures disputes IBM’s analysis
`
`and provides its own interpretations for “anomaly,” “network based
`
`intrusion detection techniques,” “determining which of the plurality of
`
`devices are anticipated to be affected by the anomaly,” “alert[-ing/-s] the
`
`device,” and “adjustable.” Prelim. Resp. 4–16. Of these terms, we consider
`
`it necessary, for purposes of this Decision, to expressly construe the terms
`
`“anomaly,” and “determining which . . . are anticipated to be affected by the
`
`anomaly.” We determine that none of the remaining terms requires an
`
`express construction at this time.
`
`1. “anomaly”
`
`IBM proposes that “an anomaly in the network” be construed as “a
`
`predetermined pattern of data in the network.” Pet. 5–6. Intellectual
`
`Ventures disagrees, arguing that an anomaly is “a departure from the usual
`
`or expected; an abnormality or irregularity.” Prelim. Resp. 7–8 (citing Exs.
`
`2002; 2003 (reciting dictionary definitions of “anomaly”)).
`
`6
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`We agree that Intellectual Ventures’s proposed construction is the
`
`plain meaning of the term and is consistent with the specification of the ’084
`
`patent. For example, the ’084 patent states that “[a]nomaly detection
`
`systems look for statistically anomalous behavior . . . [s]tatistical scenarios
`
`can be implemented for user, dataset, and program usage to detect
`
`‘exceptional’ use of the system.” Ex. 1004, 3:54–57.
`
`2. “determining which of the plurality of devices are anticipated
`to be affected by the anomaly”
`
`IBM does not propose explicitly a construction for “determining
`
`which of the plurality of devices are anticipated to be affected by the
`
`anomaly” (“the determining limitation”). Intellectual Ventures proposes that
`
`the broadest reasonable construction is “deciding or ascertaining which
`
`devices are expected or foreseen to be affected by the detected anomaly.”
`
`Prelim. Resp. 12–14. Intellectual Ventures bases this construction on
`
`dictionary definitions of “determine” and “anticipate.” Id. at 12–13 (citing
`
`Exs. 2008, 2009 (defining determine as “to set limits to; bound; define . . . to
`
`reach a decision about after thought and investigation; decide upon”); Exs.
`
`2010, 2011 (defining anticipate as “to . . . expect . . . to foresee (a command,
`
`wish etc.) and perform in advance”))).
`
`Intellectual Ventures’s proposed construction is consistent with the
`
`specification. For example, the specification states that “[a]n anomaly is
`
`detected in the computer system, and then it is determined which device[] or
`
`devices are anticipated to be affected by the anomaly in the future. These
`
`anticipated devices are then alerted to the potential for the future anomaly.”
`
`Ex. 1004, 5:57–64. Although the specification also states that “the devices
`
`are polled in a predetermined sequential order, and a device anticipated to be
`
`7
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`affected by the anomaly is a device that has not been polled,” the ’084 patent
`
`does not limit anticipated devices solely to devices that have not been polled.
`
`Id. at 5:66–6:2.
`
`In keeping with the broadest reasonable interpretation that is
`
`consistent with the specification, we construe the determining limitation to
`
`mean deciding or ascertaining which devices are expected or foreseen to be
`
`affected by the anomaly.
`
`B. The Asserted Grounds
`
`1. Obviousness over Porras (Ex. 1005) and Cheswick (Ex. 1008)
`
`Porras is an article describing “Live Traffic Analysis of TCP/IP
`
`Gateways.” Ex. 1005. The article discloses “a variety of ways to extend
`
`both statistical and signature-based intrusion-detection analysis techniques to
`
`monitor network traffic.” Id. at Abstract.
`
`Cheswick is an excerpt of a book titled “Firewalls and Internet
`
`Security.” Ex. 1008. The excerpt includes several pages from a chapter
`
`called “Firewalls,” which defines the term firewall and describes how and
`
`why they are used. Id. at 003–005. IBM relies on Cheswick only for the
`
`firewall element of the challenged claims. Pet. 14.
`
`a. Claims 19, 20, 22–25, 27, and 29
`
`IBM challenges claims 19, 20, 22–25, 27, and 29 as obvious over the
`
`combination of Porras and Cheswick. Pet. 13–29. IBM relies solely on
`
`Porras for teaching the determining limitation, required by each of these
`
`claims.2 Id. at 20–21. Specifically, IBM points to Porras’s disclosure that
`
`
`2 Claim 29 recites “wherein the data collection and processing center further
`adjusts a firewall of each of a plurality of devices that is connected to the
`
`8
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`“malicious activity, nonmalicious failures, and other exceptional events” are
`
`detected and “warnings [are sent] to other domains that have not yet
`
`experienced or reported the session anomalies.” Id. Although IBM
`
`contends that a skilled artisan would have understood Porras to teach the
`
`determining limitation, IBM’s only evidence of such an understanding is the
`
`conclusory statement by its declarant that “there would be no need for Porras
`
`to send warnings to domains that have not yet experienced the anomaly”
`
`unless Porras was identifying devices anticipated to be affected by the
`
`anomaly. Ex. 1001 ¶ 104; Pet. 21–22.
`
`Intellectual Ventures asserts that the declarant’s statement is not only
`
`conclusory, but also incorrect because “sending warnings to domains
`
`without identifying which devices are anticipated to be affected, for
`
`example, sounding a general alarm, is a reasonable practice in some
`
`situations.” Prelim. Resp. 25 (citing Ex. 1007, 164). We agree with
`
`Intellectual Ventures that the cited portion of Porras expressly states that
`
`warnings are sent to domains that have not yet experienced the anomaly.
`
`This disclosure indicates that Porras must determine which devices have
`
`been affected by the attack3 to differentiate the domains that have not been
`
`affected from those that have. We are not persuaded, however, that Porras
`
`discloses determining which of the devices are expected to be affected by the
`
`attack.
`
`We have reviewed the rest of the portions of Porras relied upon by
`
`IBM (Pet. 20–21), and we are not persuaded that any of them disclose the
`
`
`network that is anticipated to be affected by the anomaly responsive to the
`detection of the anomaly.”
`3 This determination is required, for example, by claim 28.
`
`9
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`determining limitation. Nor does IBM point to persuasive evidence that one
`
`of ordinary skill in the art would have found the determining limitation
`
`obvious based on the disclosures of Porras and Cheswick. We are, therefore,
`
`not persuaded that IBM has established that there is a reasonable likelihood
`
`that claims 19, 20, 22–25, 27, and 29 are unpatentable as obvious over
`
`Porras combined with Cheswick.
`
`b. Claim 26
`
`Claim 26 does not recite the determining limitation. IBM admits that
`
`Porras does not provide an express description of the “data collection and
`
`processing center comprising a computer with a firewall,” and relies on
`
`Cheswick for disclosure of this limitation. Pet. 14; see id. at 18–19, 27–28.
`
`IBM asserts that one of ordinary skill in the art would have recognized the
`
`enterprise-layer monitor of Porras as part of a security domain and “[i]t was
`
`conventional in the art to include firewalls on internal domains within a
`
`secured network to protect security.” Id. at 15 (citing Ex. 1001 ¶¶ 91–92);
`
`see Ex. 1008, 004. IBM further asserts that a person of ordinary skill
`
`“would have been motivated to add internal firewalls to the Porras” intrusion
`
`detection system because of the known value of protecting internal security
`
`domains. Pet. at 15 (citing Ex. 1001 ¶ 93). On the record before us, we are
`
`persuaded that IBM has provided sufficient articulated reasoning with some
`
`rational underpinning to support its legal conclusion of obviousness. See
`
`KSR Int’l v. Teleflex Inc., 550 U.S. 398, 418 (2007) (citing In re Kahn, 441
`
`F.3d 977, 988 (Fed. Cir. 2006)).
`
`Intellectual Ventures argues that IBM has not shown that Porras
`
`discloses “detecting an anomaly in the network using network-based
`
`intrusion detection techniques comprising analyzing data entering into a
`
`10
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`plurality of hosts, servers, and computer sites in the networked computer
`
`system” (“the detecting limitation”). Prelim. Resp. 18–21. First, Intellectual
`
`Ventures argues that IBM gives an erroneous claim construction for the term
`
`anomaly and does not provide a sufficient explanation of where this term is
`
`shown in Porras. Id. Second, Intellectual Ventures argues that IBM has not
`
`shown that Porras discloses the detecting limitation or “the data collection
`
`and processing center monitoring data communicated to the network” (“the
`
`monitoring limitation”) even using the proper construction of anomaly. Id.
`
`at 21. Specifically, Intellectual Ventures asserts that IBM equates the data
`
`and processing center to Porras’s enterprise-layer monitor, but that IBM
`
`does not show that the enterprise-layer monitor actually monitors or
`
`analyzes data as required. Id. According to Intellectual Ventures, the
`
`language relied upon by IBM shows that the enterprise-layer monitor
`
`analyzes results sent to it by Porras’s surveillance modules, not data, and
`
`does no monitoring. Id.
`
`Although, as described above, we do not agree with IBM’s
`
`construction of anomaly, we are persuaded that IBM has made a sufficient
`
`threshold showing that Porras discloses the detecting limitation when using
`
`the proper construction of anomaly—a departure from the usual or expected;
`
`an abnormality or irregularity. See, e.g., Pet. 20 (quoting Ex. 1005, 1
`
`(“Specifically, we present techniques to analyze TCP/IP packet streams that
`
`flow through network gateways for signs of malicious activity, nonmalicious
`
`failures, and other exceptional events.”)).
`
` We are also persuaded that IBM has made a sufficient threshold
`
`showing that Porras discloses the monitoring limitation. We agree that IBM
`
`equates Porras’s enterprise-layer monitor to the claimed data collection and
`
`11
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`processing center. Pet. 20. We also agree that the language in Porras relied
`
`upon by IBM discloses that the enterprise-layer monitor analyzes results
`
`produced by “the distributed gateway surveillance modules.” Id. (quoting
`
`Ex. 1005, 8–9). However, the quoted language also discloses that the
`
`surveillance modules “report . . . suspicious activity observed,” and thus,
`
`discloses a type of monitoring of, in addition to analyzing, data
`
`communicated to the network. Id. (quoting Ex. 1005, 10). Further, Figure 1
`
`of Porras shows that the surveillance modules are part of the enterprise-layer
`
`monitor. Id. at 14 (reproducing Ex. 1005, Fig. 1). Thus, we are persuaded
`
`that IBM has established sufficiently that Porras’s enterprise-layer monitor
`
`monitors data communicated to the network.
`
`We are, therefore, persuaded that IBM has established that there is a
`
`reasonable likelihood that claim 26 is unpatentable as obvious over Porras
`
`combined with Cheswick.
`
`c. Claims 28 and 30–33
`
`Intellectual Ventures argues that IBM has not made a sufficient
`
`showing that the limitations added by dependent claims 28–33 (all
`
`dependent from claim 26) are disclosed by Porras. Prelim. Resp. 28–31. On
`
`this record, we are not persuaded by Intellectual Venture’s arguments. See
`
`id. We are persuaded that IBM has established that there is a reasonable
`
`likelihood that claims 28 and 30–33 are unpatentable as obvious over Porras
`
`combined with Cheswick.
`
`2. Anticipation by Graham (Ex. 1006)
`
`Graham describes a “system and method for preventing network
`
`misuse.” Ex. 1006. One of Graham’s embodiments evaluates “whether a
`
`firewall is configured to block certain suspicious data signatures before
`
`12
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`raising an alert and/or taking action in response to those signatures.” Id. at
`
`12:15–18.
`
`Figure 1 of Graham is reproduced below.
`
`
`
`Figure 1 illustrates an exemplary network architecture on which various
`
`features described by Graham are implemented. Ex. 1006, 2:65–67. The
`
`architecture generally depicts a local area network 140 over which a
`
`plurality of nodes 130–134 communicate. Id. at 3:47–51. Each of nodes
`
`130–134 may be a computer or any device that includes a processor and a
`
`network interface. Id. at 3:51–55. Although Figure 1 shows node 130 and
`
`firewall 152 as separate devices, they may be implemented on a single
`
`computer which performs the functions of both elements. Id. at 12:33–38.
`
`a. Claims 19, 20, 22–24, and 26–32
`
`IBM challenges claims 19, 20, 22–24, and 26–32 as anticipated by
`
`Graham. Pet. 29–40. Intellectual Ventures disputes Graham’s anticipation
`
`of the claimed invention. Prelim. Resp. 31–41. We agree with Intellectual
`
`13
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`Ventures that IBM has not shown that Graham discloses the detecting
`
`limitation—“detecting an anomaly in the network using network-based
`
`intrusion detection techniques comprising analyzing data entering into a
`
`plurality of hosts, servers, and computer sites in the networked computer
`
`system”—as required by the challenged claims. See id. at 34–36.
`
`IBM equates node 130 to the claimed “data collection and processing
`
`center comprising a computer with a firewall coupled to the computer
`
`network.” Pet. 33. Because “node 130 may be configured to scan for
`
`suspicious network traffic . . . and may work with the firewall 152 to filter
`
`out suspicious data,” (Ex. 1006, 12:19–21), IBM asserts that node 130 also
`
`fulfills the claim requirement that “the data collection and processing center
`
`monitor[s] data communicated to the network.” Pet. 33–34. Finally, IBM
`
`asserts that Graham discloses the detecting limitation because it “analyze[s]
`
`data across LAN 140.” Id. at 34.
`
`The only language in Graham that IBM points to as supporting
`
`“analyzing data entering into a plurality of hosts,” however, is a statement
`
`that the nodes include a processor for processing data, and that when “node
`
`132 identifies an incident,” it may take precautionary measures. Id. (quoting
`
`Ex. 1006, 3:51–55, 4:45–50). Nothing in this language explicitly describes
`
`any of the nodes analyzing data. Nor does IBM assert that this analysis is
`
`inherently disclosed by Graham. See id. Moreover, IBM provides no
`
`evidence to support a finding of inherency. For example, IBM’s declarant,
`
`Dr. Bellovin, concludes that “Graham teaches node 130 . . . analyzing data
`
`entering into multiple nodes” based on language in Graham that node 130
`
`monitors traffic for an incident. Ex. 1001 ¶ 166. Dr. Bellovin, however,
`
`14
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`does not discuss how Graham teaches this limitation or whether such
`
`analysis necessarily flows from the disclosure of Graham. Id.
`
`We are, therefore, not persuaded that IBM has established that there is
`
`a reasonable likelihood that claims 19, 20, 22–24, and 26–32 are
`
`unpatentable as anticipated by Graham.
`
`3. Obviousness over Graham and Snapp (Ex. 1009)
`
`Snapp is an article titled “A System for Distributed Intrusion
`
`Detection.” Ex. 1009. Snapp describes one approach to solving the problem
`
`of attacks or intrusions on computer systems called the intrusion-detection
`
`concept. Id. at Abstract. The focus of the article is to extend the concept
`
`from the local area network environment to arbitrarily wider areas using
`
`components including a host manager, a local access network manager, and
`
`a central manager, which receives, processes, and correlates reports from the
`
`other managers in order to detect intrusions. Id.
`
`a. Claims 25 and 33
`
`IBM challenges claims 25 and 33 as obvious over the combination of
`
`Graham and Snapp. Pet. 41–43. IBM relies on Snapp for disclosure of the
`
`limitation “wherein the data collection and processing center adjusts
`
`anomaly detection sensitivity and alarm thresholds based on the detected
`
`anomaly,” recited by both claims 25 and 33. Id. at 43.
`
`IBM, however, continues to rely solely on Graham for teaching the
`
`detecting limitation. Pet. 20–21, 41–43. This asserted ground, therefore,
`
`suffers from the same deficiency as discussed above with respect to
`
`anticipation by Graham. Moreover, IBM does not point to any evidence that
`
`a person of ordinary skill in the art would have found the detecting limitation
`
`15
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`obvious over the combined disclosures of Graham and Snapp. See Pet. 41–
`
`43; Ex. 1001 ¶¶ 206–210.
`
`We are, therefore, not persuaded that IBM has established that there is
`
`a reasonable likelihood that claims 25 and 33 are unpatentable as obvious
`
`over Graham combined with Snapp.
`
`4. Anticipation by NetRanger (Ex. 1007)
`
`NetRanger is a user guide for a product of the same name—“a real-
`
`time network security management system that detects, analyzes, responds
`
`to, and deters unauthorized network activity.” Ex. 1007, 019. NetRanger
`
`uses “centralized monitoring and management of remote dynamic packet
`
`filtering devices that plug into TCP/IP networks.” Id. The NetRanger
`
`System includes the “NSX,” which is the “sensing and management
`
`component.” Id. at 020–021. The NSX, in turn, communicates with one or
`
`more “Director,” which provides monitoring and analysis. Id.
`
`a. Printed Publication
`
`Intellectual Ventures argues that Petitioner has not made a sufficient
`
`threshold showing that NetRanger was available on the putative publication
`
`date. Prelim. Resp. 57–58. Intellectual Ventures cites Synopsys, Inc. v.
`
`Mentor Graphics Corp., for the proposition that absent evidence of
`
`publication or public accessibility of a reference, a petition for inter partes
`
`review, with respect to grounds based on that reference, should be denied.
`
`Id. (citing IPR2012-00042, slip op. at 35–36 (PTAB Feb. 22, 2013), Paper
`
`16). Indeed, the determination of whether a given reference qualifies as a
`
`prior art “printed publication” involves a case-by-case inquiry into the facts
`
`and circumstances surrounding the reference’s disclosure to members of the
`
`public. In re Klopfenstein, 380 F.3d 1345, 1350 (Fed. Cir. 2004).
`
`16
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`Unlike the reference at issue in Synopsys, which was a company’s
`
`product brochure that lacked any date on its face, NetRanger includes a
`
`copyright date printed on its face. Ex. 1007. In fact, the disclosed copyright
`
`date of 1997 is several years before the priority date of the ’084 patent—
`
`March 26, 2002. Intellectual Ventures has not pointed to any other
`
`indication, in NetRanger itself, that it is anything other than what it appears
`
`to be—a User’s Guide that was published and accessible to users of the
`
`corresponding product on or around the disclosed 1997 copyright date. Id.
`
`On this record, we are persuaded that Petitioner has made a threshold
`
`showing that NetRanger is a “printed publication” under 35 U.S.C. § 102(a).
`
`As a consequence, for purposes of this Decision, NetRanger is available as
`
`prior art for Petitioner to demonstrate a reasonable likelihood that the
`
`challenged claims are unpatentable.
`
`b. Claims 19, 20, 22–24, and 27–29
`
`IBM challenges claims 19, 20, 22–24, and 27–29 as anticipated by
`
`NetRanger. Pet. 44–56. Intellectual Ventures disputes NetRanger’s
`
`anticipation of the claimed invention. Prelim. Resp. 45–54. We agree with
`
`Intellectual Ventures that NetRanger does not disclose the determining
`
`limitation—“determining which of the devices are anticipated to be affected
`
`by the anomaly by using pattern correlations across the plurality of hosts,
`
`servers, and computer sites.”4 See id. at 47–51.
`
`IBM points to NetRanger’s disclosure that “[n]umerous computers are
`
`vulnerable to an attack where if you send an ICMP packet with an extremely
`
`
`4 Although claim 28 does not include determining which of the devices are
`anticipated to be affected by an anomaly, claim 28 requires a determination
`of which device has been affected by an anomaly.
`
`17
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`large data size it will crash the machine . . . NetRanger blocks and alarms
`
`this traffic.” Pet. 45–46, 50–51 (quoting Ex. 1007, 164); Ex. 1001 ¶¶ 240–
`
`45. This language discloses detecting an anomaly and pre-emptively
`
`blocking that traffic. IBM, however, does not explain how this language
`
`discloses determining which device has been affected by, or is anticipated to
`
`be affected by, such an attack.
`
`IBM points to testimony of Dr. Bellovin stating that a skilled artisan
`
`would have understood NetRanger to teach the determining limitation
`
`because “there would be no need for the Director to generate reports of
`
`network vulnerabilities or to block the network traffic” unless the Director
`
`was identifying devices anticipated to be affected by the anomaly. Ex. 1001
`
`¶ 244. This testimony does not support either an explicit or inherent
`
`disclosure of this limitation by NetRanger, as required for anticipation.
`
`Moreover, the statement is conclusory and not persuasive. We agree with
`
`Intellectual Ventures that preemptively blocking all traffic may be a
`
`reasonable practice in some situations, and network vulnerability reports
`
`may not require detecting the anomaly before identifying the vulnerable
`
`devices. See Prelim. Resp. 50.
`
`We have reviewed the remaining portions of NetRanger relied upon
`
`by IBM (Pet. 50–51), and we are not persuaded that any of them disclose the
`
`determining limitation. We are, therefore, not persuaded that IBM has
`
`established that there is a reasonable likelihood that claims 19, 20, 22–24,
`
`and 27–29 are unpatentable as anticipated by NetRanger.
`
`c. Claim 26
`
`Claim 26 does not recite the determining limitation. Intellectual
`
`Ventures argues that IBM has not shown that NetRanger discloses the
`
`18
`
`
`
`IPR2014-00682
`Patent 6,715,084 B2
`
`detecting limitation—“detecting an anomaly in the network using network-
`
`based intrusion detection techniques comprising analyzing data entering into
`
`a plurality of hosts, servers, and computer sites in the networked computer
`
`system.” Prelim. Resp. 45–47.
`
`Intellectual Ventures argues that IBM gives an erroneous claim
`
`construction for the term anomaly and does not provide a sufficient
`
`explanation of where this limitation is shown in NetRanger. Id. at 45–46.
`
`Although, as described above, we do not agree with IBM’s construction of
`
`anomaly, we are persuaded that IBM has made a sufficient threshold
`
`showing that NetRanger discloses the detecting limitation when using the
`
`proper construction of anomaly—a departure from the usual or expected; an
`
`abnormality or irregularity. See, e.g., Pet. 49 (quoting Ex. 1007, 019
`
`(“NetRanger . . . detects, analyzes, responds to, and deters unauthorized
`
`network activity.”)), 50 (quoting Ex. 1007, 023 (“NetRanger . . . also looks
`
`for network patterns of misuse based on a variety of different attack
`
`signatures.”)).
`
`We are, therefore, persuaded that IBM has established that there is a
`
`reasonable likelihood that claim 26 is unpatentable as anticipated by
`
`NetRanger.
`
`d. Claims 30–32
`
`Intellectual Ventures argues that IBM has not shown that claims 30–
`
`32 (dependent from claim 26) are unpatentable because it has not made a
`
`sufficient threshold showing that the limitations added by these dependent
`
`claims are disclosed by NetRanger. Prelim. Resp. 56–58. On this record,
`
`we are not persuaded by Intellectual Ventures’s arguments. See
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
