IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
`
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`____________
`
`RADWARE, INC.,
`
`Petitioner
`
`v.
`
`F5 NETWORKS, INC.,
`
`Patent Owner
`
`____________
`
`Inter Partes Review No. 2017-01249
`
`Patent No. 6,311,278
`
`____________________________________
`
`PETITION FOR INTER PARTES REVIEW
`
`UNDER 35 U.S.C. §§311-319 AND 37 C.F.R. §§42.1-.80, 42.100 ET SEQ.
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`TABLE OF CONTENTS
`
`Page
`INTRODUCTORY STATEMENT .......................................................................... 1
`I. MANDATORY NOTICES (37 C.F.R. §42.8(A)(1)) ..................................... 1
`
`A.
`
`B.
`
`Real Parties-in-Interest (37 C.F.R. §42.8(b)(1)) .................................. 1
`
`Related Matters (37 C.F.R. §42.8(b)(2)) .............................................. 1
`
`C. Designation of Lead and Back-Up Counsel (37 C.F.R.
`§42.8(b)(3)) .......................................................................................... 2
`
`D. Grounds for Standing (37 C.F.R. §42.104(a)) ..................................... 2
`
`E.
`
`Service Information (37 C.F.R. §42.8(b)(4)) ....................................... 3
`
`II.
`
`Payment of Fees (37 C.F.R. §42.103) .................................................. 3
`F.
`STATEMENT OF THE PRECISE RELIEF REQUESTED AND THE
`REASONS THEREFOR ................................................................................ 3
`III. THE ʼ278 PATENT (“RAANAN”) ............................................................... 4
`
`A.
`
`Summary .............................................................................................. 4
`
`Raanan’s File History ........................................................................... 8
`B.
`IV. A PERSON OF ORDINARY SKILL IN THE ART ..................................... 9
`V.
`CLAIM CONSTRUCTION (37 C.F.R. §§42.104(B)(3)) ............................ 10
`
`A.
`
`“Deriving From The Server Messages Sets Of Allowable
`Actions” .............................................................................................. 10
`VI. PRIOR ART BACKGROUND .................................................................... 12
`
`A. U.S. Patent No. 6,219,786 to Cunningham et al.
`(“Cunningham”) (Ex. 1010) ............................................................... 12
`
`B. U.S. Patent No. 5,987,611 to Freund et al. (“Freund”) (Ex.
`1011) ................................................................................................... 17
`
`C. U.S. Patent No. 6,151,624 to Teare et al. (“Teare”) (Ex. 1012) ........ 20
`IDENTIFICATION OF THE CHALLENGE (37 C.F.R. §42.104(B)) ....... 22
`
`VII.
`
`A.
`
`Claims of Raanan Are Not Entitled to the Priority Date of
`9/9/1998 .............................................................................................. 22
`
`
`
`
`
`-i-
`
`
`
`

`

`TABLE OF CONTENTS
`(continued)
`
`Page
`B. GROUND 1 ........................................................................................ 24
`
`1.
`
`2.
`
`3.
`
`4.
`
`5.
`
`6.
`
`7.
`
`Claim 15 ................................................................................... 24
`
`Claims 1 and 25 ........................................................................ 28
`
`Claims 2 and 3 .......................................................................... 32
`
`Claim 5 ..................................................................................... 34
`
`Claims 19, 26, and 10 .............................................................. 35
`
`Claim 21 ................................................................................... 41
`
` Claims 11, 12, and 14 ............................................................. 42
`
`C. GROUND 2: Claims 1-7, 10-12, 14-15, 19-26 are Rendered
`Obvious By Cunningham In View Of Freund ................................... 44
`
`1.
`
`2.
`
`3.
`
`4.
`
`5.
`
`6.
`
`7.
`
`8.
`
`9.
`
`Claim 15 ................................................................................... 47
`
`Claims 1 and 25 ........................................................................ 50
`
`Claims 2 and 3 .......................................................................... 55
`
`Claims 4, 5 and 7...................................................................... 58
`
`Claim 6 ..................................................................................... 60
`
`Claims 19, 26, and 10 .............................................................. 62
`
`Claims 20-21 and 23-24 ........................................................... 67
`
`Claim 22 ................................................................................... 70
`
`Claims 11, 12 and 14 ............................................................... 72
`
`D. Ground 3: Claim 23 Is Rendered Obvious By Cunningham In
`View Of Freund And Teare ................................................................ 75
`VIII. CONCLUSION ............................................................................................. 77
`IX. CERTIFICATION TO WORD COUNT UNDER 37 C.F.R.
`§42.24(D) ...................................................................................................... 78
`
`
`
`
`
`-ii-
`
`
`
`

`

`IPR2017-01249
`
`INTRODUCTORY STATEMENT
`
`Radware, Inc. (“Radware” or “Petitioner”) in accordance with 35 U.S.C.
`
`§§311-319 and 37 C.F.R. §§42.1-.80, 41.100-41.123, respectfully requests inter
`
`partes review and cancellation of claims 1-7, 10-12, 14-15, and 19-26 of U.S.
`
`Patent No. 6,311,278 (“’278 Patent” or “Raanan”) as anticipated and/or obvious
`
`under 35 U.S.C. §§102 and 103. The U.S. Patent and Trademark Office (USPTO)
`
`assignment records indicate that Raanan is assigned to F5 Networks, Inc. (“Patent
`
`Owner”).
`
`I. MANDATORY NOTICES (37 C.F.R. §42.8(a)(1))
`
`A. Real Parties-in-Interest (37 C.F.R. §42.8(b)(1))
`
`The real party-in-interest is Radware, a corporation organized under the laws
`
`of New Jersey. Radware is not barred by operation of estoppel to submit this
`
`Petition for inter partes review.
`
`B. Related Matters (37 C.F.R. §42.8(b)(2))
`
`Raanan (Ex. 1001) is asserted against Petitioner in litigation, F5 Networks,
`
`Inc. v. Radware, Inc., Case No. 16-cv-480-RAJ, pending in the United States
`
`District Court for the Western District of Washington. The complaint was filed on
`
`April 4, 2016 (Ex. 1002) and served on April 7, 2016 (Ex. 1003). Petitioner is not
`
`aware of any pending prosecution or administrative proceedings concerning
`
`-1-
`
`
`
`Raanan.
`
`
`
`
`

`

`IPR2017-01249
`
`
`C. Designation of Lead and Back-Up Counsel (37 C.F.R.
`§42.8(b)(3))
`
`Petitioner provides the following designation of counsel. Please address all
`
`correspondence to lead and back-up counsel.
`
`LEAD COUNSEL
`Fabio E. Marino (Cal. SBN 183825)
`Registration No. 43,339
`fmarino@mwe.com
`
`McDermott Will & Emery
`275 Middlefield Road, Suite 100
`Menlo Park, CA 94025-4004
`Tel: (650) 815-7605
`
`BACK-UP COUNSEL
`Barrington E. Dyer (Cal. SBN 264762)
`Pro Hac Vice to be requested
`bdyer@mwe.com
`
`McDermott Will & Emery
`275 Middlefield Road, Suite 100
`Menlo Park, CA 94025-4004
`Tel: (650) 815-7612
`
`D. Grounds for Standing (37 C.F.R. §42.104(a))
`
`Petitioner certifies that Raanan is eligible for inter partes review and further
`
`certifies that Petitioner is not barred or otherwise estopped from requesting inter
`
`partes review challenging the identified claims on the grounds in the present
`
`Petition. This Petition is filed within one year of the date Petitioner was served
`
`with a complaint of infringement of Raanan. A true copy of the Proof of Service
`
`of Summons and Complaint, showing the date of service of April 7, 2016 is
`
`included as Ex. 1003. Petitioner has not filed a civil action challenging the validity
`
`of a claim of Raanan. 35 U.S.C. §315(a).
`
`
`
`
`
`-2-
`
`
`
`

`

`IPR2017-01249
`
`
`E.
`
`Service Information (37 C.F.R. §42.8(b)(4))
`
`Papers concerning this matter should be addressed to the lead and back-up
`
`counsel at the address provided above. Petitioner consents to electronic service by
`
`email at: IPdocketMWE@MWE.com, fmarino@mwe.com and bdyer@mwe.com.
`
`F.
`
`Payment of Fees (37 C.F.R. §42.103)
`
`The Patent and Trademark Office is hereby authorized to charge Deposit
`
`Account No. 505907 for the fee set in 37 C.F.R. §42.15(a) for this Petition for inter
`
`partes review, and for any additional fees that may be due as a result of the
`
`submission of this Petition.
`
`II.
`
`STATEMENT OF THE PRECISE RELIEF REQUESTED AND
`THE REASONS THEREFOR
`Radware requests inter partes review and cancellation of claims 1-7, 10-12,
`
`14-15, and 19-26 of U.S. Patent No. 6,311,278 ( “Raanan,” Ex. 1001) based on 35
`
`U.S.C. §§102 and 103 for the reasons stated herein. This Petition establishes a
`
`reasonable likelihood that Petitioner will prevail in establishing that the challenged
`
`claims are unpatentable.
`
`The following chart summarizes the individual grounds, including the
`
`statutory basis and prior art relied upon for each ground.
`
`Ground
`No.
`1
`
`35
`U.S.C.
`§102
`
`Claims
`
`1-3, 5, 10-
`12, 14-15,
`19, 21, 25-
`
`
`
`
`
`Prior Art Reference(s)
`
`Cunningham
`
`-3-
`
`
`
`

`

`IPR2017-01249
`
`Ground
`No.
`
`35
`U.S.C.
`
`§103
`
`2
`
`3
`
`Prior Art Reference(s)
`
`Cunningham in view of Freund
`
`Claims
`
`26
`
`1-7, 10-12,
`14-15, 19-
`26
`
`§103
`
`23
`
`Cunningham in view of Freund and Teares
`
`None of the prior art references were made of record during prosecution of
`
`Raanan and were, therefore, not considered by the examiner.
`
`III. THE ʼ278 PATENT (“Raanan”)
`
`A.
`
`Summary
`
`Raanan is directed to a security system for extracting application protocol
`
`data. The system “extract[s] application protocol data from [a] server message” to
`
`retrieve the set of allowable actions which may be taken by a client; and filters the
`
`client request to “eliminate any disallowable actions requested by the client.”
`
`Raanan, 2:3-6, Fig. 3.
`
`“Application protocol data” includes “commands, fields,” or other “user-
`
`selectable options contained in the [server] message.” Id., Abstract. For example,
`
`a “‘search’ command” or “‘submit’ command on an HTML form,” or fields such
`
`as “fixed fields” and “hidden fields.” Id., 5:59-65, 6:2-4. “These items represent
`
`the set of allowable or authorized user actions for the application.” Id., Abstract,
`
`3:1-5; see also id., 2:10-12.
`
`
`
`
`
`-4-
`
`
`
`

`

`IPR2017-01249
`
`
`
`
`As depicted in Figure 2 above, the client 12 connects with the server 10 via a
`
`computer network such as “the Internet, an intranet, or any other private network
`
`that connects client 12 and server 10.” Id., 3:55-57 (emphasis added). The
`
`security system comprises a filter module 14, a protocol database 16, and a
`
`protocol extraction module 18. Id., 3:58-60. “These modules and database may be
`
`stored on the server 10, or on a computer separate from and connectable to the
`
`server 10, or on a number of separate but connectable computers.” Id., 3:61-64
`
`(emphasis added). Indeed, the claims of Raanan are not limited to being executed
`
`on only either the server or client side; the claimed “invention” need only be
`
`“interposed [somewhere] between the client and server.” Id., 1:66-67; see also
`
`Fig. 1-2A, 7:46-48. Thus, it may be on the client-side of the internet or the server-
`
`side of the internet (or, indeed, split over the two).
`
`
`
`
`
`
`
`-5-
`
`
`
`

`

`IPR2017-01249
`
`
`
`
`Figure 3, above, is a flow chart showing the process for defining allowable
`
`actions in an application protocol. The process begins with the server transmitting
`
`to the client a message “containing information relating to the application residing
`
`and running on the server 10 or a computer connected thereto” (step 30). Id., 51-
`
`54. “Using a copy of the server message or the message itself,” the protocol
`
`extraction module extracts the application protocol data from the server message.
`
`Id., 4:55-58.
`
`
`
`
`
`-6-
`
`
`
`

`

`IPR2017-01249
`
`
`The extraction of application protocol data by the extraction module 18
`
`“may be performed in a number of ways, including through the use of known
`
`techniques to identify a low level or communication protocol, such as TCP/IP,
`
`stripping such protocol while retaining required data such as IP source data, and
`
`searching the remainder of the message for allowed commands or other authorized
`
`user actions.” Id., 4:58-64.
`
`“Once extracted, the application protocol data is stored in the protocol
`
`database 16” (step 34). Id., 4:65-66. The protocol data may be added to a
`
`“permanent file” or a “temporary file” of the protocol database 16. Id., 4:66-5:4.
`
`Temporarily stored files may be “session-based” and used only for “a particular
`
`client/server session,” or used “only for a particular server message and then
`
`overwritten.” Id. (emphasis added).
`
`The server message is then sent to the client (step 36), which transmits a
`
`request back to the server (step 38). Id., 5:10-12. The client’s request may be a
`
`proper response to the server message or may be an attempt to cause the
`
`application to execute an unauthorized command. Id., 5:13-14. The filter module
`
`14 intercepts the client request, reads it, and queries the protocol database 16 (step
`
`40). Id., 5:14-16.
`
`The client request is compared to a list of allowable actions stored on the
`
`protocol database16 (step 42), which is either a list of allowable actions “for a
`
`
`
`
`
`-7-
`
`
`
`

`

`IPR2017-01249
`
`given client/server session, for a ‘stage’ or segment of the application program,” or
`
`“a static list of actions allowable for a given application program.” Id., 4:1-5
`
`(emphasis added), 5:20-22. If allowable, the filter module passes it to the server
`
`(step 44). Id., 5:22-23. If not, the request is denied access to the server (step 46).
`
`Id., 5:23-28. Alternatively, the non- allowable parts of the request are deleted
`
`before passed to the server. Id., 6:12-14.
`
`Independent Claim 15 is representative of the three main features of security
`
`system described above: a (1) protocol database for storing the list of allowable
`
`actions, (2) filter module for checking whether messages are allowable, and (3)
`
`protocol extraction module for extracting application protocol data. Mohapatra,
`
`¶44. Independent Claims 1, 19, 25, and 26 reflect the same three features, or
`
`subsets of them. Claim 1, for example, is directed to Feature 3, extracting and
`
`storing application protocol data. Id., ¶45.
`
`B. Raanan’s File History
`
`Raanan issued on October 30, 2001, from Patent Application No.
`
`09/345,920 (“’278 File History,” Ex. 1008), filed on July 1, 1999. It is a
`
`Continuation-in-Part of Application No. 09/149,911 (“’911 Application”) filed on
`
`September 9, 1998 (Ex. 1006). Despite being prosecuted for over two years,
`
`Raanan issued after just one office action.
`
`
`
`
`
`
`
`-8-
`
`
`
`

`

`IPR2017-01249
`
`
`
`
`
`
`As explained below (Section VII(A)), Raanan is not entitled to the priority date of
`
`the ’911 Application.
`
`IV. A PERSON OF ORDINARY SKILL IN THE ART
`
`With respect to Raanan, Dr. Mohapatra confirms that a person of ordinary
`
`skill in the art (“POSITA”) would have a Bachelors or Master’s degree in
`
`computer science or computer engineering or in a related field, as well as about
`
`two years of experience in design and deployment of Internet networking
`
`technology. Mohapatra, ¶18.
`
`
`
`
`
`-9-
`
`
`
`

`

`IPR2017-01249
`
`
`V. CLAIM CONSTRUCTION (37 C.F.R. §§42.104(b)(3))
`
`Because Raanan has not yet expired, each claim is given “its broadest
`
`reasonable construction in light of the specification of the patent in which it
`
`appears” to one of ordinary skill in the art. 37 C.F.R. §42.100(b). Under the
`
`broadest reasonable interpretation (BRI) standard, “the claims must be interpreted
`
`as broadly as their terms reasonably allow… This means that the words of the
`
`claim must be given their plain meaning unless the plain meaning is inconsistent
`
`with the specification.” MPEP §2111.01 (citing cases); see also In re Am. Acad. Of
`
`Sci. Tech Ctr., 367 F.3d 1359, 1369 (Fed. Cir. 2004) (“[T]he Board is required to
`
`use a different standard for construing claims than that used by district courts.”)
`
`(citations omitted).
`
`Radware’s proposed constructions are offered to comply with 37 C.F.R.
`
`§42.100(b) for this Petition only, and do not necessarily reflect the claim
`
`constructions that may be proposed by Radware or adopted by the court in any
`
`district court litigation, where a different standard applies. All claim terms for
`
`which a construction is not specifically proposed should be interpreted according
`
`to their plain meaning.
`
`A.
`
`“Deriving From The Server Messages Sets Of Allowable
`Actions”
`
`Independent claims 19 and 26 of Raanan includes the step of “deriving from
`
`the server messages sets of allowable actions which may be taken in response to
`
`
`
`
`
`-10-
`
`
`
`

`

`IPR2017-01249
`
`each of the server messages.” The BRI of “deriving from the server messages sets
`
`of allowable actions” includes “parsing the messages to identify commands, input
`
`fields, hidden fields, or hyperlinks including addresses within the server
`
`messages.” Mohapatra, ¶¶53-56.
`
`Although the specification and prosecution history never discuss “deriving
`
`from the server messages sets of allowable actions,” the dependent claims do, and
`
`thus provide the single best reference for the BRI of the term. Straight Path IP
`
`Group, Inc. v. Sipnet EU S.R.O., 806 F.3d 1356, 1360 (Fed. Cir. 2015) (“We start
`
`with the claim language—which has a meaning that can only be called plain”).
`
`Claims 20, 21, 23, and 24, each depend from Claim 19 and clarify that
`
`“deriving the set of allowable actions” comprises parsing the server message to
`
`identify specific information. Claim 19 adds that “deriving sets of allowable
`
`actions from the server messages comprises parsing the messages to identify
`
`commands allowed in the server messages.” Claim 21 specifies that “deriving sets
`
`of allowable actions from the server messages comprises parsing the messages to
`
`identify input fields in the server messages.” Claim 23 further adds that “deriving
`
`sets of allowable actions from the server messages comprises parsing the messages
`
`to identify hidden fields in the server messages.” And Claim 24 adds that
`
`“deriving sets of allowable actions from the server messages comprises parsing the
`
`messages to identify hyperlinks including addresses within the server message.”
`
`
`
`
`
`-11-
`
`
`
`

`

`IPR2017-01249
`
`
`Taken together, a POSITA would understand that “deriving from the server
`
`messages sets of allowable actions” at least comprises “parsing the messages to
`
`identify commands, input fields, hidden fields, or hyperlinks including addresses
`
`within the server messages.” Mohapatra, ¶¶53-56; see also Wright Med. Tech.,
`
`Inc. v. Osteonics Corp., 122 F.3d 1440, 1445 (Fed. Cir. 1997) (“we must not
`
`interpret an independent claim in a way that is inconsistent with a claim which
`
`depends from it”). Claims 20, 21, 23, and 24 subsequently specify which
`
`information is parsed to be identified. Further, because the same term is used in
`
`Claim 26 as in Claim 19, it should be construed consistently. See Omega Eng’g,
`
`Inc. v. Raytek Corp., 334 F.3d 1314, 1334 (Fed. Cir. 2003).
`
`VI. PRIOR ART BACKGROUND
`
`A. U.S. Patent No. 6,219,786 to Cunningham et al.
`(“Cunningham”) (Ex. 1010)
`
`Cunningham is a U.S. Patent for a “Method and System for Monitoring and
`
`Controlling Network Access” which was filed on September 9, 1998 and issued on
`
`April 17, 2001. It is therefore prior art under 35 U.S.C. §§102(e). Cunningham
`
`teaches that “[a] rules base is generated to apply at either or both of the connection
`
`time and the time subsequent to connection,” and is “maintained in a single rules
`
`base for the entire network.” Cunningham, Abstract. Data packets are examined
`
`from “the lowest level to the application-level data” to “identify the source and
`
`destination nodes, as well as contextual information (i.e., ISO Layer 7
`
`
`
`
`
`-12-
`
`
`
`

`

`IPR2017-01249
`
`information),” such as “the text of HTML pages,” in order to retrieve the access
`
`rules to be applied. Id., Abstract, 3:22-55, 11:14-49, Fig. 7.
`
`
`
`Figure 1 illustrates a system for monitoring and controlling network access
`
`using a rule base generated to apply at connection time or any time after. A router,
`
`firewall, workstation, or server, “dedicated to providing access control” acts as “a
`
`gateway between the network and an external network (e.g., the Internet).” Id.,
`
`3:40-42, 3:58-63 (emphasis added); 11:54-56. The system includes a “rule base”
`
`for storing access rules (id., 4:13-16), an “access management module” for
`
`monitoring traffic (id., 5:20-21), and a “module for receiving, assembling and
`
`examining data packet” (id., 3:63-66). By comparing data packets against the rules
`
`base, the system causes a connection attempt to be completed, denied, logged, or a
`
`combination of these and other actions. Id., Abstract.
`
`
`
`
`
`-13-
`
`
`
`

`

`IPR2017-01249
`
`
`The gateway system “receives…outbound data packets through Layers 1 and
`
`2” from a node on the network. Id., 7:59-61. A node may be a workstation or a
`
`“server 28 that is used in a conventional manner to enable selected services, such
`
`as web services.” Id., 5:11-25.
`
`
`
`When received, outbound data packets “are pieced together to identify ISO
`
`Layer 7 information, as well as lower layer information.” Id., 3:49-50. Figure 4
`
`illustrates the acquisition of Transport Layer, Network Layer, and Application
`
`Layer information. Id., 8:9-13. “For example, in an e-mail environment, the
`
`Application Layer information that may be relevant to application of the rules base
`
`-14-
`
`
`
`
`

`

`IPR2017-01249
`
`may include information within the “subject” line of an e-mail message. This
`
`information is acquired only upon accessing the data fields of the data packets of
`
`the e-mail message.” Id., 8:13-19.
`
`“Detailed information from the assembled data packets is stored until
`
`sufficient information is acquired regarding the node-to-node transmission to apply
`
`the previously configured rules base 70.” Id., 10:6-9 (emphasis added).
`
`“[I]nformation which is stored includes both low level state information and
`
`contextual information” (i.e., Application Layer information). Id., 10:21-24. In
`
`addition, “storage logs are maintained for transaction data” to allow “further
`
`analysis.” Id., 9:60-65.
`
`Enforcement of “[t]he access control rules may…depend upon application
`
`protocol data following a successful connection.” Id., 4:18-20. The system
`
`“identif[ies] which rules can be applied at the basic connection time and which
`
`rules need to be held-over for application once the connection is completed and
`
`data is flowing.” Id., 11:29-34.
`
`
`
`
`
`-15-
`
`
`
`

`

`IPR2017-01249
`
`
`
`
`While continuing to monitor the node-to-node communication, the system
`
`also “receives inbound…data packets.” Id., 7:59-61. Figure 7, above, shows the
`
`steps for application of the rule base. Id., 10:52-53. Comparing data packets
`
`“against the rules base causes a connection attempt to be completed or denied, a
`
`previously established connection to be broken, logging to occur, or a combination
`
`
`
`
`
`-16-
`
`
`
`

`

`IPR2017-01249
`
`of these and other actions” (step 102). Id., Abstract; see also, Mohapatra, ¶¶63-
`
`71.
`
`B. U.S. Patent No. 5,987,611 to Freund et al. (“Freund”) (Ex.
`1011)
`Freund is a U.S. Patent for an “internet access monitoring system” for
`
`“monitoring access to an open network” and “filtering of access” based on
`
`“[a]ccess rules which can be defined can specify criteria such as […] a list of
`
`protocols or protocol components that a user application can (or cannot) access.”
`
`Freund, Abstract, 8:42-44 (emphasis added). Freund was filed on May 6, 1997 and
`
`issued on November 16, 1999 and is prior art under 35 U.S.C. §102(e).
`
`The system “restrict[s] access to the Internet (or other Wide Area Network)
`
`to certain approved applications” through “centrally-maintained access rules” (id.
`
`8:42-53), thereby “restricting [clients to] permissible on-line activities.” Id., 9:4-9
`
`(emphasis added). The access rules include “a list of protocols or protocol
`
`components (such as Java Script™) that a user application can or cannot use,” and
`
`“what should happen if a rule is violated (e.g., denying Internet access, issue a
`
`warning, redirecting the access, creating a log entry, or the like).” Id., 4:8-19,
`
`4:26-28, 13:2-13 (emphasis added).
`
`
`
`
`
`-17-
`
`
`
`

`

`IPR2017-01249
`
`
`
`
`The system, shown above in Figure 3B, includes “central server component
`
`370” with “central supervisor application [373].” Id., 22:7-9. The central
`
`supervisor application 373 (“Supervisor”) “maintains the access rules for the client
`
`based filter” (id., 3:60-67) in a “rules database” (id., 29:50-52), and connects with
`
`“Client Monitor” 311 (“Monitor”) to enforce the access rules. Id., 22:22-7.
`
`
`
`The Monitor “can intercept the communications for determining whether the
`
`request is permitted under the rules.” Id., 15:26-24 (emphasis added).
`
`
`
`
`
`-18-
`
`
`
`

`

`IPR2017-01249
`
`
`
`
`Figure 12B, for example, illustrates a method of intercepting
`
`communications to determining whether a request is permitted. Id., 29:50-53.
`
`When the “Monitor intercepts the call” it “determines the protocol based on a
`
`combination of the TCP/IP port address, the address family, contents, and the
`
`like,…[and] checks the rules database to see if the user/computer has the right to
`
`download ‘.html’ files” (steps 1212-1214). Id., 29:44-52 (emphasis added).
`
`
`
`
`
`-19-
`
`
`
`

`

`IPR2017-01249
`
`
`If the request is allowed, it is forwarded to the Host server 350, which sends
`
`“foo.html” as requested (step 1219). Id., 29:56-57. The Monitor “intercepts,”
`
`“parses the contents of ‘foo.html,’ and checks for the following components: (a)
`
`References to Java™, ActiveX, and the like…; (b) References to Netscape style
`
`plug-ins…; (c) Imbedded scripts such as Java Script™, VBScript, and the like…;
`
`(d) References to other files or components…; and (e) Other syntax elements that
`
`are known or suspected to cause security or network problems.” Id., 29:54-30. By
`
`parsing the contents of “foo.html,” and referencing the rules database, the Monitor
`
`determines the permissible components of the HTML. Id., 30:1-10.
`
`A further discussion of Freund is provided in the Mohapatra Declaration,
`
`¶¶72-79.
`
`C. U.S. Patent No. 6,151,624 to Teare et al. (“Teare”) (Ex.
`1012)
`
`Teare is a U.S. Patent for a “Navigating Network Resources Based On
`
`Metadata” which was filed on February 3, 1998 and issued on November 21, 2000.
`
`Teare teaches “a method of navigating, based upon a natural language name, to a
`
`resource that is stored in a network.” Teare, 4:49-57. Requests are received and
`
`analyzed/parsed at the application protocol layer, and specific HTML data is
`
`identified. See, e.g., id, 25:60-26:18, 15:60-16:2, 18:18-29, 13:36-45. Figure 8,
`
`below, “is a block diagram of a computer system that can be used to implement the
`
`[Teare] invention.” Id., 5:57-58; Fig. 8.
`
`
`
`
`
`-20-
`
`
`
`

`

`IPR2017-01249
`
`
`
`
`In one embodiment, a web resource (e.g., a web page or application) is sent
`
`to the client that contains a hidden field. Id., 24:65-25:1. The system “receives the
`
`Web page, extracts the value of the hidden field, and compares the hidden field
`
`value to a table or mapping of hidden field values.” Id., 25:5-8.
`
`Thus Teare discloses parsing server messages (e.g., web pages or web
`
`applications) to identify and extract hidden fields, which are then compared to a
`
`pre-stored table or mapping.
`
`A further discussion of Teare is provided in the Mohapatra Declaration,
`
`¶¶80-82.
`
`
`
`
`
`-21-
`
`
`
`

`

`IPR2017-01249
`
`
`VII. IDENTIFICATION OF THE CHALLENGE (37 C.F.R.
`§42.104(B))
`
`Inter partes review of claims 1-7, 10-12, 14-15, 19-26 of Raanan is
`
`requested on Grounds 1-3 listed. None of the prior art references relied on herein
`
`were before (or considered by) the Examiner during prosecution of Raanan.
`
`Further, as confirmed by Dr. Mohapatra, the combinations presented below are not
`
`cumulative or redundant. Mohapatra, ¶¶85-86. As will be established by a careful
`
`analysis of the claims and the disclosure of the prior art references, all the
`
`limitations of the challenged claims were known prior to the priority date of July 1,
`
`1999. As a note, because a number of the claims share common elements, the
`
`sections below may refer back to earlier claims (and analysis) when analyzing the
`
`shared common elements in later claims. Id., ¶87.
`
`A. Claims of Raanan Are Not Entitled to the Priority Date of
`9/9/1998
`
`The application (Application No. 09/345,920) (“CIP Application”) that led
`
`to the issuance of Raanan is a Continuation-in Part of Application No. 09/149,911
`
`(“’911 Application”) filed on September 9, 1998 (Ex. 1006). However it is not
`
`entitled to this earlier priority date because the applicant added substantial new
`
`matter in the CIP Application not disclosed in the ’911 Application. See generally,
`
`Ex. 1009 (comparing the Parent Application to the CIP Application).
`
`
`
`
`
`-22-
`
`
`
`

`

`IPR2017-01249
`
`
`Other than the reference in the CIP Application to the ’911 Application, the
`
`CIP Application adds almost entirely new matter not disclosed in the ’911
`
`Application, and substitutes the original figures with new ones. Mohapatra, ¶¶57-
`
`62.
`
`This is not surprising, as the Applicant filed a “continuation-in-part” as
`
`opposed to “continuation”; indeed the “quintessential difference between a
`
`continuation and a continuation-in-part is the addition of new matter.”
`
`PowerOasis, Inc. v. T-Mobile USA, Inc., 522 F.3d 1299, n.4 (Fed. Cir. 2008).
`
`Consequently, the petitioned claims lack sufficient support from the ’911
`
`Application, and are not eligible for a priority date earlier than July 1, 1999—the
`
`filing date of the CIP Application. See id. at 1305 (“[T]here is simply no reason to
`
`presume that claims in a CIP application are entitled to the effective filing date of
`
`an earlier filed application.”).
`
`The new claimed matter without support from the ’911 Application is not
`
`limited to, but includes, (1) “extracting application protocol data from the server
`
`message”; (2) “to thereby retrieve the set of allowable actions”; (3) “storing the
`
`extracted application protocol data”; (4) “deriving from the server messages sets of
`
`allowable actions”; and (5) “disallowing any action […] not in at least one set of
`
`allowable actions.” Mohapatra, ¶¶60-61; Ex. 1009. This is critical, as the Federal
`
`Circuit emphasized in PowerOasis, stating:
`
`
`
`
`
`-23-
`
`
`
`

`

`IPR2017-01249
`
`
`“We have explained that to satisfy the written description
`
`requirement, ‘the missing descriptive matter must necessarily
`
`be present in the [original] application’s specification such that
`
`one skilled in the art would recognize such a disclosure.’”
`
`PowerOasis at 1306. Because the claimed features listed above were added in the
`
`CIP Application filed on July 1, 1999, and are required by each of the claims,
`
`Raanan is not entitled to the earlier date of the priority of the ’911 Application;
`
`only the filing date of the CIP Application. For this reason, all the references cited
`
`herein qualify as prior art.
`
`B. GROUND 1
`
`Cunningham anticipates claims 1-3, 5, 10-12, 14-15, 19, 21, and 25-26 as
`
`discussed below and explained in the Mohapatra Declaration, ¶¶88-137.
`
`1.
`
`Claim 15
`
`As explained below, Cunningham anticipates Claim 15 as it discloses every
`
`limitation of this independent claim. See also id., ¶¶112-116.
`
`Claim limitation 15[a] (preamble): “A security gateway system interposed
`
`between an external computing environment and an internal computing
`
`environment, the system comprising.” Cunningham discloses a security gateway
`
`system interposed on any network node that acts as a gateway between an external
`
`network and an internal network. Cunningham teaches that “the method and
`
`
`
`
`
`-24-
`
`
`
`

`

`IPR2017-01249
`
`system may also be implemented by examination and management at a choke
`
`point, such as a proprietary proxy 60 server, a firewall or other network node that
`
`is acting as a gateway between the network and an external network (e.g., the
`
`Internet).” Cunningham, 3:57-61. Cunningham also discloses that “Network
`
`traffic is monitored and access to internal and external resources is controlled and
`
`managed either at choke points (represented by the proxy server 28 and