`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________________
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`____________________
`
`InAuth, Inc.
`
`Petitioner
`
`v.
`
`mSIGNIA, Inc.
`
`Patent Owner
`
`
`
`
`
`____________________
`
`Case No. Unassigned
`
`
`
`PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 9,559,852
`UNDER 35 U.S.C. §§ 311-319 AND 37 C.F.R. §§ 42.1-.9-, 42.100-.123
`
`Claims 1-25
`
`
`
`
`
`
`
`
`
`
`I.
`
`
`
`IPR of USPN 9,559,852
`
`
`TABLE OF CONTENTS
`
`STATEMENT OF THE PRECISE RELIEF REQUESTED AND THE
`REASONS THEREFOR (37 C.F.R. §42.22(A)) ............................................ 1
`
`II. OVERVIEW .................................................................................................... 1
`
`III.
`
`IDENTIFICATION OF THE CHALLENGE (37 C.F.R. §42.104(B))
`AND RELIEF REQUESTED .......................................................................... 4
`
`A.
`
`Prior Art ................................................................................................. 4
`
`B. Grounds for Challenge .......................................................................... 5
`
`IV. THE ’852 PATENT ......................................................................................... 6
`
`A. Overview: The ’852 Patent Purported Invention Is a Method
`for Recognizing the Identity of a Computer or User Using
`Minutia That Is Subject to Change ........................................................ 6
`
`B.
`
`Prosecution History: The “Closest” Prior Art Before the
`Examiner Was Limited to Identity Recognition Systems Using
`Only Static Minutia, Not Minutia That Is Subject to Change ............... 8
`
`V.
`
`SCOPE AND CONTENT OF THE PRIOR ART: Identity
`Recognition Systems Using Minutia That Is Subject to Change Were
`Actually Well-Known and Disclosed in Multiple Reference That
`Were Not Cited to the Examiner ..................................................................... 9
`
`A.
`
`B.
`
`Etchegoyen ............................................................................................ 9
`
`Varghese .............................................................................................. 11
`
`VI. LEVEL OF ORDINARY SKILL IN THE ART ........................................... 12
`
`VII. PROPOSED CLAIM CONSTRUCTIONS ................................................... 12
`
`A.
`
`“generating a challenge” (Claims 1, 24, 25) ....................................... 13
`
`VIII. GROUND 1: CLAIMS 1-5, 7, 14-21, AND 24-25 ARE
`ANTICIPATED BY ETCHEGOYEN ........................................................... 14
`
`A.
`
`Independent Claim 1 ........................................................................... 14
`
`
`
`
`i
`
`
`
`
`
`B.
`
`C.
`
`IPR of USPN 9,559,852
`
`Independent Claim 24 ......................................................................... 23
`
`
`
`Independent Claim 25 ......................................................................... 26
`
`D. Dependent Claim 2 .............................................................................. 28
`
`E. Dependent Claim 3 .............................................................................. 29
`
`F.
`
`Dependent Claims 4-5 ......................................................................... 29
`
`G. Dependent Claim 7 .............................................................................. 31
`
`H. Dependent Claims 14-16 ..................................................................... 32
`
`I.
`
`J.
`
`Dependent Claims 17-19 ..................................................................... 33
`
`Dependent Claim 20 ............................................................................ 35
`
`K. Dependent Claim 21 ............................................................................ 36
`
`IX. GROUND 2: CLAIMS 1-5, 7, 14-21, AND 24-25 WOULD HAVE
`BEEN OBVIOUS IN VIEW OF ETCHEGOYEN ........................................ 36
`
`X. GROUND 3: DEPENDENT CLAIMS 6 AND 8-12 WOULD HAVE
`BEEN OBVIOUS IN VIEW OF ETCHEGOYEN AND JAKOBSSON ........ 38
`
`A. Dependent Claim 6 .............................................................................. 39
`
`B. Dependent Claims 8-12 ....................................................................... 42
`
`XI. GROUND 4: DEPENDENT CLAIMS 13, 22, AND 23 WOULD
`HAVE BEEN OBVIOUS IN VIEW OF ETCHEGOYEN AND
`VARGHESE ................................................................................................... 45
`
`XII. GROUND 5: CLAIMS 1-23, 25 ARE ANTICIPATED BY
`VARGHESE ................................................................................................... 47
`
`A.
`
`B.
`
`Independent Claim 1 ........................................................................... 47
`
`Independent Claim 25 ......................................................................... 55
`
`C. Dependent Claim 2 .............................................................................. 56
`
`D. Dependent Claim 3 .............................................................................. 56
`
`
`
`
`ii
`
`
`
`
`
`IPR of USPN 9,559,852
`
`E. Dependent Claims 4-6 ......................................................................... 57
`
`
`
`F.
`
`Dependent Claim 7 .............................................................................. 59
`
`G. Dependent Claims 8-12 ....................................................................... 60
`
`H. Dependent Claims 13, 22, and 23 ....................................................... 62
`
`I.
`
`J.
`
`Dependent Claims 14-16 ..................................................................... 64
`
`Dependent Claims 17-19 ..................................................................... 65
`
`K. Dependent Claim 20 ............................................................................ 68
`
`L. Dependent Claim 21 ............................................................................ 68
`
`XIII. GROUND 6: CLAIM 24 WOULD HAVE BEEN OBVIOUS IN
`VIEW OF VARGHESE .................................................................................. 69
`
`XIV. NO OBJECTIVE INDICIA ........................................................................... 70
`
`XV. MANDATORY NOTICES ........................................................................... 70
`
`A. Real Party-in-Interest (37 C.F.R. §42.8(b)(1)) .................................... 70
`
`B.
`
`C.
`
`Related Matters .................................................................................... 71
`
`Lead and Back-Up Counsel, and Service Information ....................... 71
`
`XVI. CERTIFICATION OF GROUNDS FOR STANDING ................................ 71
`
`XVII. CONCLUSION .............................................................................................. 72
`
`
`
`
`
`
`
`
`
`
`iii
`
`
`
`
`
`
`Exhibit
`
`IA1001
`
`
`
`IPR of USPN 9,559,852
`
`
`LIST OF EXHIBITS
`
`Description
`
`U.S. Patent No. 9,559,852 to Miller et al.
`
`IA1002
`
`Prosecution File History of U.S. Patent No. 9,559,852
`
`IA1003
`
`Declaration of Professor Patrick Traynor
`
`IA1004
`
`U.S. Patent No. 8,316,421 to Etchegoyen
`
`IA1005
`
`U.S. Patent Pub. No. 2006/0282660 to Varghese et al.
`
`IA1006
`
`U.S. Patent No. 8,312,157 to Jakobsson et al.
`
`IA1007
`
`U.S. Patent No. 6,185,316 to Buffam et al.
`
`IA1008
`
`U.S. Patent Pub. No. 2011/0007177 to Kang et al.
`
`IA1009
`
`Provisional Patent Application No. 61/462,474
`
`IA1010
`
`U.S. Patent No. 9,294,448 to Miller et al.
`
`IA1011
`
`Prosecution File History of U.S. Patent No. 9,294,448
`
`IA1012
`
`U.S. Patent No. 8,817,984 to Miller et al.
`
`IA1013
`
`Prosecution File History of U.S. Patent No. 8,817,984
`
`IA1014
`
`Provisional Patent Application No. 61/252,960 to Etchegoyen
`
`IA1015
`
`Patent Application No. 12/903,948 to Etchegoyen
`
`IA1016
`
`Patent Application No. 12/504,159 to Jakobsson et al.
`
`IA1017
`
`Kohno et al., “Remote Physical Device Fingerprinting” (Apr. 2005)
`
`IA1018
`
`Pang et al., “802.11 User Fingerprinting” (2007)
`
`IA1019
`
`IA1020
`
`IA1021
`
`“Race Is On To ‘Fingerprint’ Phones, PCs”, WALL STREET JOURNAL
`(Nov. 30, 2010)
`Denning & MacDoran, “Location-Based Authentication: Grounding
`Cyberspace for Better Security” (Feb. 1996)
`Cortes et al., “Communities of Interest” (2001)
`
`IA1022
`
`Johansen et al., “Email Communities of Interest” (2007)
`
`
`
`
`iv
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`Aiello et al., “Analysis of Communities of Interest in Data
`Networks” (2005)
`Smart et al., “Defeating TCP/IP Stack Fingerprinting” (1999)
`
`“The Man Who Invented The Cash Machine”, BBC NEWS (June 25,
`2007)
`Redline Comparison of Provisional Patent Application No.
`61/462,474 to Specification of Application No. 12/903,948
`mSIGNIA, Inc. v. InAuth, Inc., No. 8:17-cv-1289, Dkt. No. 1,
`Complaint (C.D. Cal. July 26, 2017)
`Curriculum Vitae of Professor Patrick Traynor (Appendix A)
`
`
`
`IA1023
`
`IA1024
`
`IA1025
`
`IA1026
`
`IA1027
`
`IA1028
`
`
`
`
`
`
`v
`
`
`
`IPR of USPN 9,559,852
`
`
`I.
`
`STATEMENT OF THE PRECISE RELIEF REQUESTED AND THE
`REASONS THEREFOR (37 C.F.R. §42.22(A))
`
`InAuth, Inc. (“Petitioner”) respectfully petitions for Inter Partes review, and
`
`seeks cancellation of Claims 1-25 (“the Challenged Claims”) of USPN 9,559,852
`
`(“the ’852 patent”) pursuant to 35 U.S.C. §311 and 37 C.F.R. §42.100. For the
`
`reasons discussed below, the Challenged Claims are anticipated and/or rendered
`
`obvious by each of two prior art references, USPN 8,316,421 (“Etchegoyen”) and
`
`U.S. App. Pub. No. 2006/0282660 (“Varghese”). Neither was before the Examiner
`
`during prosecution. During prosecution, the Examiner found that the prior art
`
`disclosed all limitations of the Challenged Claims, except for a single
`
`limitation. Each of Etchegoyen and Varghese expressly disclose this limitation and
`
`all other aspects of the claimed subject matter, and therefore anticipate or render
`
`obvious all Challenged Claims. Accordingly, Petitioner respectfully requests
`
`institution of Inter Partes review and cancellation of all Challenged Claims.
`
`II. OVERVIEW
`
`The ’852 patent generally pertains to methods for identifying a computer
`
`and/or user, for example in an authentication process, by using data found on the
`
`computer (referred to as device “minutia”). According to the specification, prior
`
`art “computer fingerprinting” methods were problematic because they could use
`
`only static identifying data on the device, such as permanent serial numbers, which
`
`are prone to spoofing. IA1001, 2:51-56. Prior art methods allegedly did not
`
`
`
`1
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`provide for the use of minutia that is subject to change because routine changes to
`
`the minutia, e.g., an upgrade to a component, would alter the fingerprint and cause
`
`false identification of a device as “different” (a “false negative”). Id., 2:56-3:2.
`
` The purportedly inventive feature of the ’852 patent system was to permit
`
`use of minutia that is subject to change, such as location or hardware or software
`
`versions, in the identification process. The patented system allegedly uses
`
`information regarding “anticipated changes” to the minutia to “deliver[] a tolerant,
`
`yet secure authentication with fewer false negatives.” Id., 5:40-44; see also
`
`IA1027, ¶19.
`
`During prosecution, the Examiner found that the prior art disclosed all
`
`limitations of the Challenged Claims, except the limitation directed to using
`
`“anticipated changes” to minutia in the system. IA1002, 348. But the Examiner
`
`was not presented with the full scope of prior art, including the two references that
`
`are the basis for this petition.
`
`Indeed, Etchegoyen and Varghese each disclose exactly what the Examiner
`
`was incorrectly led to believe was missing in the prior art—systems for identifying
`
`computers and users based on minutia that is subject to change and anticipating
`
`changes to such minutia. As such, these references eliminate the basis on which
`
`the ’852 patent was mistakenly granted.
`
`
`
`
`2
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`First, Etchegoyen identified the same problem with prior art computer
`
`fingerprints mentioned in the ’852 specification, namely that “in upgrading their
`
`devices, users may inadvertently make their devices invalid to a digital fingerprint
`
`authentication process,” and did so well before the ’852 patent. IA1004, 4:30-
`
`34. Etchegoyen further proposed the same solution of using information regarding
`
`anticipated changes to minutia to provide a more tolerant system with fewer false
`
`negatives. Id., 4:41-44 (“By building tolerance into the authentication process, the
`
`risk of rejecting a valid device is reduced”). Specifically, Etchegoyen discloses
`
`categorizing portions of fingerprints as corresponding to “typical-upgrade”
`
`components (i.e., anticipated to change) or “non-typical-upgrade” components
`
`(i.e., less likely to change) and using this information to recognize a device even if
`
`it has been upgraded. Id., 2:21-29.
`
`Second, Varghese discloses yet another prior art system that uses anticipated
`
`changes to minutia to identify a device and/or user. Specifically, Varghese uses
`
`sophisticated security policies to analyze changing minutia to “assess[] whether
`
`the current behavior is deviating from what is normal[] in similar circumstances”
`
`(i.e., anticipated). IA1005, ¶¶0100, 0124. For example, such policies evaluate
`
`whether changes to minutia show “multiple locations over an impossibly short
`
`duration of time” because, if so, the user is “likely to be [a] hacker.” Id.,
`
`
`
`
`3
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`¶0102. Based on whether changes to minutia are acceptable, the Varghese system
`
`determines whether to authenticate a computer or user. Id., ¶0034.
`
`Had Etchegoyen or Varghese been disclosed to the Examiner, the ’852
`
`patent would never have issued. Indeed, in the absence of these references, the
`
`Examiner mistakenly concluded that the “closest” prior art was a reference directed
`
`to authentication based solely on static information (a human fingerprint) and a
`
`reference that was not directed to authentication at all, but rather camera
`
`technology. Etchegoyen and Varghese disclose systems that—like the ’852
`
`system—use minutia that is subject to change in the identity recognition
`
`process. It is beyond dispute that both are closer to the ’852 patent subject matter
`
`than the “closest” prosecution prior art, and that both eliminate the basis on which
`
`the Examiner allowed the patent.
`
`For the reasons discussed above and in detail below, Petitioner respectfully
`
`requests IPR review.
`
`III.
`
`IDENTIFICATION OF THE CHALLENGE (37 C.F.R. §42.104(B))
`AND RELIEF REQUESTED
`
`Pursuant to Rules 42.22(a)(1) and 42.104(b)(1)-(2), Petitioner challenges
`
`Claims 1-25 of the ’852 patent.
`
`A.
`
`Prior Art
`
`The following references are pertinent to the grounds of unpatentability
`
`explained below:
`
`
`
`
`4
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`Etchegoyen is prior art1 under 35 U.S.C. §102(e). IA1003, ¶¶60-65.
`
`Varghese is prior art under 35 U.S.C. §102(b). Id., ¶186.
`
`USPN 8,312,157 (“Jakobsson”) is prior art under 35 U.S.C. §102(e).
`
`1.
`
`2.
`
`3.
`
`Id., ¶158.
`
`B. Grounds for Challenge
`
`This Petition, supported by the declaration of Dr. Patrick Traynor (IA1003),
`
`demonstrates that there is at least a reasonable likelihood Petitioner will prevail
`
`with respect to at least one Challenged Claim, and that each of the Challenged
`
`Claims is not patentable. Petitioner requests cancellation of the Challenged Claims
`
`under the following statutory grounds:
`
`Ground 35 U.S.C. § Claims
`
`§102
`
`§103
`
`§103
`
`§103
`
`§102
`
`§103
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`
`
`1-5, 7, 14-21, 24-25
`
`1-5, 7, 14-21, 24-25
`
`6, 8-12
`
`13, 22, 23
`
`1-23, 25
`
`24
`
`References
`
`Etchegoyen
`
`Etchegoyen
`
`Etchegoyen and
`Jakobsson
`
`Etchegoyen and
`Varghese
`
`Varghese
`
`Varghese
`
`
`1 Petitioner refers to the pre-AIA statutory framework for prior art throughout.
`
`
`
`
`5
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`IV. THE ’852 PATENT
`
`The ’852 patent issued January 31, 2017 and claims priority to U.S.
`
`Provisional Application No. 61/462,474, filed February 3, 2011.2
`
`A. Overview: The ’852 Patent Purported Invention Is a Method for
`Recognizing the Identity of a Computer or User Using Minutia
`That Is Subject to Change
`
`The ’852 patent specification identifies a number of purported problems
`
`with prior art authentication methods such as use of “computer fingerprints.” An
`
`alleged drawback of such fingerprints was that they “use a relatively small set of
`
`static minutia which may be prone to spoofing.” IA1001, 2:54-56. While some
`
`prior art approaches increased the number of minutia in the fingerprint, “changes
`
`occurr[ing] naturally to the minutia can result in a new computer fingerprint,”
`
`resulting in false negatives. Id., 2:60-63.
`
`The ’852 patent purports to solve this problem by “anticipating changes to
`
`the user device or computer” and thus “deliver[ing] a tolerant, yet secure
`
`authentication with fewer false negatives.” Id., 5:40-44. Claim 1 is exemplary
`
`and reads as follows:
`
`[Preamble] An identity recognition system comprising:
`
`[1.a]
`
`a non-transitory memory storing information associated
`with one or more identities,
`
`
`2 Petitioner does not concede that the ’852 patent is entitled to a February 3, 2011
`filing date, but uses that date as the priority date solely for purposes of this
`Petition.
`
`
`
`
`6
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`[1.b]
`
`[1.c]
`
`[1.d]
`
`[1.e]
`
`[1.f]
`
`[1.g]
`
`[1.h]
`
`wherein the information stored for an identity includes
`(a) data values associated with that identity; and
`
`(b) information regarding anticipated changes to
`one or more of the stored data values associated
`with that identity;
`
`one or more hardware processors in communication
`with the memory and configured to execute
`instructions to cause the identity recognition system to
`recognize that the presentation of identity information
`by a computer is authentic, by performing operations
`comprising:
`
`generating a challenge to the computer, wherein
`the challenge prompts the computer to provide
`a response based on one or more data values
`from the computer that correspond to one or
`more of the stored data values associated with
`the identity;
`
`receiving, from the computer, the response to the
`challenge;
`
`determining whether the response is allowable,
`wherein such determining comprises using the
`stored information regarding anticipated
`changes to the stored data values associated
`with the identity to determine whether a data
`value used to form the response is based on an
`acceptable change to a corresponding stored
`data value; and
`
` recognizing that the presentation of identity
`information by the computer is authentic,
`according to whether the computer has
`provided an allowable response to the
`challenge.
`
`As recited above, the claimed system includes a memory and one or more
`
`processors. The memory stores “data values” associated with an identity, such as
`
`hardware, software, user secrets, or location information and information regarding
`
`
`
`
`7
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`anticipated changes to the stored data values. Id., 20:45-54. Such changes include
`
`changes “caused by updates and natural usage of the computer.” Id., 5:17-21.
`
`Claim 1 recites using a four-step challenge-response method with this
`
`system to “recogniz[e] that the presentation of identity information by the
`
`computer is authentic.”
`
`B.
`
`Prosecution History: The “Closest” Prior Art Before the
`Examiner Was Limited to Identity Recognition Systems Using
`Only Static Minutia, Not Minutia That Is Subject to Change
`
`Neither Etchegoyen nor Varghese were disclosed to the Examiner. In the
`
`absence of these references, the Examiner identified the “closest prior art” as
`
`USPN 6,185,316 (“Buffam”) and Pub. No. 2011/0007177 (“Kang”). IA1002, 348.
`
`Unlike the references that are the basis of this Petition, neither disclosed methods
`
`of authenticating using minutia that is subject to change. Rather, Buffam is
`
`directed to authentication using a human fingerprint (static information) and Kang
`
`is not even directed to authentication at all but rather to a camera technology. Id.
`
`Accordingly, the applicants were able to distinguish Buffam and Kang on the
`
`basis that they did not disclose evaluating whether a response is based on an
`
`“acceptable change” to stored data values. Id., 327-29. The applicants contended
`
`that the alleged invention differed from the prior art because those references
`
`taught only “ identification using fingerprint minutia . . . which do not change over
`
`time.” Id., 327. In the notice of allowance, the sole basis for allowability was that
`
`
`
`
`8
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`the prior art did not disclose element 1.g, using “stored information regarding
`
`anticipated changes” to determine whether a response was based on an “acceptable
`
`change.” Id., 348.
`
`V.
`
`SCOPE AND CONTENT OF THE PRIOR ART: Identity Recognition
`Systems Using Minutia That Is Subject to Change Were Actually Well-
`Known and Disclosed in Multiple Reference That Were Not Cited to the
`Examiner
`
`A. Etchegoyen
`
`The application that issued as Etchegoyen was filed October 13, 2010. All
`
`claims of the Etchegoyen patent are entitled to priority of a provisional application
`
`(No. 61/252,960) filed October 19, 2009. IA1003, ¶¶ 60-65.
`
`Etchegoyen identifies the same problem with prior art computer fingerprints
`
`as later noted in the ’852 specification, namely that if the fingerprint is based on
`
`components that may be upgraded or modified, then “the known device may no
`
`longer have a fingerprint or identifier that will be recognized by the authentication
`
`system.” IA1004, 1:33-38. To solve this problem, Etchegoyen provides “an
`
`authentication method with built in flexibility or tolerance to allow for some
`
`upgrades or changes to the device.” Id., 1:41-43.
`
`Etchegoyen discloses a system for authenticating devices such as
`
`smartphones or laptops using digital fingerprints that are based on components that
`
`are subject to change. Devices to be authenticated (100A, 100B in Fig. 1 of
`
`Etchegoyen) communicate with an Authenticating Server (120). Id., 6:13-19; 37-
`
`
`
`
`9
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`46. Authenticating Server receives digital fingerprint or device identifier
`
`information3 and stores such information in Storage Module (155). Id., 9:49-52.
`
`Etchegoyen discloses a wide array of minutia that may be included in the
`
`fingerprint, including “hardware component, software component, or data
`
`component,” “software version,” “geo-location code,” and “username”. Id., 4:37-
`
`40; 6:4-10; 7:24-26; 7:11-14. The fingerprint may be a concatenation of multiple
`
`“mini-fingerprints”, each corresponding to a component of the device. Id., 12:24-
`
`27.
`
`Etchegoyen discloses that the components to be used in the fingerprint may
`
`be selected from a “typical-upgrade” and a “non-typical-upgrade” components list.
`
`The typical-upgrade components include “routinely upgraded components” such as
`
`hard drive, random access memory, network adaptor, etc. Id., 2:23-26. Non-
`
`typical-upgrade components may include motherboard or microprocessor. Id.,
`
`2:26-29.
`
`
`
`Etchegoyen discloses a challenge-response protocol in which the server
`
`prompts a device to transmit a fingerprint via a “request code.” Id., 5:35-37; 5:51-
`
`58. The server then analyzes the received fingerprint by comparing each portion of
`
`the fingerprint against stored digital fingerprints. Id., 12:28-31.
`
`
`3 In Etchegoyen, a “device identifier” constitutes a type of “device fingerprint”.
`Id., 7:64-67.
`
`
`
`
`10
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`In the event of a partial mis-match between a portion of a received
`
`fingerprint and corresponding stored fingerprint, the server evaluates whether the
`
`mis-matching portion corresponds to a “typical-upgrade component” or a “non-
`
`typical-upgrade component”, as it is anticipated that changes may occur to the
`
`former. Id., 12:52-56. The server determines whether the response is acceptable
`
`and the device authentic based on the ratio of failed fingerprint portions
`
`corresponding to non-typical-upgrade components to failed fingerprint portions
`
`corresponding to typical-upgrade components (“typical-upgrade ratio”). Id.,
`
`13:22-38.
`
`B.
`
`Varghese
`
`Varghese published on December 14, 2006. Varghese discloses an identity
`
`recognition system that determines whether to authenticate a computer or user by
`
`analyzing dynamically changing minutia to “assess[] whether the current behavior
`
`is deviating from what is normal[] in similar circumstances”. IA1005, ¶¶0100,
`
`0124.
`
`In one embodiment, upon detecting a request from a computer to access a
`
`resource, a server issues a “FingerPrintRequest” to the device, which “gathers
`
`identifying information describing the device” such as location information and
`
`software information (e.g., OS version). Id., ¶¶0090, 0075-76.
`
`
`
`
`11
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`The system then analyzes the received minutia values by comparing them to
`
`previously received values. Varghese discloses numerous “Security Policies” for
`
`analyzing whether or not changes to the minutia are acceptable. Id., ¶¶0098, 0100.
`
`One such policy evaluates whether changes show “multiple locations over an
`
`impossibly short duration of time” because, if so, the user is “likely to be [a]
`
`hacker.” Id., ¶0102. Using the Security Policies, Varghese calculates a risk score
`
`for the user request, which is used to determine whether or not to authenticate the
`
`device and user. Id., ¶¶0091, 0143.
`
`VI. LEVEL OF ORDINARY SKILL IN THE ART
`
`A person of ordinary skill in the art (“POSA”) at the time the application
`
`leading to the ’852 patent was filed would have an undergraduate degree in
`
`Computer Science, Electrical Engineering, or related fields and at least two-year’s
`
`experience with networking technologies, or a masters degree in Computer Science,
`
`Electrical Engineering, or related fields with at least one-year’s experience with
`
`networking technologies. Additional education could substitute for hands-on
`
`experience. IA1003, ¶¶22-23.
`
`VII. PROPOSED CLAIM CONSTRUCTIONS
`
`In accordance with 37 C.F.R. §42.100(b), the Challenged Claims must be
`
`given their broadest reasonable interpretations (BRI) in light of the specification
`
`and prosecution history. Petitioner submits that, for purposes of this IPR, the terms
`
`
`
`
`12
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`of the Challenged Claims take their ordinary and customary meaning that they
`
`would have to a POSA. To assist the PTAB in its analysis of the prior art,
`
`Petitioner sets forth below the plain and ordinary meaning of one term. Petitioner
`
`reserves the right to respond to, and/or to offer alternative constructions, to any
`
`proposed claim constructions offered by Patent Owner.4
`
`A.
`
`“generating a challenge” (Claims 1, 24, 25)
`
`POSA would have understood the term “generating a challenge” to mean,
`
`under the BRI: generating a request for information. IA1003, ¶¶49-50. As used in
`
`the specification, the challenge is a request to the computer to provide information
`
`based on selected minutia. The specification uses the term consistently with how it
`
`is used in the art, where a POSA would understand a “challenge” to be a question
`
`that the challenged party must answer correctly to proceed in the authentication
`
`process. A POSA, reviewing the ’852 specification, would understand this term to
`
`mean a “request for information”.
`
`
`4 The BRI of claim terms may differ from the construction those same terms may
`receive in connection with claim construction in a district court. See In re Trans
`Texas Holdings Corp., 498 F.3d 1290, 1297 (Fed. Cir. 2007). The claim
`constructions and applications of claim terms to the prior art used in this Petition
`do not necessarily reflect the claim constructions that Petitioner believes should be
`adopted by a district court.
`
`
`
`
`13
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`VIII. GROUND 1: CLAIMS 1-5, 7, 14-21, AND 24-25 ARE ANTICIPATED
`BY ETCHEGOYEN
`
`As illustrated in the claim charts and discussion below, a POSA would have
`
`understood that Etchegoyen discloses each element of, and therefore anticipates,
`
`Claims 1-5, 7, 14-21, and 24-25 of the ’852 patent. IA1003, ¶¶60-149.
`
`A.
`
`Independent Claim 1
`
`No. Claim Element
`1.pre 1. An identity
`recognition system
`comprising:
`
`1.a
`
`a non-transitory memory
`storing information
`associated with one or
`more identities,
`
`Etchegoyen
`From a practical standpoint, it is quite possible
`for a user of given known device (e.g., a device
`that is known and authorized to access a secured
`network), to upgrade, replace, or otherwise
`modify one or more components of the
`device. . . . Accordingly, it would be desirable
`to provide an authentication method with built
`in flexibility or tolerance to allow for some
`upgrades or changes to the device.
`
`(1:30-43.)
`
`After receiving the one or more digital
`fingerprints from the device, the authentication
`server stores the digital fingerprints along with
`other received information from the device. In
`one embodiment, the one or more digital
`fingerprints are associated with the device and
`user data and then stored in a database.
`(10:52-57.)
`
`
`
`
`14
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`No. Claim Element
`
`Etchegoyen
`
`1.b
`
`wherein the information
`stored for an identity
`includes (a) data values
`associated with that
`identity; and
`
`
`
`On the first install or run of the authentication
`client, a digital fingerprint (“first boot
`fingerprint”) is generated using information
`collected on the device’s hardware and software
`environment. The first boot fingerprint may
`then be stored for later comparison with newly
`received digital fingerprints during future
`authentication processes.
`
`(4:56-62.)
`
`
`The information used to generate the digital
`fingerprint may include information regarding
`hardware and software components, hardware
`configurations or statuses, and software version,
`etc.
`
`(4:37-40.)
`
`
`1.c
`
`
`
`
`(b) information
`regarding anticipated
`changes to one or more
`of the stored data values
`associated with that
`identity;
`
`[T]he first boot fingerprint may be generated
`using specific components of the device as
`predetermined by the authentication client. The
`specific components may include components
`from a typical-upgrade components list or a
`non-typical-upgrade components list.
`(4:63-5:2.)
`
`15
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`No. Claim Element
`
`1.d
`
`1.e
`
`one or more hardware
`processors in
`communication with the
`memory and configured
`to execute instructions to
`cause the identity
`recognition system to
`recognize that the
`presentation of identity
`information by a
`computer is authentic, by
`performing operations
`comprising:
`generating a challenge to
`the computer, wherein
`the challenge prompts
`the computer to provide
`a response based on one
`or more data values from
`the computer that
`correspond to one or
`more of the stored data
`values associated with
`the identity;
`
`Etchegoyen
`The device may then be authenticated based on
`the total number of failed fingerprint portions
`and having a predetermined non-typical-
`upgrade component/typical-upgrade
`component ratio (see step 450).
`
`(13:22-25.)
`
`
`See element 1.a, “Processing Module” of Figure
`1; see also 3:1-17; 3:38-49.
`
`
`
`According to another embodiment of the present
`invention, the authenticating server may
`generate a request code, to be transmitted to the
`device, representing one or more fingerprints of
`one or more components of a device. The
`request code may be configured to represent
`one or more portions of fingerprints of
`components located in the device.
`
`(5:35-40.)
`
`
`The request code may be configured such that
`when it is read by the device, a response code is
`generated by the device. The response code
`comprises one or more portions of the requested
`fingerprints of components inside the device.
`(5:44-47.)
`
`
`
`
`16
`
`
`
`
`
`
`
`IPR of USPN 9,559,852
`
`
`No. Claim Element
`
`Etchegoyen
`[T]he request code may request the following:
`the first five digits of the serial number of the
`device; the version of the operating system;
`and/or the last four digi