`571-272-7822
`
`
`
`
`Paper 26
`
`Date: March 31, 2020
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`CISCO SYSTEMS, INC.,
`Petitioner,
`
`v.
`
`CENTRIPETAL NETWORKS, INC.,
`Patent Owner.
`____________
`
`IPR2018-01513
`Patent 9,560,077 B2
`____________
`
`
`Before BRIAN J. McNAMARA, J. JOHN LEE, and
`JOHN P. PINKERTON, Administrative Patent Judges.
`
`LEE, Administrative Patent Judge.
`
`
`
`
`JUDGMENT
`Final Written Decision
`Determining All Challenged Claims Unpatentable
`35 U.S.C. § 318(a)
`
`
`
`
`
`
`
`
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`INTRODUCTION
`
`Cisco Systems, Inc. (“Petitioner”) filed a Petition (Paper 2, “Pet.”)
`
`requesting an inter partes review of claims 1–20 (“the challenged claims”)
`
`of U.S. Patent No. 9,560,077 B2 (Ex. 1001, “the ’077 Patent”). An inter
`
`partes review of all challenged claims was instituted on April 2, 2019.
`
`Paper 7 (“Inst. Dec.”). After institution, Centripetal Networks, Inc. (“Patent
`
`Owner”) filed a Patent Owner Response (Paper 13, “PO Resp.”), Petitioner
`
`filed a Reply (Paper 16, “Pet. Reply”), and Patent Owner filed a Sur-reply
`
`(Paper 20, “PO Sur-reply”). An oral hearing was held on January 9, 2020.
`
`Paper 24 (“Tr.”).
`
`We have jurisdiction under 35 U.S.C. § 6. This Final Written
`
`Decision is issued pursuant to 35 U.S.C. § 318(a). As explained below,
`
`Petitioner has shown by a preponderance of the evidence that all challenged
`
`claims of the ’077 Patent are unpatentable.
`
`A.
`
`Related Cases
`
`The parties identify as related to the present case Centripetal
`
`Networks, Inc. v. Cisco Systems, Inc., Case No. 2:18-cv-00094-MSD-LRL
`
`(E.D. Va.). Pet. 1; Paper 3, 1.
`
`B.
`
`The ’077 Patent
`
`The ’077 Patent relates to protecting networks using packet security
`
`gateways (PSGs) armed with dynamic security policies. Ex. 1001, 1:48–61.
`
`Figure 1 of the ’077 Patent is reproduced below:
`
`2
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`
`
`Figure 1 illustrates network environment 100 in which aspects of the
`
`claimed invention of the ’077 Patent are implemented, with networks 102,
`
`104, 106, 108, and 110 interfacing with each other. Id. at 4:27–30, 4:38–40.
`
`For example, one or more Internet Service Providers (ISPs) in network
`
`environment 100 may interface one or more networks via the Internet. Id. at
`
`4:40–45. PSG 112 is located at the boundary between Network A 102 and
`
`Network E 110. Id. at 5:11–15. Network A 102 may be, for example, a
`
`Local Area Network (LAN) associated with an organization or other entity.
`
`Id. at 4:30–37. Each PSG receives a dynamic security policy from security
`
`policy management (SPM) server 120. Id. at 5:29–31.
`
`
`
`PSG 112 may include a packet filter that examines information
`
`associated with data packets received by the PSG via its network interfaces
`
`3
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`with network A and network E. Id. at 5:66–6:10, Fig. 2. The packet filter
`
`may be configured with a dynamic security policy that includes one or more
`
`rules, each of which may specify criteria and an action to be taken on data
`
`packets meeting the criteria. Id. at 6:11–31. Such actions may include
`
`forwarding or dropping the packets. Id. at 6:19–27. In addition, PSG 112
`
`may be configured in a “network layer transparent manner,” i.e., without a
`
`network layer address, to be insulated against attacks launched at the
`
`network layer. Id. at 6:32–46.
`
`C. Challenged Claims
`
`Petitioner challenges all of the claims of the ’077 Patent. Claims 1, 7,
`
`13, 19, and 20 are the independent claims. Claim 1 is illustrative and is
`
`reproduced below:
`
`1.
`
`A method comprising:
`
`provisioning, each device of a plurality of devices, with one or
`more rules generated based on a boundary of a network protected
`by the plurality of devices with one or more networks other than
`the network protected by the plurality of devices at which the
`device is configured to be located; and
`
`configuring, each device of the plurality of devices, to:
`
`receive packets via a communication interface that does
`not have a network-layer address;
`
`responsive to a determination by the device that a portion
`of the packets received from or destined for a host located
`in the network protected by the plurality of devices
`corresponds to criteria specified by the one or more rules,
`drop the portion of the packets; and
`
`modify a switching matrix of a local area network (LAN)
`switch associated with the device such that the LAN
`
`4
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`switch is configured to drop the portion of the packets
`responsive to the determination by the device.
`
`D.
`
`Asserted Grounds of Unpatentability and Asserted Prior Art
`
`Trial was instituted on the following grounds of unpatentability
`
`asserted in the Petition:
`
`Claim(s) Challenged
`
`35 U.S.C. §
`
`Reference(s)/Basis
`
`1–4, 6–10, 12–16, 18, 20 103(a)1
`
`Jungck2
`
`5, 11, 17, 19
`
`103(a)
`
`Jungck, RFC 20033
`
`Inst. Dec. 26; see Pet. 20. In addition, Petitioner relies on two declarations
`
`by its proffered expert witness, Dr. Kevin Jeffay (Ex. 1004; Ex. 1012).
`
`Likewise, Patent Owner relies on a declaration by its proffered expert
`
`witness, Dr. Michael Goodrich (Ex. 2004).
`
`A.
`
`Level of Ordinary Skill in the Art
`
`ANALYSIS
`
`Based principally on the testimony of Dr. Jeffay, Petitioner asserts
`
`that a person of ordinary skill in the art would have had a bachelor’s degree
`
`
`
`1 The Leahy-Smith America Invents Act (“AIA”), Pub. L. No. 112-29, 125
`Stat. 284, 287–88 (2011), amended 35 U.S.C. § 103. Because the
`application from which the ’077 patent issued is a continuation of an
`application filed before March 16, 2013, the effective date of the relevant
`amendment, the pre-AIA version of § 103 applies.
`
`2 U.S. Patent Appl. Pub. No. 2009/0262741 A1, published Oct. 22, 2009
`(Ex. 1008, “Jungck”).
`
`3 C. Perkins, IP Encapsulation within IP, Oct. 1996 (Ex. 1009, “RFC
`2003”).
`
`5
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`in computer science, computer engineering or an equivalent, as well as four
`
`years of industry experience. Pet. 21 (citing Ex. 1004 ¶¶ 23–25). In
`
`addition, Petitioner indicates a person of ordinary skill would have had “a
`
`working knowledge of packet-switched networking, firewalls, security
`
`policies, communication protocols and layers, and the use of customized
`
`rules to address cyber-attacks.” Id.
`
`In its Response, Patent Owner does not dispute Petitioner’s
`
`formulation of the level of skill in the art.4 Based on the complete trial
`
`record, we find Dr. Jeffay’s testimony credible and persuasive (Ex. 1004
`
`¶¶ 23–25), and we adopt Petitioner’s formulation as a result.
`
`B.
`
`Claim Construction
`
`In this case, we give claim terms their broadest reasonable
`
`construction in light of the specification of the patent in which they appear.
`
`37 C.F.R. § 42.100(b) (2018); see Cuozzo Speed Techs., LLC v. Lee, 136 S.
`
`Ct. 2131, 2144–46 (2016). In the Decision on Institution, we construed
`
`several terms as follows:
`
`Claim Term/Phrase
`
`Construction
`
`rule / rules
`
`a condition or set of conditions that
`when satisfied cause a specific function
`to occur
`
`
`
`4 Dr. Goodrich testified to a slightly different description of the level of skill
`in the art (Ex. 2004 ¶¶ 50–51), but Patent Owner did not argue during trial
`that Dr. Goodrich’s description should be adopted instead of Dr. Jeffay’s
`description and waived any such argument as a result. See In re NuVasive,
`Inc., 842 F.3d 1376, 1380–81 (Fed. Cir. 2016). Moreover, Dr. Goodrich
`testified that his opinions would be unchanged under Dr. Jeffay’s description
`of the level of ordinary skill. Ex. 2004 ¶ 51.
`
`6
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`Claim Term/Phrase
`
`Construction
`
`provisioning, each device of a
`plurality of devices, with one or
`more rules generated based on a
`boundary of a network
`protected by the plurality of
`devices with one or more
`networks other than the network
`protected by the plurality of
`devices at which the device is
`configured to be located
`
`layer-2 virtual local area
`network (VLAN)
`
`network-layer address
`
`LAN switch
`
`switching matrix of a local area
`network (LAN) switch
`
`communicating one or more rules to
`each device of a plurality of devices,
`where the rule(s) are generated based on
`the location of the device at a boundary
`between a network protected by the
`plurality of devices and one or more
`other networks
`
`logical grouping of devices on one or
`more local area networks (LANs) that
`allows layer-2 communication to occur
`between them
`
`an address that identifies a device for
`communication on the network layer,
`such as an IP address
`
`a network device configured to send and
`receive data between computers on a
`local area network
`
`a switching matrix contained within a
`LAN switch that is configured to direct
`traffic in a LAN
`
`Inst. Dec. 10. Neither party disputed any of these preliminary claim
`
`constructions, and both parties adopted these constructions during trial. See
`
`PO Resp. 8–10; Pet. Reply 1. We do not discern any evidence in the full
`
`record after trial indicating that these constructions are incorrect or should be
`
`modified. Thus, we apply these constructions in this Decision.
`
`No other claim terms in the ’077 Patent require express construction
`
`for purposes of this Decision. See Nidec Motor Corp. v. Zhongshan Broad
`
`Ocean Motor Co., 868 F.3d 1013, 1017 (Fed. Cir. 2017) (holding that only
`
`7
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`claim terms in controversy require express construction, and only to the
`
`extent necessary to resolve the controversy). The parties raise additional
`
`issues involving claim interpretation in the context of applying the asserted
`
`prior art; such issues are discussed below in our obviousness analysis, to the
`
`extent necessary.
`
`C.
`
`Alleged Unpatentability Under § 103(a)
`
`A claim is unpatentable under § 103 if the differences between the
`
`claimed subject matter and the prior art are “such that the subject matter as a
`
`whole would have been obvious at the time the invention was made to a
`
`person having ordinary skill in the art to which said subject matter pertains.”
`
`KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The question of
`
`obviousness is resolved on the basis of underlying factual determinations,
`
`including: (1) the scope and content of the prior art; (2) any differences
`
`between the claimed subject matter and the prior art; (3) the level of skill in
`
`the art; and (4) objective evidence of non-obviousness, i.e., secondary
`
`considerations. Graham v. John Deere Co., 383 U.S. 1, 17–18 (1966).
`
`Additionally, the obviousness inquiry typically requires an analysis of
`
`“whether there was an apparent reason to combine the known elements in
`
`the fashion claimed by the patent at issue.” KSR, 550 U.S. at 418 (citing
`
`In re Kahn, 441 F.3d 977, 988 (Fed. Cir. 2006) (requiring “articulated
`
`reasoning with some rational underpinning to support the legal conclusion of
`
`obviousness”)); see In re Warsaw Orthopedic, Inc., 832 F.3d 1327, 1333
`
`(Fed. Cir. 2016) (citing DyStar Textilfarben GmbH & Co. Deutschland KG
`
`v. C. H. Patrick Co., 464 F.3d 1356, 1360 (Fed. Cir. 2006)).
`
`As noted above, Petitioner contends that claims 1–4, 6–10, 12–16, 18,
`
`and 20 are unpatentable as obvious over Jungck. Pet. 20. Further, Petitioner
`
`8
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`contends that claims 5, 7, 11, and 19 are unpatentable as obvious over the
`
`combination of Jungck and RFC 2003. Id.
`
`1.
`
`Overview of Jungck
`
`Jungck is a published patent application relating to improvements to a
`
`network’s infrastructure, including a “packet interceptor/processor apparatus
`
`[that] is coupled with the network so as to be able to intercept and process
`
`packets flowing over the network.” Ex. 1008, code (57). “The apparatus
`
`applies one or more rules to the intercepted packets which execute one or
`
`more functions on a dynamically specified portion of the packet and take
`
`one or more actions with the packets.” Id. Such actions may include
`
`releasing the packet unmodified, deleting the packet, or forwarding the
`
`packet for subsequent processing. Id.
`
`Figure 1 of Jungck is reproduced below:
`
`
`
`9
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`Figure 1 depicts exemplary network 100 for use with the embodiments
`
`disclosed in Jungck. Id. ¶ 31. Network 100 may be the Internet, another type
`
`of public network, or a private network. Id. For example, the network may
`
`be a LAN or a wide area network (WAN). Id. ¶ 32. As shown in Figure 1, a
`
`client device (e.g., client 106) may be connected to network 100 via a point-
`
`of-presence (POP, e.g., POP 116), which is a “connecting point which
`
`separates the client . . . from the network.” Id. ¶ 41. A POP may comprise,
`
`for example, one or more routers, and may be provided by an ISP. Id.
`
`Jungck discloses a number of embodiments. The “[t]hird”
`
`embodiment is depicted in Figure 6, which is reproduced below:
`
`Figure 6 depicts enhanced network 100, which is connected to clients 102,
`
`104, 106, and 612 via service providers 118 and 120. Id. ¶ 107. More
`
`specifically, each client is connected via a POP—for example, client 104 is
`
`
`
`10
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`connected via POP2A of service provider 118. Id. Service provider 118
`
`also has edge server 602A, which may be “integrated with a router” and is
`
`“able to intercept all network traffic flowing between [POPs 116, including
`
`POP2A] and the network 100.” Id. Once network traffic is intercepted,
`
`edge server 602A can, for example, detect packets “whose origin address
`
`could not have come from the downstream network . . . to which it is
`
`connected” and prevent those packets from reaching network 100. Id. ¶ 111.
`
`
`
`The “fourth embodiment” of Jungck is depicted in Figure 7, which is
`
`reproduced below:
`
`Figure 7 depicts “edge adapter/packet interceptor system 700,” featuring
`
`packet interceptor adapter 720 coupled with router 702. Id. ¶¶ 126–127.
`
`Router 702 may be located within an ISP located at the edge of network 100,
`
`which may be the Internet or a private intranet/extranet as described above
`
`
`
`11
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`(e.g., Figure 1), and additionally may be an optical based network or an
`
`electrical network. Id. ¶ 127.
`
`
`
`Jungck’s “[f]ifth” embodiment includes exemplary device 900
`
`coupled with optical based network 100 (such as the Internet). Id. ¶ 265.
`
`Device 900 is positioned to “intercept and process packets communicated
`
`between the upstream network portion 100A and the downstream network
`
`portion 100B.” Id. ¶ 266. Processing elements within device 900 may
`
`perform “ingress and egress filtering,” whereby device 900 is “programmed
`
`with the range of network addresses in [downstream network portion 100B]”
`
`such that device 900 is able to detect and filter out packets arriving from
`
`downstream network portion 100B that do not have a network address
`
`within that range. Id. ¶ 269.
`
`2.
`
`Overview of RFC 2003
`
`
`
`RFC 2003 is a specification of an Internet protocol (IP) standard,
`
`specifically “a method by which an IP datagram may be encapsulated
`
`(carried as payload) within an IP datagram.” Ex. 1009, 1. This
`
`encapsulation enables altering the normal routing for a datagram by
`
`delivering it to an intermediate destination not specified by the IP header of
`
`the datagram. Id. This is performed by inserting an outer IP header before
`
`the original IP header whereby the outer IP header specifies that
`
`intermediate destination’s address. See id. at 3.
`
`3.
`
`Independent Claim 1
`
`a. Motivation to Combine the Jungck Embodiments
`
`The Petition relies on the teachings of multiple embodiments of
`
`Jungck to support its arguments with respect to each element of claim 1. See
`
`12
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`Pet. 33–46. Thus, we first address whether Petitioner articulated a sufficient
`
`rationale supporting its contention that a person of ordinary skill would have
`
`been motivated to combine the teachings of Jungck’s embodiments.
`
`Petitioner contends that a person of ordinary skill would have had
`
`reason to combine the embodiments because they are all applicable to the
`
`same network environment and architecture, and are directed to similar
`
`functions, as explained by Dr. Jeffay. Pet. 32 (citing Ex. 1008 ¶¶ 25, 31,
`
`111, 126, 182–183, 263–264, 282; Ex. 1004 ¶¶ 140–143). For example, as
`
`Dr. Jeffay noted (Ex. 1004 ¶ 140), Jungck expressly denotes Figure 1 as
`
`showing an exemplary network environment applicable to all of Jungck’s
`
`embodiments. See Ex. 1008 ¶ 31, Fig. 1; Pet. 22–23. Dr. Jeffay also
`
`identified specific features and objectives (e.g., packet filtering, packet
`
`interception at an edge device, prevention of distributed denial of service
`
`(DDoS) attacks, ingress filtering) that Jungck indicates are common or
`
`related to each of the embodiments in Petitioner’s asserted combination,
`
`noting that all of the embodiments are, of course, disclosed in the same
`
`reference and that Jungck does not discourage their combination. See
`
`Ex. 1004 ¶¶ 140–141; see also Ex. 1012 ¶¶ 18, 19, 28–32 (providing
`
`additional evidentiary support in Jungck).
`
`Relying on Dr. Jeffay’s testimony, Petitioner further asserts that
`
`combining the teachings of each of the Jungck embodiments would have
`
`“produce[d] predictable and operable results,” and involved “simple
`
`substitutions, and applying known programming techniques to improve
`
`similar systems” that a skilled artisan would have understood how to
`
`implement to accomplish certain design objectives. Id. at 32–33 (citing
`
`Ex. 1004 ¶¶ 140–143). Dr. Jeffay identified particular reasons and contexts
`
`13
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`in which an ordinary artisan would have looked to the embodiments, such as
`
`adding additional edge devices without additional latency (fourth
`
`embodiment) and addressing higher traffic volume when dealing with the
`
`“Optical Internet.” See Ex. 1004 ¶¶ 141–142; Ex. 1012 ¶¶ 28–34.
`
`We agree with Petitioner’s reasoning, and we find Dr. Jeffay’s
`
`supporting testimony to be credible and persuasive. Patent Owner’s
`
`arguments are unpersuasive, as we explain below.
`
`Patent Owner first argues that Petitioner sets forth a “multiplicity of
`
`ambiguous grounds” and “dozens of distinct challenges” that require the
`
`Board to speculate as to the combination of teachings Petitioner seeks to rely
`
`on. PO Resp. 27–29. We disagree. For each limitation of claim 1, the
`
`Petition sets forth the specific teachings from each embodiment of Jungck
`
`that it contends should be combined, and with adequate particularity. See
`
`generally Pet. 33–46. We also disagree that Petitioner’s arguments and
`
`Dr. Jeffay’s testimony are insufficient under TQ Delta, LLC v. Cisco
`
`Systems, Inc., 942 F.3d 1352, 1361–62 (Fed. Cir. 2019). PO Sur-reply 13–
`
`14. In TQ Delta, the Federal Circuit held that an expert’s unsupported
`
`testimony alone was inadequate to supply the necessary link between a
`
`technical problem described in one reference, and the purported solution in
`
`another reference. 942 F.3d at 1361–62. Here, as discussed above, Dr.
`
`Jeffay’s testimony is supported by specific disclosures of Jungck regarding
`
`the common problems addressed by each of the relevant embodiments, and
`
`similarities between the specific devices in each embodiment. See Ex. 1004
`
`¶¶ 140–143; Ex. 1012 ¶¶ 18, 19, 28–34.
`
`Next, Patent Owner contends that Jungck’s third embodiment is
`
`incompatible with the fourth and fifth embodiments because their network
`
`14
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`topologies are incompatible. PO Resp. 29–31, 33–35. According to Patent
`
`Owner, the relevant device of the third embodiment is depicted “in a manner
`
`such that the network 100 is always to one side thereby allegedly isolating
`
`the respective [ISP] networks 118 and 120.” Id. at 29–30 (citing Ex. 2004
`
`¶ 75; Ex. 1008, Fig. 6). In contrast, Patent Owner alleges the fourth and fifth
`
`embodiments are depicted such that network 100 is on both sides of the
`
`relevant device. Id. at 30–31, 33–35 (citing Ex. 2004 ¶¶ 80, 86; Ex. 1008,
`
`Figs. 7, 9).
`
`In essence, Patent Owner argues that a person of ordinary skill would
`
`not have bodily incorporated edge server 602 of the third embodiment
`
`together with packet interceptor adapter 720 of the fourth embodiment, or
`
`device 900 of the fifth embodiment, due to these alleged differences in
`
`depicted network topology. But that does not reflect the proper test for
`
`obviousness.
`
`The test for obviousness is not whether the features of a
`secondary reference may be bodily incorporated into the
`structure of the primary reference; nor is it that the claimed
`invention must be expressly suggested in any one or all of the
`references. Rather, the test is what the combined teachings of
`the references would have suggested to those of ordinary skill in
`the art.
`
`In re Keller, 642 F.2d 413, 425 (CCPA 1981). Thus, Petitioner need not
`
`show that these embodiments are able to be combined in their entirety, or
`
`that every feature of each embodiment is compatible. More importantly,
`
`Petitioner need not show that a skilled artisan would have been motivated to
`
`combine every feature of these embodiments. Patent Owner’s assertion that
`
`Jungck never expressly discloses that the devices of these embodiments are
`
`interchangeable or should be combined is inapposite for the same reason.
`
`15
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`See PO Resp. 32, 35–36.5 Indeed, as Petitioner notes (Pet. Reply 20–21),
`
`Patent Owner and Dr. Goodrich effectively acknowledge that Jungck teaches
`
`the devices of the third and fourth embodiments may be used together by
`
`admitting that Jungck teaches they may be “used in conjunction with” each
`
`other. See PO Resp. 32 (quoting Ex. 2004 ¶ 73) (emphasis omitted).
`
`Moreover, Petitioner does not rely on the network topology of either
`
`the fourth or fifth embodiment; thus, whether those topologies are
`
`compatible with the third embodiment is irrelevant unless, for example, the
`
`relevant teachings of the fourth or fifth embodiments require or depend on
`
`those topologies. See id. Patent Owner has not shown that is the case.
`
`Further, we agree with Petitioner that, in view of the similarity in the
`
`functions performed by all three embodiments, the differences in the
`
`corresponding topologies relative to network 100 shown in Jungck’s figures
`
`do not negate the reason to combine the respective teachings to a person of
`
`ordinary skill. Pet. Reply 20, 22; Ex. 1012 ¶¶ 22–26, 33. Jungck states edge
`
`server 602 of the third embodiment operates similarly to edge servers 402
`
`and 502 of the first and second embodiments. Ex. 1008 ¶ 108. In its
`
`discussion of the fourth embodiment, Jungck states the following:
`
`As can be seen from the above embodiments, edge devices
`generally perform the basic functions of intercepting packets
`from the general flow of network traffic, processing the
`intercepted packets and potentially releasing the original packets
`and/or reinserting new or modified packets back into the general
`flow of network traffic.
`
`
`
`5 We note that Jungck states that “any device which intercepts and processes
`packets can utilize the packet interceptor adaptor 720” of Jungck’s fourth
`embodiment. Ex. 1008 ¶ 180; Pet. 43.
`
`16
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`Id. ¶ 125. Thus, we find that Jungck teaches that each of its embodiments,
`
`in general, operate in a similar manner and perform similar functions. See
`
`Pet. 32 (citing Ex. 1008 ¶¶ 25, 31, 111, 126, 182, 183, 263, 264, 282;
`
`Ex. 1004 ¶¶ 140–142); Pet. Reply 20, 22 (citing Ex. 1008 ¶¶ 108, 113, 120–
`
`125, 127, 130, 131, 268, 269, 271; Ex. 1012 ¶¶ 28, 32).
`
`Patent Owner next contends that Jungck “expressly distinguishes” the
`
`third and fourth embodiments by describing how the fourth embodiment
`
`“can allegedly remedy the disadvantages typically caused by the
`
`implementation of Jungck’s [third embodiment] through the use [of] an edge
`
`adapter/packet interceptor system 700.” PO Resp. 31–32 (citing Ex. 1008
`
`¶¶ 124, 126; Ex. 2004 ¶ 83). The cited evidence, however, does not support
`
`this argument.
`
`The cited portions of Jungck make no mention of the third
`
`embodiment, much less expressly distinguish it or describe disadvantages of
`
`its implementation. See Ex. 1008 ¶¶ 124, 126. Rather, Jungck describes
`
`certain general technical challenges that the fourth embodiment is designed
`
`to address, such as latency. See id. Patent Owner does not identify evidence
`
`indicating whether those challenges apply to the third embodiment, nor does
`
`Patent Owner explain why that would be the case. See PO Resp. 31–32.
`
`In the testimony cited by Patent Owner, Dr. Goodrich only testified
`
`that the respective devices of the third and fourth embodiments are “separate
`
`and distinct” and that they “are not meant to be interchangeable.” Ex. 2004
`
`¶ 83. This evidence, too, fails to explain whether, or why, the technical
`
`challenges that the fourth embodiment addresses would indicate that a
`
`skilled artisan would not have combined its teachings with those of the third
`
`embodiment. In fact, we are persuaded that a person of ordinary skill would
`
`17
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`have had reason to combine the teachings of these embodiments to achieve
`
`the advantages of the fourth embodiment with respect to those challenges—
`
`i.e., to “decouple the interception of packets from the processing of those
`
`intercepted packets and provide a generic packet interception and pre-
`
`processing engine which can be utilized in parallel by multiple edge
`
`devices.” Id. ¶ 126; see Pet. 32 (quoting Jungck as indicating that the fourth
`
`embodiment, thus, enables avoiding “introducing additional network latency
`
`or potential failure points to the packet flow with the addition of each such
`
`edge/packet interception device”).
`
`Finally, Patent Owner contends Jungck teaches away from combining
`
`the fourth and fifth embodiments “because of the cost and latency issues
`
`described by Jungck for doing so.” PO Resp. 36. Specifically, Patent
`
`Owner relies on the testimony of Dr. Goodrich, who testified that an
`
`ordinary artisan would understand that “placing the packet interceptor
`
`adapters of [the fourth embodiment] in series, as is done with components of
`
`the device 900 in [the fifth embodiment] would increase network latency and
`
`potentially degrade ‘wire speed’ performance.” Ex. 2004 ¶ 89. Again,
`
`however, Patent Owner’s argument fails because bodily incorporation of the
`
`fifth embodiment—including placing devices in series—with the fourth
`
`embodiment is not required to prove obviousness. See Keller, 642 F.2d at
`
`425. Critically, Petitioner does not rely on Jungck’s disclosure of placing
`
`devices in series in the fifth embodiment as teaching any element of any
`
`challenged claim.
`
`Moreover, even considering the “in series” aspect of the fifth
`
`embodiment, we find credible and persuasive Dr. Jeffay’s testimony that
`
`such a practice—i.e., “pipelining”—was known to actually improve
`
`18
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`throughput and wire speed performance in some applications. Ex. 1012
`
`¶ 34. We further credit Dr. Jeffay’s testimony that a person of ordinary skill
`
`would have known how to balance the benefits and drawbacks (e.g., latency)
`
`of pipelining and other configurations to combine the relevant teachings of
`
`Jungck, rather than be deterred from combining them at all. Id. His
`
`testimony is supported by Jungck, which discloses that coupling devices
`
`serially could “enhance the ability to sub-divide the processing task[s],
`
`lowering the burden on any one network processor 906C, 906D only at the
`
`cost of the latency added to the packet stream by the additional network
`
`processors.” Ex. 1008 ¶ 278.
`
`For all of the reasons explained above, we conclude that the record
`
`evidence after trial supports Petitioner’s position, and we find that a person
`
`of ordinary skill would have been motivated to combine the teachings of
`
`Jungck’s embodiments in the manner set forth in the Petition.
`
`b.
`
`The “provisioning” limitation
`
`Claim 1 first recites “provisioning, each device of a plurality of
`
`devices, with one or more rules generated based on a boundary of a network
`
`protected by the plurality of devices with one or more networks other than
`
`the network protected by the plurality of devices at which the device is
`
`configured to be located.” According to Petitioner, Jungck teaches this
`
`“provisioning” limitation of claim 1 in its description of edge servers.
`
`Pet. 33–37. Specifically, Petitioner contends that Jungck discloses multiple
`
`edge servers (i.e., the recited “plurality of devices”) protecting a network
`
`(e.g., network 100 in Figure 6) from malicious traffic originating from other
`
`networks (e.g., the downstream networks of POPs 114 or 116) by being
`
`located at the boundary between them and filtering the traffic. Id. at 34, 36;
`
`19
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`see Ex. 1008, Fig. 6. Jungck explains that the edge server can “monitor the
`
`data transmission being generated by clients 102, 104, 106, 602 for
`
`malicious program code,” and “can eradicate it or prevent it from reaching
`
`the network 100,” thereby protecting the network. Ex. 1008 ¶ 111; see
`
`Ex. 1004 ¶¶ 148–151.
`
`For instance, Petitioner asserts that Jungck discloses an edge server
`
`capable of detecting data packets with origin addresses that do not match the
`
`downstream network to which it is connected, and blocking those packets
`
`from reaching the protected network. Pet. 36–37 (citing Ex. 1008 ¶ 111).
`
`Additionally, Petitioner also cites Jungck’s discussion of ingress filtering in
`
`its fifth embodiment, which similarly describes a device programmed to
`
`filter out data with invalid source network addresses. Id. (citing Ex. 1008
`
`¶ 269). Thus, Petitioner argues, Jungck teaches an edge server that applies
`
`rules based on the particular boundary where the edge server is located, i.e.,
`
`the boundary with a particular downstream network. Id. Petitioner also
`
`cites Jungck’s disclosure of a “rules processor” that interfaces with external
`
`devices that define and communicate rule sets to the packet interceptor
`
`adapter, for example, to intercept particular types of packets. See id. at 36;
`
`Ex. 1008 ¶ 157.
`
`Considering the complete trial record, we are persuaded by
`
`Petitioner’s arguments and find that Jungck teaches the “provisioning”
`
`limitation based on the reasoning outlined above. Patent Owner’s arguments
`
`to the contrary are unpersuasive. According to Patent Owner, Jungck does
`
`not teach the “provisioning” limitation because (a) Jungck does not disclose
`
`“a network protected by the plurality of devices”; (b) Jungck’s edge servers
`
`do not disclose “a plurality of devices” located at a “boundary” of a
`
`20
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`protected network; and (c) Jungck’s edge servers are not provided “one or
`
`more rules generated based on” such a boundary. PO Resp. 11–20; PO Sur-
`
`reply 1–10. We address each of these arguments in more detail below.
`
`i.
`
`Protected Network
`
`Patent Owner first attempts to distinguish between the claimed
`
`invention’s “protected” network and Jungck’s teachings, contending that
`
`“[t]o the extent that the techniques of Jungck ‘protect’ anything, they protect
`
`individual application servers . . . not networks.” PO Resp. 11. In
`
`particular, Patent Owner alleges that Jungck fails to teach defenses against a
`
`particular type of DDoS attack targeting entire networks, instead addressing
`
`only DDoS attacks against individual servers. See id. at 11–13. This
`
`argument, however, is not commensurate in scope with the claim, and Patent
`
`Owner has not identified sufficient evidence to support the narrow
`
`limitations it seeks to impose.
`
`As an initial matter, the claim is not limited to particular types of
`
`attacks. See Pet. Reply 3. The claim does not recite DDoS attacks, much
`
`less specific types of such attacks, nor does the claim recite attacks that
`
`“overload the network infrastructure” rather than target “indivi