`571-272-7822
`
`
`
`
`Paper 7
`
` Entered: April 2, 2019
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`CISCO SYSTEMS, INC.,
`Petitioner,
`
`v.
`
`CENTRIPETAL NETWORKS, INC.,
`Patent Owner.
`____________
`
`Case IPR2018-01513
`Patent 9,560,077 B2
`____________
`
`
`Before BRIAN J. McNAMARA, J. JOHN LEE, and
`JOHN P. PINKERTON, Administrative Patent Judges.
`
`LEE, Administrative Patent Judge.
`
`
`
`
`DECISION
`Institution of Inter Partes Review
`35 U.S.C. § 314
`
`
`
`
`
`
`
`
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`INTRODUCTION
`Cisco Systems, Inc. (“Petitioner”) filed a Petition (Paper 2, “Pet.”)
`requesting an inter partes review of claims 1–20 (“the challenged claims”)
`of U.S. Patent No. 9,560,077 B2 (Ex. 1001, “the ’077 Patent”). Centripetal
`Networks, Inc. (“Patent Owner”) timely filed a Preliminary Response
`(Paper 6, “Prelim. Resp.”).
`We have authority to institute an inter partes review only if the
`information presented in the Petition shows “there is a reasonable likelihood
`that the petitioner would prevail with respect to at least 1 of the claims
`challenged in the petition.” 35 U.S.C. § 314(a). An inter partes review may
`not be instituted on fewer than all claims challenged in the Petition. SAS
`Inst., Inc. v. Iancu, 138 S. Ct. 1348, 1359–60 (2018).
`Upon consideration of the Petition and Preliminary Response, we
`determine that the information presented shows there is a reasonable
`likelihood that Petitioner would prevail in establishing the unpatentability of
`each of the challenged claims. Accordingly, we institute an inter partes
`review of the challenged claims of the ’077 Patent.
`
`A.
`
`Related Cases
`The parties identify as related to the present case Centripetal
`Networks, Inc. v. Cisco Systems, Inc., Case No. 2:18-cv-00094-MSD-LRL
`(E.D. Va). Pet. 1; Paper 3, 1.
`
`B.
`
`The ’077 Patent
`The ’077 Patent relates to protecting networks using packet security
`gateways (PSGs) armed with dynamic security policies. Ex. 1001, 1:48–61.
`Figure 1 of the ’077 Patent is reproduced below:
`
`2
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`
`
`Figure 1 illustrates network environment 100 in which aspects of the
`claimed invention of the ’077 Patent are implemented, with networks 102,
`104, 106, 108, and 110 interfacing with each other. Id. at 4:27–30, 4:38–40.
`For example, one or more Internet Service Providers (ISPs) in network
`environment 100 may interface one or more networks via the Internet. Id. at
`4:40–45. PSG 112 is located at the boundary between Network A 102 and
`Network E 110. Id. at 5:11–15. Network A 102 may be, for example, a
`Local Area Network (LAN) associated with an organization or other entity.
`Id. at 4:30–37. Each PSG receives a dynamic security policy from security
`policy management (SPM) server 120. Id. at 5:29–31.
`
`PSG 112 may include a packet filter that examines information
`associated with data packets received by the PSG via its network interfaces
`
`3
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`with network A and network E. Id. at 5:66–6:10, Fig. 2. The packet filter
`may be configured with a dynamic security policy that includes one or more
`rules, each of which may specify criteria and an action to be taken on data
`packets meeting the criteria. Id. at 6:11–31. Such actions may include
`forwarding or dropping the packets. Id. at 6:19–27. In addition, PSG 112
`may be configured in a “network layer transparent manner,” i.e., without a
`network layer address, to be insulated against attacks launched at the
`network layer. Id. at 6:32–46.
`
`C.
`
`Challenged Claims
`Petitioner challenges all of the claims of the ’077 Patent. Claims 1, 7,
`13, 19, and 20 are the independent claims. Claim 1 is illustrative and is
`reproduced below:
`A method comprising:
`1.
`provisioning, each device of a plurality of devices, with one or
`more rules generated based on a boundary of a network protected
`by the plurality of devices with one or more networks other than
`the network protected by the plurality of devices at which the
`device is configured to be located; and
`configuring, each device of the plurality of devices, to:
`receive packets via a communication interface that does
`not have a network-layer address;
`responsive to a determination by the device that a portion
`of the packets received from or destined for a host located
`in the network protected by the plurality of devices
`corresponds to criteria specified by the one or more rules,
`drop the portion of the packets; and
`modify a switching matrix of a local area network (LAN)
`switch associated with the device such that the LAN
`
`4
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`switch is configured to drop the portion of the packets
`responsive to the determination by the device.
`
`D.
`
`Asserted Ground of Unpatentability and Asserted Prior Art
`Petitioner asserts that claims 1–4, 6–10, 12–16, 18, and 20 are
`unpatentable as obvious under 35 U.S.C. § 103(a) in view of Jungck.1
`Pet. 20. Further, Petitioner contends claims 5, 11, 17, and 19 are
`unpatentable as obvious under 35 U.S.C. § 103(a) in view of the
`combination of Jungck and RFC 2003.2 Id. In addition, Petitioner relies on
`the Declaration of Kevin Jeffay, Ph.D. (Ex. 1004), in support of both
`asserted grounds of unpatentability.
`
`ANALYSIS
`
`A.
`
`Claim Construction
`For petitions filed before November 13, 2018, claim terms in an
`unexpired patent are given their broadest reasonable construction in light of
`the specification of the patent in which they appear. 37 C.F.R. § 42.100(b);
`see Cuozzo Speed Techs., LLC v. Lee, 136 S. Ct. 2131, 2144–46 (2016). The
`parties propose constructions for several claim terms.
`
`
`1 U.S. Patent Application Pub. No. 2009/0262741 A1, published Oct. 22,
`2009 (Ex. 1008, “Jungck”).
`2 C. Perkins, IP Encapsulation within IP, Oct. 1996 (Ex. 1009, “RFC
`2003”). At this stage of the case, Patent Owner has not disputed
`Petitioner’s assertion that RFC 2003 qualifies as prior art. For purposes of
`this Decision, we determine Petitioner has made a sufficient showing that
`RFC 2003 is prior art to the ’077 Patent.
`
`5
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`1.
`
`rule / rules
`
`Petitioner’s Proposal
`
`Patent Owner’s Proposal
`
`a part of a dynamic security policy
`that may specify criteria and one or
`more packet transformation
`functions that should be performed
`for packets associated with the
`specified criteria
`
`a condition or set of conditions that
`when satisfied cause a specific
`function to occur
`
`Pet. 17; Prelim. Resp. 7.
`The ’077 Patent was issued from an application that was a
`continuation of an earlier application that became U.S. Patent No. 9,137,205
`B2 (“the ’205 Patent”). See Ex. 1001, at [63]. The ’205 Patent is the subject
`of another petition for inter partes review, IPR2018-01444, in which trial
`was instituted on February 12, 2019. See Cisco Sys., Inc. v. Centripetal
`Networks, Inc., Case IPR2018-01444, Paper 7 (PTAB Feb. 12, 2019) (“1444
`DI”). In that case, the parties—the same parties in the present case—
`advanced the same claim construction positions and arguments for the term
`“rule” or “rules” as in this case. See id. at 9–10; Pet. 17; Prelim. Resp. 7. In
`the 1444 DI, we concluded that Patent Owner’s proposed construction was
`supported by the intrinsic evidence and adopted it as a result. The relevant
`disclosures in the Specification of the ’077 Patent are the same as those of
`the ’205 Patent. Thus, at this stage, we also adopt Patent Owner’s proposed
`construction in this case for the same reasons as in the 1444 DI.
`
`6
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`2.
`
`provisioning, each device of a plurality of devices, with one or
`more rules generated based on a boundary of a network
`protected by the plurality of devices with one or more networks
`other than the network protected by the plurality of devices at
`which the device is configured to be located
`
`Petitioner’s Proposal
`
`Patent Owner’s Proposal
`
`plain meaning
`
`change a device from one state to
`another based on one or more rules
`derived from the boundary of a
`different network
`
`Pet. 17–18; Prelim. Resp. 7–8.
`Patent Owner notes that its proposed construction for this claim
`phrase was proposed in related litigation. Prelim. Resp. 7–8. In its
`Preliminary Response, however, Patent Owner does not provide adequate
`explanation or evidentiary support for its proposal. Indeed, the only
`evidence cited is one paragraph from the Specification, but that paragraph
`does not appear to discuss the “state” of any device, and Patent Owner does
`not explain how the cited disclosure supports its construction. See id. (citing
`Ex. 1001, 16:61–17:9).
`The Specification describes an SPM server “configured to
`communicate one or more dynamic security policies it maintains to [PSGs]
`on a periodic basis” to “ensure that each of [the PSGs] protect each of their
`respective [network] boundaries . . . in a uniform manner.” Ex. 1001,
`16:64–17:4. Based on this intrinsic evidence, we construe this claim phrase
`for purposes of this Decision as “communicating one or more rules to each
`device of a plurality of devices, where the rule(s) are generated based on the
`location of the device at a boundary between a network protected by the
`plurality of devices and one or more other networks.”
`
`7
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`3.
`
`layer-2 virtual local area network (VLAN)
`
`Petitioner’s Proposal
`
`Patent Owner’s Proposal
`
`logical subset of the computers on a
`local area network (LAN) that
`communicate only with the
`computers on the same subnetwork
`using a layer-2 protocol
`
`logical grouping of devices on one
`or more local area networks (LANs)
`that allows layer-2 communication
`to occur between them
`
`Pet. 19; Prelim. Resp. 9–10.
`Patent Owner argues Petitioner’s proposed construction is incorrect
`because it “narrowly requires that devices within the VLAN communicate
`only with other devices within the same subnetwork.” Prelim. Resp. 9.
`Petitioner supports its proposed construction of this term with the testimony
`of Dr. Jeffay. Pet. 19 (citing Ex. 1004 ¶¶ 135–136). Dr. Jeffay, however,
`testified to a slightly different construction: “logical subset of the computers
`on a local area network (LAN) that can only communicate with the
`computers in the same subset when only using a layer-2 protocol.” Ex. 1004
`¶ 136 (emphasis added).
`The Specification describes using a layer-2 VLAN such that after the
`packets are assigned to the VLAN, “[t]he packets may then be switched to
`another device on the same VLAN.” Ex. 1001, 10:37–45. This is consistent
`with the dictionary definition presented by Patent Owner. See Ex. 2002, 555
`(defining “VLAN” as a “logical grouping of hosts on one or more [LANs]
`that allows communication to occur between hosts as if they were on the
`same physical LAN”).
`On the record presently available, we agree with Patent Owner’s
`proposed construction and construe “layer-2 virtual local area network
`(VLAN)” as “logical grouping of devices on one or more local area
`
`8
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`networks (LANs) that allows layer-2 communication to occur between
`them,” for purposes of this Decision.
`
`Remaining Claim Terms
`4.
`The parties agree that (1) the term “network-layer address” should be
`construed as “an address that identifies a device for communication on the
`network layer, such as an IP address,” and (2) the term “LAN switch” should
`be construed as “a network device configured to send and receive data
`between computers on a local area network.” Pet. 18–19; Prelim. Resp. 8.
`For purposes of this Decision, we adopt these claim constructions.
`In addition, Petitioner proposes to apply the construction of
`“switching matrix of a local area network (LAN) switch” proposed by Patent
`Owner in related litigation. Pet. 19. Patent Owner does not dispute this
`construction, but notes that the district court in the related litigation has since
`adopted a slightly different construction. Prelim. Resp. 9. At this stage, we
`agree with Patent Owner that the differences between them do not affect the
`issues raised in this case. See id. Thus, for purposes of this Decision, we
`adopt the district court’s construction: “a switching matrix contained within
`a [LAN switch] that is configured to direct traffic in a local area network
`(LAN).” See Ex. 2001, 23.
`
`Preliminary Claim Constructions
`5.
`As explained above, for purposes of this Decision, we construe claim
`terms of the ’077 Patent as follows:
`
`9
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`Claim Term/Phrase
`
`rule / rules
`
`provisioning, each device of a
`plurality of devices, with one or
`more rules generated based on a
`boundary of a network protected
`by the plurality of devices with
`one or more networks other than
`the network protected by the
`plurality of devices at which the
`device is configured to be located
`
`layer-2 virtual local area network
`(VLAN)
`
`network-layer address
`
`LAN switch
`
`switching matrix of a local area
`network (LAN) switch
`
`Construction
`
`a condition or set of conditions that
`when satisfied cause a specific
`function to occur
`
`communicating one or more rules to
`each device of a plurality of devices,
`where the rule(s) are generated based
`on the location of the device at a
`boundary between a network protected
`by the plurality of devices and one or
`more other networks
`
`logical grouping of devices on one or
`more local area networks (LANs) that
`allows layer-2 communication to
`occur between them
`
`an address that identifies a device for
`communication on the network layer,
`such as an IP address
`
`a network device configured to send
`and receive data between computers
`on a local area network
`
`a switching matrix contained within a
`LAN switch that is configured to
`direct traffic in a LAN
`
`No other claim terms in the ’077 Patent require express construction
`for purposes of this Decision. See Vivid Techs., Inc. v. Am. Sci. & Eng'g,
`Inc., 200 F.3d 795, 803 (Fed. Cir. 1999).
`
`10
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`B.
`
`Alleged Unpatentability Under § 103(a)
`A claim is unpatentable under § 103 if the differences between the
`claimed subject matter and the prior art are “such that the subject matter as a
`whole would have been obvious at the time the invention was made to a
`person having ordinary skill in the art to which said subject matter pertains.”
`KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The question of
`obviousness is resolved on the basis of underlying factual determinations,
`including: (1) the scope and content of the prior art; (2) any differences
`between the claimed subject matter and the prior art; (3) the level of skill in
`the art; and (4) objective evidence of nonobviousness, i.e., secondary
`considerations. Graham v. John Deere Co., 383 U.S. 1, 17–18 (1966).
`Additionally, the obviousness inquiry typically requires an analysis of
`“whether there was an apparent reason to combine the known elements in
`the fashion claimed by the patent at issue.” KSR, 550 U.S. at 418 (citing
`In re Kahn, 441 F.3d 977, 988 (Fed. Cir. 2006) (requiring “articulated
`reasoning with some rational underpinning to support the legal conclusion of
`obviousness”)); see In re Warsaw Orthopedic, Inc., 832 F.3d 1327, 1333
`(Fed. Cir. 2016) (citing DyStar Textilfarben GmbH & Co. Deutschland KG
`v. C. H. Patrick Co., 464 F.3d 1356, 1360 (Fed. Cir. 2006)).
`
`Level of Ordinary Skill
`1.
`Petitioner asserts that a person of ordinary skill in the art would have
`had a bachelor’s degree in computer science, computer engineering or an
`equivalent, as well as four years of industry experience. Pet. 21 (citing
`Ex. 1004 ¶¶ 23–25). In addition, Petitioner indicates a person of ordinary
`skill would have had “a working knowledge of packet-switched networking,
`
`11
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`firewalls, security policies, communication protocols and layers, and the use
`of customized rules to address cyber attacks.” Id.
`At this stage of the case, Patent Owner does not dispute Petitioner’s
`formulation of the level of skill in the art. Based on the information
`presented in the Petition and Dr. Jeffay’s testimony, we adopt Petitioner’s
`formulation for purposes of this Decision.
`
`Secondary Considerations of Non-Obviousness
`2.
`Neither party presented any evidence or argument regarding
`secondary considerations of non-obviousness at this stage of the case. Thus,
`we do not consider any such considerations in our analysis for this Decision.
`
`Overview of Jungck
`3.
`Jungck is a published patent application relating to improvements to a
`network’s infrastructure, including a “packet interceptor/processor apparatus
`[that] is coupled with the network so as to be able to intercept and process
`packets flowing over the network.” Ex. 1008, at [57]. “The apparatus
`applies one or more rules to the intercepted packets which execute one or
`more functions on a dynamically specified portion of the packet and take
`one or more actions with the packets.” Id. Such actions may include
`releasing the packet unmodified, deleting the packet, or forwarding the
`packet for subsequent processing. Id.
`Figure 1 of Jungck is reproduced below:
`
`12
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`
`
`Figure 1 depicts exemplary network 100 for use with the embodiments
`disclosed in Jungck. Id. ¶ [0031]. Network 100 may be the Internet, another
`type of public network, or a private network. Id. For example, the network
`may be a local area network (LAN) or a wide area network (WAN). Id.
`¶ [0032]. As shown in Figure 1, a client device (e.g., client 106) may be
`connected to network 100 via a point-of-presence (e.g., POP 116), which is a
`“connecting point which separates the client . . . from the network.” Id.
`¶ [0041]. A POP may comprise, for example, one or more routers, and may
`be provided by an internet service provider (ISP). Id.
`Jungck discloses a number of embodiments. The “[t]hird”
`embodiment is depicted in Figure 6, which is reproduced below:
`
`13
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`
`Figure 6 depicts enhanced network 100, which is connected to clients 102,
`104, 106, and 612 via service providers 118 and 120. Id. ¶ [0107]. More
`specifically, each client is connected via a POP—for example, client 104 is
`connected via POP2A of service provider 118. Id. Service provider 118
`also has edge server 602A, which may be “integrated with a router” and is
`“able to intercept all network traffic flowing between [POPs 116, including
`POP2A] and the network 100.” Id. Once intercepted, edge server 602A can,
`for example, detect packets “whose origin address could not have come from
`the downstream network . . . to which it is connected” and prevent those
`packets from reaching network 100. Id. ¶ [0111].
`
`The “fourth embodiment” of Jungck is depicted in Figure 7, which is
`reproduced below:
`
`14
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`
`
`Figure 7 depicts “edge adapter/packet interceptor system 700,” featuring
`packet interceptor adapter 720 coupled with router 702. Id. ¶¶ [0126]–
`[0127]. Router 702 may be located within an ISP located at the edge of a
`network 100, which may be the Internet or a private intranet/extranet as
`described above (e.g., Figure 1), and additionally may be an optical based
`network or an electrical network. Id. ¶ [0127].
`
`Jungck’s “[f]ifth” embodiment includes exemplary device 900
`coupled with optical based network 100 (such as the Internet). Id. ¶ [0265].
`Device 900 is positioned to “intercept and process packets communicated
`between the upstream network portion 100A and the downstream network
`portion 100B.” Id. ¶ [0266]. Processing elements within device 900 may
`perform “ingress and egress filtering,” whereby device 900 is “programmed
`with the range of network addresses in [downstream network portion 100B]”
`such that device 900 is able to detect and filter out packets arriving from
`
`15
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`downstream network portion 100B that do not have a network address
`within that range. Id. ¶ [0269].
`
`Overview of RFC 2003
`4.
`RFC 2003 is a specification of an Internet protocol (IP) standard,
`
`specifically “a method by which an IP datagram may be encapsulated
`(carried as payload) within an IP datagram.” Ex. 1009, 1. This
`encapsulation enables altering the normal routing for a datagram by
`delivering it to an intermediate destination not specified by the IP header of
`the datagram. Id. This is performed by inserting an outer IP header before
`the original IP header whereby the outer IP header specifies that
`intermediate destination’s address. See id. at 3.
`
`Independent Claim 1
`5.
`Petitioner contends claim 1 of the ’077 Patent is obvious in view of
`Jungck. According to Petitioner, Jungck teaches the “provisioning”
`limitation of claim 1 in its description of edge servers. Pet. 33–37.
`Specifically, Petitioner contends that Jungck discloses multiple edge servers
`(i.e., the recited “plurality of devices”) protecting a network (e.g., network
`100 in Figure 6) from malicious traffic originating from other networks (e.g.,
`the downstream networks of POPs 114 or 116) by being located at the
`boundary between them and filtering the data. Id. at 34, 36; see Ex. 1008,
`Fig. 6. Petitioner asserts Jungck discloses that an edge server can detect data
`packets with origin addresses that do not match the downstream network to
`which it is connected, and block those packets from reaching the protected
`network. Pet. 36–37 (citing Ex. 1008 ¶ [0111]). Additionally, Petitioner
`also cites Jungck’s discussion of ingress filtering in its fifth embodiment. Id.
`
`16
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`(citing Ex. 1008 ¶ [0269]). Thus, Petitioner argues, Jungck teaches that the
`edge server applies rules that are based on the particular boundary where the
`edge server is located, i.e., the boundary with a particular downstream
`network. Id. Petitioner cites Jungck’s disclosure of a “rules processor” that
`interfaces with external devices that define and communicate rule sets to the
`packet interceptor adapter, for example, to intercept particular types of
`packets. See id. at 36; Ex. 1008 ¶ [0157].
`With respect to the limitation of configuring each device to receive
`packets “via a communication interface that does not have a network-layer
`address,” Petitioner relies on Jungck’s disclosure that the device of its fourth
`embodiment may be “selectively transparent to the network” such that the
`device’s “addressability may be disabled to make the device invisible to
`other network devices.” Ex. 1008 ¶ [0126]; see Pet. 38. Petitioner also cites
`Jungck’s disclosure that an edge server “effective needs no address because
`it intercepts the necessary network traffic,” and clients “do not need to know
`of the existence of the edge server.” Ex. 1008 ¶ [0098]; see Pet. 38.
`Petitioner next contends Jungck teaches dropping packets responsive
`to a determination that a portion of packets “correspond to criteria” specified
`by the provisioned rule(s), as recited in claim 1, in its description of an
`“ingress filter.” Pet. 38–40. More specifically, Jungck describes how an
`edge server “detects a data packet whose origin address could not have come
`from the downstream network . . . to which it is connected,” in which case
`the edge server determines the packet “must be a forgery” and can “eradicate
`it or prevent it from reaching the network 100.” Ex. 1008 ¶ [0111].
`According to Petitioner, these disclosures teach the edge server determining
`that packets correspond to criteria (i.e., origin address) and, responsive to
`
`17
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`that determination, dropping those packets to prevent them from reaching
`the protected network. Pet. 39–40.
`Finally, for the “switching matrix” limitation, Petitioner notes that
`Jungck teaches the use of network switches and a switch “fabric” to manage
`network traffic. Id. at 42 (citing Ex. 1008 ¶¶ [0150], [0199]). Further,
`Petitioner relies on Jungck’s disclosures that an edge server can be
`“integrated with a router” and a router “is often included as part of a network
`switch.” Ex. 1008 ¶¶ [0033], [0092]; Pet. 42–43. Thus, Petitioner argues,
`Jungck teaches that a network switch, like a LAN switch, may be configured
`to drop packets determined by the edge server to trigger a rule because, as
`discussed above, Jungck discloses that the edge server (i.e., part of the
`network switch) can drop such packets. Pet. 43 (citing Ex. 1004 ¶ [0177]).
`Additionally, Petitioner cites Jungck’s disclosures regarding packet
`interceptor adapter 720, including that the adapter is shown as part of router
`702 (Ex. 1008, Fig. 7) and that “any device which intercepts and processes
`packets can utilize the packet interceptor adaptor 720” (id. ¶ [0180]).
`Pet. 43–44. Router 702 also includes buffer 714, routing table 728, and
`routing logic 730, which Petitioner contends also teach the recited switching
`matrix. Id. at 43–46 (citing Ex. 1004 ¶¶ [0178]–[0180]).
`Although some of Jungck’s teachings identified by Petitioner are from
`different embodiments of Jungck, Petitioner contends a person of ordinary
`skill would have had reason to combine them because they are all applicable
`to the same network environment and architecture, and are directed to
`similar functions. Pet. 32 (citing Ex. 1008 ¶¶ [0025], [0031], [0111], [0126],
`[0182]–[0183], [0263]–[0264], [0282]; Ex. 1004 ¶¶ 140–141). Relying on
`Dr. Jeffay’s testimony, Petitioner further asserts that combining the
`
`18
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`teachings of each of the Jungck embodiments would have “produce[d]
`predictable and operable results,” and involved “simple substitutions, and
`applying known programming techniques to improve similar systems” that a
`skilled artisan would have understood how to implement to accomplish
`certain design objectives. Id. at 32–33 (citing Ex. 1004 ¶¶ 141–143).
`On this record, we find Petitioner’s arguments and evidence discussed
`above make a sufficient showing at this stage that Jungck teaches each
`limitation of claim 1, as set forth in the Petition, and we find Patent Owner’s
`counterarguments unpersuasive. Patent Owner first argues that Jungck’s
`edge servers do not teach the recited plurality of devices because they are
`“not gateways,” and Jungck purportedly “distinguishes” them from gateway
`servers. Prelim. Resp. 31–32. Claim 1, however, does not recite “gateways”
`or “gateway servers,” instead reciting merely a “plurality of devices.”
`Next, Patent Owner contends Jungck’s edge servers do not teach the
`recited devices because they are “not located at a protected network.” Id. at
`32; see also id. at 34–37 (similar argument regarding Jungck’s fourth and
`fifth embodiments). According to Patent Owner, the edge servers are
`located “within ISPs on the client side of the network 100.” Id. at 33.
`Again, however, Patent Owner’s arguments are not commensurate with the
`scope of the claim. Claim 1 does not recite that the devices are located at
`the protected network but rather at the “boundary” between the protected
`network and one or more networks. As shown in Figure 6, for example,
`Jungck teaches edge server 602A located between network 100 (as well as
`connected servers 108 and 110) and the downstream network of POPs 116
`(including connected clients 102 and 104). Ex. 1008, Fig. 6.
`
`19
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`Patent Owner also asserts that Jungck does not teach the switching
`matrix limitations of claim 1. Prelim. Resp. 38–39. According to Patent
`Owner, applying the teachings of Jungck to place an edge server into a LAN
`switch would change the principle of operation of Jungck because the
`disclosed edge servers “are designed to be placed in heavy traffic access
`points such as at the edge of [ISPs].” Id. (citing Ex. 1008 ¶ [0107], Fig. 6).
`The evidence does not, however, support Patent Owner’s argument. The
`cited portions of Jungck do not indicate that Jungck’s edge servers are
`limited to “heavy traffic access points” or “the edge of [ISPs].” Although
`Jungck discusses edge servers in that context, Jungck explicitly states that
`“the disclosed embodiments are not limited to the Internet and are applicable
`to other types of public networks as well as private networks, and
`combinations thereof, and all such networks are contemplated.” Ex. 1008
`¶ [0031]. For example, Jungck discloses that system 700, including router
`702 and packet interceptor adapter 720, may be associated with “a private
`intranet or extranet.” Id. Ex. ¶ [0127].
`Lastly, Patent Owner argues that Petitioner failed to adequately
`demonstrate that a skilled artisan would have combined the teachings of
`Jungck’s multiple embodiments. Prelim. Resp. 17–27. These arguments are
`substantially similar to those advanced in IPR2018-01444, which also
`concerned combinations of teachings from multiple embodiments in Jungck,
`and are unpersuasive for similar reasons. See 1444 DI, at 15–18. We note,
`for example, that Jungck’s Figure 1 shows a common network environment
`applicable to all of Jungck’s embodiments. See Ex. 1008 ¶ [0031]; Fig. 1.
`Additionally, we note that Jungck states, for example, that “any device
`which intercepts and processes packets can utilize the packet interceptor
`
`20
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`adaptor 720” of Jungck’s fourth embodiment, as discussed above. Ex. 1008
`¶ [0180]. Contrary to Patent Owner’s assertions, we determine that the
`Petition sets forth an adequate showing with sufficient specificity that a
`skilled artisan would have had reason to combine the teachings of Jungck’s
`embodiments, for purposes of this Decision.
`In sum, for the reasons set forth above, we conclude that Petitioner
`has demonstrated a reasonable likelihood of prevailing on its asserted
`ground of unpatentability that claim 1 of the ’077 Patent is obvious in view
`of the teachings of Jungck.
`
`Independent Claims 7 and 13
`6.
`Claim 7 recites essentially the same limitations as claim 1, but is
`directed to a system rather than a method. Likewise, claim 13 recites the
`same limitations as claim 1, but is directed instead to non-transitory
`computer-readable media comprising instructions that, when executed,
`perform the recited steps. Petitioner relies on the same arguments and
`evidence for these claims as for claim 1, and further explains how Jungck
`teaches the recited structural elements (e.g., the “processor” and “memory”
`of claim 7). Pet. 34–46. Patent Owner does not raise any arguments with
`respect to these claims other than those for claim 1.
`For the same reasons as explained above for claim 1, we conclude that
`Petitioner has demonstrated a reasonable likelihood of prevailing on its
`asserted ground of unpatentability that claims 7 and 13 of the ’077 Patent are
`obvious in view of the teachings of Jungck.
`
`21
`
`
`
`IPR2018-01513
`Patent 9,560,077 B2
`
`
`Dependent Claims 2–4, 6, 8–10, 12, 14–16, and 18
`7.
`The Petition sets forth detailed arguments and supporting evidence
`with respect to dependent claims 2–4, 6, 8–10, 12, 14–16, and 18. Pet. 46–
`56. For example, Petitioner relies on Jungck’s disclosures regarding packet
`filtering based on source address to detect and block “forgery” packets as
`teaching the “spoofed source addresses” limitations of claims 2, 8, and 14.
`Pet. 46–48 (citing Ex. 1008 ¶¶ [0111], [0271]; Ex. 1004 ¶¶ 183–184). For
`the “malicious network traffic” and “subscription service” limitations of
`claims 3, 9, and 15, Petitioner relies on Jungck’s teachings regarding
`protecting against “malicious program code” identified by “a third party
`such as a virus watch service.” Pet. 48–52 (citing 1008 ¶¶ [0111], [0153],
`[0157], [0176], [0269]; Ex. 1004 ¶¶ 191–199). With respect to the
`limitations of claims 4, 10, and 16 requiring provisioning one or more rules
`via a communication interface of the device having a network-layer address,
`Petitioner relies on Jungck’s disclosures regarding, for example,
`management interface 722 depicted in Figure 7 and external interface 838
`depicted in Figure 8. Pet. 53–56 (citing 1008 ¶¶ [0153], [0157], [0160],
`[0175], Figs. 7, 8; Ex. 1004 ¶¶ 200–211).
`Claims 6, 12, and 18 depend from claims 1, 7, and 13 respectively,
`and furthe