UNITED STATES PATENT AND TRADEMARK OFFICE
_______________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
_____________

CISCO SYSTEMS INC.,
Petitioner

_______________

IPR2021-01242
U.S. Patent No. 9,100,431
_______________

DECLARATION OF A.L. NARASIMHA REDDY, PH.D.,
UNDER 37 C.F.R. § 1.68 IN SUPPORT OF PETITION
FOR INTER PARTES REVIEW

Ex.1003
CISCO SYSTEMS, INC. / Page 1 of 134

Declaration of Narasimha Reddy, Ph.D.
Inter Partes Review of U.S. 9,100,431
`
TABLE OF CONTENTS

I. INTRODUCTION
II. QUALIFICATIONS AND PROFESSIONAL EXPERIENCE
III. LEVEL OF ORDINARY SKILL IN THE ART
IV. RELEVANT LEGAL STANDARDS
V. OVERVIEW OF THE ’431 PATENT
VI. CLAIM CONSTRUCTION
VII. IDENTIFICATION OF HOW THE CLAIMS ARE UNPATENTABLE
VIII. W-L RENDERS OBVIOUS CLAIMS 14 AND 19-20
    A. Summary of W-L
    B. Detailed Analysis of Claims
        1. Claim 14
        2. Claim 19
        3. Claim 20
IX. THE COMBINATION OF W-L AND HILL RENDERS OBVIOUS CLAIMS 1-12 AND 15-18
    A. Summary of Hill
    B. Reasons to Combine W-L with Hill
    C. Detailed Analysis of Claims
        1. Claim 1
        2. Claim 2
        3. Claim 4
        4. Claim 5
        5. Claim 6
        6. Claim 7
        7. Claim 8
        8. Claim 9
        9. Claim 10
        10. Claim 11
        11. Claim 12
        12. Claim 15
        13. Claim 16
        14. Claim 17
        15. Claim 18
X. CONCLUSION
`
I, Narasimha Reddy, Ph.D., do hereby declare as follows:

I. INTRODUCTION

1. I am making this declaration at the request of Cisco Systems, Inc. in the matter of the Inter Partes Review of U.S. Patent No. 9,100,431 (“the ’431 patent”) to Oliphant et al.

2. I am being compensated for my work in this matter at my standard hourly rate. I am also being reimbursed for reasonable and customary expenses associated with my work and testimony in this proceeding. My compensation is not contingent on the outcome of this matter or the specifics of my testimony.

3. I have been asked to provide my opinions regarding whether the subject matter of claims 1-2, 4-12, and 14-20 (“the Challenged Claims”) of the ’431 patent would have been obvious to a person having ordinary skill in the art (“POSITA”) at the time of the alleged invention, in light of the prior art. It is my opinion that the Challenged Claims would have been obvious to a POSITA.

4. In the preparation of this declaration, I have studied:

    a. the ’431 patent, Ex.1001;
    b. the prosecution history of the ’431 patent (“’431 File History”), Ex.1002;
    c. U.S. Patent No. 7,359,962 to Willebeek-LeMair et al. (“W-L”), Ex.1005; and
    d. U.S. Patent No. 6,088,804 to Hill et al. (“Hill”), Ex.1006.

5. In forming the opinions expressed below, I have considered: the documents listed above; the relevant legal standards, including the standard for obviousness; and my own knowledge and experience based upon my work in the field of network communications and security as described below, as well as portions of the following additional materials:

    a. the prosecution history of U.S. Patent No. 9,117,069 (“’069 File History”), parent of ’431 patent, Ex.1008;
    b. Markus Goncalves & Steven Brown, CHECK POINT FIREWALL-1 (McGraw-Hill 2000) (“Goncalves”), Ex.1009;
    c. Plaintiff’s Combined Opening and Responsive Claim Construction Brief, SecurityProfiling, LLC v. Trend Micro America, Inc. et al., No. 3:17-cv-01484-N, Dk. #94 (N.D. Tex. Jan. 22, 2018), (“Claim Construction Brief”), Ex.1010;
    d. U.S. Patent No. 6,856,627 to Saleh et al. (“Saleh”), Ex.1018;
    e. U.S. Patent No. 6,584,093 to Salama et al. (“Salama”), Ex.1019;
    f. U.S. Patent No. 7,398,273 to Dobberpuhl et al. (“Dobberpuhl”), Ex.1020;
    g. U.S. Publication No. 2003/0093509 to Li et al. (“Li”), Ex.1021;
    h. U.S. Patent No. 6,735,766 to Chamberlain et al. (“Chamberlain”), Ex.1022; and
    i. U.S. Patent No. 6,668,230 to Mansky et al. (“Mansky”), Ex.1023.

6. Unless otherwise noted, all emphasis in any quoted material has been added. Claim terms are italicized.
`
II. QUALIFICATIONS AND PROFESSIONAL EXPERIENCE

7. My complete qualifications and professional experience are described in my Curriculum Vitae, a copy of which can be found in Exhibit 1004. The following is a brief summary of my relevant qualifications and professional experience.

8. I am currently the J.W. Runyon Professor of Electrical and Computer Engineering at Texas A&M University in College Station, Texas. I have over 25 years of experience in a wide variety of technologies and industries relating to data communications, storage systems, and distributed systems, including packet-switched network communications.

9. My academic credentials include a Bachelor of Technology degree in Electronics and Electrical Communications Engineering from the Indian Institute of Technology, Kharagpur, India, in August 1985. I then received a Master of Science and a Ph.D. in Computer Engineering from the University of Illinois at Urbana-Champaign in May 1987 and August 1990, respectively.

10. I have worked for over 25 years in the field of Electrical Engineering. My primary focus and research interest has been on computer networks, storage systems, multimedia systems, and computer architecture. I have authored and co-authored over a hundred technical papers and several book chapters related to several of these interests, including on such topics as multipath routing, route control, high-speed networks, network congestion, packet management, quality of service regulation, network security, network modeling, differentiated services, storage system enhancements, caching strategies, and multimedia system enhancements to name a few examples. I am listed as an inventor on five U.S. patents in the field of communication networks.

11. My employment history following my graduation from the University of Illinois at Urbana-Champaign began at the IBM Almaden Research Center in San Jose, California in 1990. At IBM, I worked on projects related to disk arrays, multiprocessor communication, hierarchical storage systems and video servers.

12. In 1995, I joined the faculty of the department of Electrical Engineering at Texas A&M University initially as an Associate Professor and was later promoted to full, tenured Professor. At Texas A&M, I am the Associate Agency Director for Strategic Initiatives and Centers for the Texas A&M Engineering Experiment Station (TEES), which engages in engineering and technology-oriented research and educational collaborations. Further, I currently serve as Associate Dean for Research.

13. At Texas A&M, I have taught dozens of courses related to computer networking and communications, as well as computer architecture, multimedia systems and networks, topics in networking security, multimedia storage and delivery, as well as networking for multimedia applications. I have done research on various topics of network security including anomaly detection, botnet detection, building mechanisms in routers and switches to improve security, spammer detection in social networks and improving security of cyberphysical systems. I have also served on various committees for the benefit of the scientific community and the Texas A&M University community.

14. I am a member of a number of professional societies, including the Institute of Electrical and Electronic Engineers (IEEE), where I have been elevated to an IEEE Fellow, and the Association for Computing Machinery (ACM). I have been responsible for chairing or co-chairing numerous conferences and programs, as well as presenting research at major IEEE and ACM conferences. For example, I served as program co-chair for the 2008 5th International Conference on Broadband Communications, Networks and Systems, panels co-chair for the 2008 3rd International Conference on Communication Systems Software & Middleware, and panel chair of the IEEE Conference of High Performance Computer Architecture.

15. My presentations include a Keynote speech at International Conference on Information Technology-New Generations in 2013, a Keynote speech at IEEE International Symposium on Computers and Communications 2010, and several invited talks including at Georgia Tech (2013), COMSNETS Conference (2013), Int. Conf. on Networking and Communications (2012), Samsung (2011), Korea University (2011), Aijou University (2011), Catedra Series at University of Carlos III, Madrid (2009), Thomson Research, Paris (2009), Telefonica Research, Barcelona (2009), and a Distinguished Seminar at IBM Austin Research Lab (2008).

16. I have received multiple awards in the field of networks and computer architecture. I received the NSF Career Award from 1996-2000. I received an outstanding professor award by the IEEE student branch at Texas A&M during 1997-1998, an outstanding faculty award by the department of Electrical and Computer Engineering during 2003-2004, a Distinguished Achievement award for teaching from the former students’ association of Texas A&M University, and a citation “for one of the most influential papers from the 1st ACM Multimedia conference.”
`
III. LEVEL OF ORDINARY SKILL IN THE ART

17. I understand there are multiple factors relevant to determining the level of ordinary skill in the pertinent art, including (1) the levels of education and experience of persons working in the field at the time of the invention; (2) the sophistication of the technology; (3) the types of problems encountered in the field; and (4) the prior art solutions to those problems.

18. A POSITA in the field of the ’431 patent, as of its earliest alleged priority date of July 1, 2003, would have been someone knowledgeable and familiar with network communications techniques and security methodologies available in the early-2000s. Such a POSITA would have a bachelor’s degree in computer science, computer engineering, electrical engineering, or equivalent training, and approximately two years of experience working in the field of network communications, or more particularly, network security. Additional work experience can substitute for specific educational background, and vice versa.

19. For purposes of this Declaration, in general, and unless otherwise noted, my statements and opinions, such as those regarding my own experience and what a POSITA would have understood or known generally (and specifically related to the references I consulted herein), reflect the knowledge that existed in the relevant field as of the priority date of the ’431 patent.
`
IV. RELEVANT LEGAL STANDARDS

20. I am not an attorney. In preparing and expressing my opinions and considering the subject matter of the ’431 patent, I am relying on certain basic legal principles that Cisco’s counsel has explained to me.

21. I understand that prior art to the ’431 patent includes patents and printed publications in the relevant art that predate the priority date of the ’431 patent. For purposes of this Declaration, I am applying July 1, 2003, as the priority date of the ’431 patent.

22. I have been informed by Cisco’s counsel that a claimed invention is unpatentable under 35 U.S.C. § 103 if the differences between the claimed invention and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a POSITA. I have also been informed by Cisco’s counsel that the obviousness analysis considers factual inquiries, including the level of ordinary skill in the art, the scope and content of the prior art, and the differences between the prior art and the claimed subject matter.

23. I have been further informed by Cisco’s counsel that there are several recognized rationales for combining references or modifying a reference to show obviousness. These rationales include: (a) combining prior art elements according to known methods to yield predictable results; (b) simple substitution of one known element for another to obtain predictable results; (c) use of a known technique to improve a similar device (method, or product) in the same way; (d) applying a known technique to a known device (method, or product) ready for improvement to yield predictable results; (e) choosing from a finite number of identified, predictable solutions, with a reasonable expectation of success; and (f) some teaching, suggestion, or motivation in the prior art that would have led a POSITA to modify the prior art or to combine prior art teachings to arrive at the claimed invention.
`
V. OVERVIEW OF THE ’431 PATENT

24. The ’431 patent focuses on the “management of security of computing and network devices that are connected to other such devices.” ’431 patent at 1:18-20. To accomplish this, “technology is provided to meet the following market requirements: integrate network security products to share information; provide system intelligence; and remediate network vulnerabilities.” ’431 patent, 11:4-7. Integrating products is done “to intelligently reference and share information from the same vulnerability data set.” ’431 patent, 11:8-10.

25. The system in the ’431 patent has a “security server 135” which “collects certain information and provides certain data services.” ’431 patent, 2:20-28. The server collects data about devices within the network, including operating system information and other configuration and policy settings. ’431 patent, 2:32-35. The system in the ’431 patent “may easily integrate with and enable network security products such as IDS [intrusion detection system], scanners, or firewalls to intelligently reference and share the same vulnerability data set.” ’431 patent, 7:66-8:5.

26. The server obtains a list of security vulnerabilities from a vulnerability remediation database 110. ’431 patent, 2:36-39. The server also includes a database 146, which maintains remediation techniques for vulnerabilities. ’431 patent, 2:46-47, 4:45-47. When traffic arrives at the network, such as at a firewall 131, the security server determines whether the traffic “is attempting to take advantage of a particular known vulnerability” by using the information from the database. ’431 patent, 3:60-62, 4:4-12. If an attack is detected, the security server “selects one or more remediation techniques from database 146 that remediate the particular vulnerability.” ’431 patent, 4:45-47.

27. As I will explain below, these concepts were well known as of the priority date of the ’431 patent.
`
VI. CLAIM CONSTRUCTION

28. It is my understanding that in order to properly evaluate the ’431 patent, the terms of the claims must first be interpreted. It is my understanding that for the purposes of this inter partes review, the claims are to be construed under the so-called Phillips standard, under which claim terms are given their ordinary and customary meaning as would have been understood by a POSITA in light of the specification and prosecution history, unless the inventor has set forth a special meaning for a term. I have also been informed that claim terms only need to be construed to the extent necessary to resolve the obviousness inquiry. I have reviewed the entirety of the ’431 patent, as well as its prosecution history. It is my opinion that for purposes of applying the prior art presented herein to evaluate the patentability of the Challenged Claims, no terms require express construction.
`
VII. IDENTIFICATION OF HOW THE CLAIMS ARE UNPATENTABLE

29. The discussion in this Declaration provides a detailed analysis of how the asserted prior art references teach each limitation of the Challenged Claims.

30. As part of my analysis, I have considered, and discuss in detail, the scope and content of the prior art and any differences between the alleged invention and the prior art.

31. It is my opinion that the alleged invention recited in the Challenged Claims would have been obvious in view of the teachings of the asserted prior art and the knowledge of a POSITA.
`
VIII. W-L RENDERS OBVIOUS CLAIMS 14 AND 19-20

A. Summary of W-L

32. U.S. Patent No. 7,359,962 to Willebeek-LeMair et al. (Ex.1005, “W-L”) was filed April 30, 2002, and issued April 15, 2008. W-L is titled “Network Security System Integration.”

33. W-L was first cited by Applicant in the parent application, in what would become the ’069 patent, after the issue fee was paid with a petition to withdraw from issuance, along with 27 other patents, 23 patent publications, and 11 non-patent literature citations in June 2015. See ’069 File History, pp. 12-18. The Examiner mailed a new notice of allowance with an Examiner’s Amendment in July 2015. ’069 File History, pp. 28-85 (see also p. 84, commenting that no reason for allowance is necessary). W-L was cited in the ’431 patent on December 4, 2014, along with 794 other patent/patent publication prior art (and 17 non-patent literature references) during prosecution of the ’431 patent (before a different Examiner). Compare ’069 File History, pp. 84, 93-100 (Examiner Dant Shaifer Harriman) to ’431 File History, pp. 481-514 (IDS filing), 546-579 (IDS considered by Examiner Madhuri Herzog).[1]

[1] I have also reviewed the file histories of U.S. Pat. No. 8,266,699 and U.S. App. Nos. 14/499,226, 14/499,227, and 14/499,239, and, to the best of my knowledge, neither W-L nor Hill was substantively discussed in any of these file histories.

34. Like the ’431 patent, W-L “relates to network security” that integrates functionality “to provide for a unified network defense structure.” W-L at 1:7-10. This includes integrating “the functionalities performed by a firewall, IDS and VAS [vulnerability assessment scanner] for network security into one system or appliance supported on a single platform.” W-L at 3:14-18. The unified system includes “an enterprise resource database” that contains data that identifies “machines (hosts) in the network, services provided by the hosts, and potential computer system and network device vulnerabilities associated with those machines and services in the context of the network configuration.” W-L at 5:9-15. The system also includes a “signature database” that stores “detection signatures” that comprise “security rules, policies and algorithms” designed to mitigate or avert network damage from vulnerabilities. W-L at 5:20-24. For example, a detection signature includes, among other objects, an “action set” which is a “definition of the action or actions” for the system to perform if a threat is detected. W-L at 10:58-60.

35. The system also includes an “agent” which “functions to configure, tune and monitor the operation of the intrusion detector functionality 116 and the firewalling functionality 118” shown in FIG. 2. W-L at 9:36-41. Tuning involves the agent accessing the enterprise database and tailoring the relevant detection signature(s) “based on enterprise specific data” to minimize the chance of false positives. W-L at 10:3-19. The agent instantiates the tailored detection signature (which has been determined to be relevant to at least some part of the network) at the intrusion detector functionality and/or the firewalling functionality “to be sensitive to the specific recognized vulnerabilities of the network 14 being protected.” W-L at 11:40-54.

36. With the detection signatures so instantiated, in operation if either (or both) of the intrusion detector functionality and the firewalling functionality “subsequently detects traffic that matches the criteria of the detection signature,” then “the threat response actions defined by that signature are then invoked” in order to mitigate the effect of any attack. W-L at 13:35-39. Some examples of actions taken include logging or blocking traffic, generating an alert, terminating a session, and so forth. W-L at 13:40-42.
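Added illustration (not part of the declaration and not code from W-L): the flow summarized in paragraphs 34-36, in which signatures correlated to vulnerabilities are tailored against enterprise data, instantiated, and their action sets invoked on a match. All class names, field names, identifiers, addresses and payload strings are hypothetical and constructed for this example.

```python
"""Model of vulnerability-correlated signature tuning and response.

Every name and value here is hypothetical sample data constructed for this
example; none of it is taken from W-L or from the '431 patent.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str
    vuln_id: str        # vulnerability this signature is correlated to
    dst_port: int       # service port the match criteria apply to
    pattern: bytes      # payload pattern (placeholder strings only)
    action_set: tuple   # actions to perform when the criteria match


@dataclass(frozen=True)
class Host:
    ip: str
    open_ports: frozenset
    vuln_ids: frozenset  # vulnerabilities a scan attributed to this host


@dataclass(frozen=True)
class Instantiated:
    signature: Signature
    scope: frozenset     # destination IPs the signature is applied to


# Constructed signature database: one row per vulnerability-correlated rule.
SIGNATURE_DB = (
    Signature("SIG-1", "VULN-A", 80, b"EXAMPLE-PATTERN-A", ("log", "block")),
    Signature("SIG-2", "VULN-B", 25, b"EXAMPLE-PATTERN-B", ("log", "terminate")),
    Signature("SIG-3", "VULN-C", 1433, b"EXAMPLE-PATTERN-C", ("alert",)),
)

# Constructed enterprise resource data: hosts, services, known vulnerabilities.
ENTERPRISE_DB = (
    Host("10.0.0.10", frozenset({80, 1433}), frozenset({"VULN-A"})),
    Host("10.0.0.11", frozenset({80}), frozenset()),
    Host("10.0.0.20", frozenset({25}), frozenset({"VULN-B"})),
)


def tune(signature_db, enterprise_db):
    """Keep only signatures whose vulnerability exists on some host, and
    scope each one to the hosts that actually expose that vulnerability."""
    tuned = []
    for sig in signature_db:
        scope = frozenset(
            h.ip for h in enterprise_db
            if sig.vuln_id in h.vuln_ids and sig.dst_port in h.open_ports
        )
        if scope:
            tuned.append(Instantiated(sig, scope))
    return tuned


def instantiate_all(signature_db, enterprise_db):
    """Untuned baseline: every signature applied to every host."""
    everyone = frozenset(h.ip for h in enterprise_db)
    return [Instantiated(sig, everyone) for sig in signature_db]


def inspect(packet, instantiated):
    """Return the ordered, de-duplicated actions invoked for one packet."""
    actions = []
    for inst in instantiated:
        sig = inst.signature
        if (packet["dst"] in inst.scope
                and packet["dst_port"] == sig.dst_port
                and sig.pattern in packet["payload"]):
            for action in sig.action_set:
                if action not in actions:
                    actions.append(action)
    return tuple(actions)


# Constructed traffic samples.
SAMPLE_PACKETS = (
    {"dst": "10.0.0.10", "dst_port": 80, "payload": b"GET /EXAMPLE-PATTERN-A"},
    {"dst": "10.0.0.11", "dst_port": 80, "payload": b"GET /EXAMPLE-PATTERN-A"},
    {"dst": "10.0.0.20", "dst_port": 25, "payload": b"HELO EXAMPLE-PATTERN-B"},
    {"dst": "10.0.0.10", "dst_port": 1433, "payload": b"EXAMPLE-PATTERN-C"},
)

if __name__ == "__main__":
    tuned = tune(SIGNATURE_DB, ENTERPRISE_DB)
    untuned = instantiate_all(SIGNATURE_DB, ENTERPRISE_DB)
    for pkt in SAMPLE_PACKETS:
        print(pkt["dst"], pkt["dst_port"],
              "untuned:", inspect(pkt, untuned),
              "tuned:", inspect(pkt, tuned))
```

The second and fourth sample packets trigger actions only under the untuned baseline, which is the false-positive case that tailoring against enterprise data is described as reducing.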
`
B. Detailed Analysis of Claims

1. Claim 14

a. [14.0] A computer program product embodied on a non-transitory computer readable medium, the computer program product comprising:

37. To the extent that the preamble is limiting, W-L renders it obvious.

38. W-L teaches using an appliance with underlying hardware, operating system (software), and other facilities required to perform the operations of its disclosure. “The appliance 500 includes a platform 510 supporting its operation. The platform 510 comprises the underlying hardware, operation system and core infrastructure facilities necessary to allow the appliance 500 to provide an execution environment for security application.” W-L at 16:1-5.

39. W-L teaches that the “appliance 500 further includes a security application functionality 512 that executes on the platform and which, in the preferred embodiment is implemented as the unified network defense system 10 shown in FIGS. 1 and 2 and described in detail herein.” W-L at 16:11-15. W-L continues that it “comprises the processes and functions necessary to have the platform 510 function as a network security appliance 500 as opposed to a generic network platform.” W-L at 16:15-19; see also FIG. 6:

[Figure: W-L at FIG. 6 (annotated). Annotation label: “Computer program product embodied on non-transitory computer readable medium”]

40. In other words, W-L teaches that the platform 510 includes the “operating system … necessary” – as well as the “underlying hardware” - to perform its operations in support of the “security application functionality 512.” W-L at 16:2-5. The security application functionality 512 executes on that platform and is “implemented as the unified network defense system 10.” W-L at 16:11-15. Therefore, it would have been obvious to a POSITA that the “security application functionality 512” that W-L discloses is a computer program product that is embodied on the “platform 510” as the non-transitory computer readable medium, further since it was well-known and common for executable applications to be stored on non-transitory computer readable media.[2] See, e.g., Chamberlain at Abstract (computer-readable medium); Mansky at 55:60-64 (computer’s memory device is a computer readable medium that stores the computer operating system “and any additional applications used by the computer”).

[2] As the “security application functionality 512 … is implemented as the unified network defense system 10 shown in FIGS. 1 and 2,” W-L at 16:11-15, the discussion of network defense system 10 herein applies to security application functionality 512 in Figure 5.

41. Therefore, W-L renders obvious “[a] computer program product embodied on a non-transitory computer readable medium,” as recited in the preamble.

b. [14.1] code for: accessing at least one data structure identifying a plurality of mitigation techniques that mitigate effects of attacks that take advantage of vulnerabilities, where:

42. W-L renders obvious this limitation.

43. First, W-L discloses a data structure that identifies multiple signatures (“mitigation techniques” as demonstrated further below). W-L teaches a “signature database 20,” storing a plurality of “signatures”:

    The system 10 further includes a signature database 20 that stores detection signatures 22 (comprising, for example, security rules, policies and algorithms) that are designed to mitigate or avert network damage from detected vulnerabilities. These signatures 22 may be obtained from any one of a number of well known sources, including, for example, machine (host) manufacturers, service suppliers, the Internet, and the like.

W-L, 5:20-27; see also FIG. 1:

[Figure: W-L at FIG. 1 (annotated). Annotation label: “Data structure”]

44. W-L further discloses storing a plurality of signatures in “threat aggregation functionality 128” in FIG. 2:

    External to the system 10, a threat aggregation functionality 128 stores threat information 130 (for example, worm, virus, trojan, DoS, Access, Failure, Reconnaissance, other suspicious traffic, and the like) collected from around the world. The collected information 130 is then analyzed and utilized by the network administrator 142 to design the detection signatures 132 (comprising, for example, security rules, policies and algorithms) that can be used by the system 10 to mitigate or avert network damage from the collected threats (see, also, signatures 22 and database 20 of FIG. 1). These signatures 132 are correlated by the functionality 128, for example, in a relational database structure, to the particular vulnerabilities that they address. In this way, the agent 126 may operate, responsive to a network discovery functionality 112 detected vulnerability, to retrieve the correlated one (or ones) of the signatures 132 stored by the functionality 128.

W-L at 10:36-52; see also FIG. 2:

[Figure: W-L at FIG. 2 (annotated). Annotation label: “Data structure”]

45. W-L teaches that FIG. 2’s embodiment shows “a block diagram for an exemplary integrated architecture of a unified network defense system 10,” which system 10 is also illustrated in FIG. 1 as noted above. W-L at 8:39-42. It would have been obvious to a POSITA to store the signatures of the threat aggregation functionality 128 within the system 10 according to the combined teachings of W-L’s FIGs. 1 and 2. W-L teaches that both figures describe the “unified network defense system 10,” with some options including where the signatures are kept. See also, e.g., W-L at 16:11-15 (stating that the unified network defense system 10 is illustrated in both FIGs. 1 and 2). Either option would have been a matter of design choice to a POSITA.

46. Second, W-L teaches that each signature includes multiple objects “(comprising, for example, security rules, policies and algorithms) that are designed to mitigate or avert network damage from detected vulnerabilities.” W-L at 5:20-24. W-L’s detection signatures include, among those objects, an “action set: a definition of the action or actions (permit, deny, log, block, terminate, and the like) to be performed by the system 10 if the threat is detected.” W-L at 10:53-67.

47. The “action set” in a given signature of W-L teaches a “mitigation technique.” W-L teaches that the actions are applied when a match occurs (i.e., a threat is detected) as defined in the relevant signature: “[i]n the event that the comparison 40 operation performed by the inspection agent 28 is satisfied (i.e., there is a criteria match), any one (or more than one) of a number of possible actions (specified by an object within the detection signature 22 itself) may be taken by the system 10.” W-L at 5:59-63. The “action set” is the object that specifies the possible actions. See W-L at 10:53-67.

48. Therefore, W-L’s database of signatures (each with an “action set” object) is an example of a “data structure,” with the plurality of signatures’ respective action sets teaching the “plurality of mitigation te