UNITED STATES PATENT AND TRADEMARK OFFICE

———————

BEFORE THE PATENT TRIAL AND APPEAL BOARD

———————

CISCO SYSTEMS, INC.,
Petitioner

———————

IPR2021-01242
U.S. Patent No. 9,100,431

PETITION FOR INTER PARTES REVIEW
UNDER 35 U.S.C. § 312 AND 37 C.F.R. § 42.104

IPR2021-01242 Petition
Inter Partes Review of 9,100,431 (Claims 1-2, 4-12, 14-20)

TABLE OF CONTENTS

Petitioner’s Exhibit List
I. Introduction
II. Grounds for standing
III. Note
IV. Summary of the ’431 patent
V. Prosecution history
VI. Effective priority date of the ’431 patent
VII. Level of ordinary skill in the art
VIII. Claim construction
IX. Relief requested and reasons therefore
X. Identification of how the claims are unpatentable
    A. Challenged claims
    B. Statutory grounds for challenges
    C. Ground 1
        1. Summary of W-L
        2. Claim 14
        3. Claim 19
        4. Claim 20
    D. Ground 2
        1. Summary of Hill
        2. Reasons to combine W-L and Hill
        3. Claim 1
        4. Claim 2
        5. Claim 4
        6. Claim 5
        7. Claim 6
        8. Claim 7
        9. Claim 8
        10. Claim 9
        11. Claim 10
        12. Claim 11
        13. Claim 12
        14. Claim 15
        15. Claim 16
        16. Claim 17
        17. Claim 18
XI. Discretionary denial is inappropriate
    A. Discretionary denial under 35 U.S.C. § 325(d) is not appropriate
    B. Discretionary denial under the Fintiv factors is not appropriate
        1. Potential for stay of co-pending litigation
        2. Estimated trial date vs. deadline for a final written decision
        3. Investment in the parallel proceeding
        4. Overlap of issues
        5. Whether the petitioner is a defendant
        6. Other circumstances that impact the Board’s exercise of discretion, including the merits
XII. Conclusion
XIII. Mandatory notices
    A. Real party-in-interest
    B. Related matters
    C. Lead and back-up counsel and service information
XIV. Appendix of Challenged Claims
Certificate of Word Count
Certificate of Service

PETITIONER’S EXHIBIT LIST

Ex.1001  U.S. 9,100,431
Ex.1002  Prosecution History of U.S. 9,100,431
Ex.1003  Declaration of A.L. Narasimha Reddy, Ph.D. under 37 C.F.R. § 1.68
Ex.1004  Curriculum Vitae of A.L. Narasimha Reddy, Ph.D.
Ex.1005  U.S. 7,359,962 to Willebeek-LeMair et al.
Ex.1006  U.S. 6,088,804 to Hill et al.
Ex.1007  RESERVED
Ex.1008  Prosecution History of U.S. 9,117,069 (selected pages)
Ex.1009  Markus Goncalves & Steven Brown, Check Point Firewall-1 (McGraw-Hill 2000)
Ex.1010  Plaintiff’s Combined Opening and Responsive Claim Construction Brief, SecurityProfiling, LLC v. Trend Micro America, Inc. et al., No. 3:17-cv-01484-N, Dk. #94 (N.D. Tex. Jan. 22, 2018).
Ex.1011  IPR2017-02191, Granting Request for Adverse Judgment, Paper 18, September 26, 2018
Ex.1012  IPR2017-02192, Final Written Decision, Paper 31, April 8, 2019
Ex.1013  Complaint, SecurityProfiling, LLC v. Cisco Systems, Inc., 6-21-cv-00337 (W.D.Tex., April 7, 2021)
Ex.1014  RESERVED
Ex.1015  Timing Statistics, U.S. District Court for the Western District of Texas (Source: Lex Machina, July 8, 2021).
Ex.1016  Markman Order, SecurityProfiling LLC v. Trend Micro America Inc et al., 3-17-cv-01484, (N.D.Tex., Sept. 25, 2018)
Ex.1017  Exhibit 8 to Complaint, SecurityProfiling, LLC v. Cisco Systems, Inc., 6-21-cv-00337 (W.D.Tex., April 7, 2021)
Ex.1018  U.S. 6,856,627 to Saleh et al.
Ex.1019  U.S. 6,584,093 to Salama et al.
Ex.1020  U.S. 7,398,273 to Dobberpuhl et al.
Ex.1021  U.S. Publication 2003/0093509 by Li et al.
Ex.1022  U.S. 6,735,766 to Chamberlain et al.
Ex.1023  U.S. 6,668,230 to Mansky et al.

I. INTRODUCTION

Cisco Systems, Inc. (“Petitioner”) respectfully requests that the Board review and cancel as unpatentable claims 1-2, 4-12, and 14-20 (hereinafter, the “Challenged Claims”) of U.S. 9,100,431 (the “’431 patent,” Ex.1001).

The ’431 patent “relates to … management of security of computing and network devices” connected in a network. Ex.1001, 1:18-20. An examiner allowed the claims because the prior art allegedly “fail[ed] to teach identifying a remediation technique based on the operating system.” Ex.1002, 780. However, U.S. 7,359,962 (“W-L,” Ex.1005) teaches addressing operating-system-specific threats, such as “malicious code intended to exploit a Microsoft IIS web server running on a Microsoft operating system.” Ex.1005, 12:46-50. This and the other prior art disclosures render the Challenged Claims obvious, as explained below and confirmed in the Declaration of Dr. Narasimha Reddy (Ex.1003).

II. GROUNDS FOR STANDING

Petitioner certifies the ’431 patent is IPR-eligible, and Petitioner is not barred or estopped from requesting IPR challenging the patent claims. 37 C.F.R. § 42.104(a).

III. NOTE

Petitioner cites to exhibits’ original page numbers. Emphasis in quoted material has been added. Claim terms are italicized. Where not included as a heading above the claim analysis, the full claim text is available in the Appendix of Challenged Claims.

IV. SUMMARY OF THE ’431 PATENT

The ’431 patent “relates to…management of security of computing and network devices.” Ex.1001, 1:18-20. The ’431 patent is part of a family of patents and applications, including two patents that had claims cancelled in IPRs. See generally Exs.1011, 1012.

A “security server 135” collects operating system and other configuration data about devices in the network. Ex.1001, 2:20-28, 32-35; see also Fig.1 below; Ex.1003, ¶¶24-25. The server determines whether network traffic “is attempting to take advantage of a particular known vulnerability.” Ex.1001, 3:60-62, 4:4-12. If so, the server “selects one or more remediation techniques” for the particular vulnerability. Ex.1001, 4:45-47; Ex.1003, ¶26.

Ex.1001, Fig. 1

V. PROSECUTION HISTORY

In response to an Office action, the Applicant amended the independent claims to include subject matter indicated as allowable. Ex.1002, 763. In the Notice of Allowance, the Examiner explained that “the prior arts fail to teach identifying a remediation technique based on the operating system.” Ex.1002, 780.

VI. EFFECTIVE PRIORITY DATE OF THE ’431 PATENT

The earliest claimed priority date is July 1, 2003. Ex.1001. In prosecution, the Applicant alleged a reduction to practice on October 15, 2002. Ex.1002, 765-766. This petition cites prior art predating October 15, 2002, so Petitioner has not undertaken a priority date analysis. Petitioner does not waive any right or opportunity it may have to dispute the priority date of the ’431 patent in this or another forum where the issue is relevant.

VII. LEVEL OF ORDINARY SKILL IN THE ART

A Person of Ordinary Skill in The Art (“POSITA”) in July 2003 would have had a working knowledge of the network communications art that is pertinent to the ’431 Patent, including network security. A POSITA would have had a bachelor’s degree in computer science, computer engineering, or an equivalent, and two years of professional experience relating to network communications. Lack of professional experience can be remedied by additional education, and vice versa. Ex.1003, ¶¶17-19.

VIII. CLAIM CONSTRUCTION

Claims are construed according to the “Phillips standard,” as set forth in Phillips v. AWH Corp., 415 F.3d 1303 (Fed. Cir. 2005) (en banc). See 83 Fed. Reg. 51341 (Oct. 11, 2018). Petitioner believes that, for purposes of this proceeding and the analysis presented herein, no claim term requires express construction.¹ Nidec Motor Corp. v. Zhongshan Broad Ocean Motor Co., 868 F.3d 1013, 1017 (Fed. Cir. 2017); see also Ex.1003, ¶28.

¹ A district court previously construed certain claim terms in the ’431 Patent in a prior lawsuit. See Ex.1016. Petitioner was not a party to that case, and the case therefore involved different points of dispute from this IPR proceeding. Petitioner reserves its rights to: (1) respond to assertions by Patent Owner that any claim term requires construction for the purposes of this IPR proceeding; and (2) seek construction of any claim term in other forums as appropriate.

IX. RELIEF REQUESTED AND REASONS THEREFORE

Petitioner asks that the Board institute a trial for inter partes review and cancel the Challenged Claims in view of the analysis below.

X. IDENTIFICATION OF HOW THE CLAIMS ARE UNPATENTABLE

A. Challenged claims

Petitioner challenges claims 1-2, 4-12, and 14-20. Claim 14 is asserted against Petitioner in copending litigation. Ex.1017. Thus, a finding that the Challenged Claims are unpatentable in this proceeding will eliminate the need for a trial regarding the ’431 patent in the copending litigation, substantially reducing the time and expense of that litigation for all parties.

B. Statutory grounds for challenges

Grounds   Claims              Basis
#1        14, 19, 20          35 U.S.C. § 103 (Pre-AIA) over U.S. 7,359,962
#2        1-2, 4-12, 15-18    35 U.S.C. § 103 (Pre-AIA) over U.S. 7,359,962 and U.S. 6,088,804

U.S. 7,359,962 to Willebeek-LeMair (Ex. 1005, “W-L”) was filed on April 30, 2002, making W-L prior art under 35 U.S.C. § 102(e) (pre-AIA).

U.S. 6,088,804 to Hill (Ex. 1006, “Hill”) issued July 11, 2000, making Hill prior art under 35 U.S.C. § 102(b) (pre-AIA).²

² If Patent Owner argues that the ’431 patent is an AIA patent, W-L and Hill would still qualify as prior art under post-AIA 35 U.S.C. § 102(a).

Petitioner’s obviousness grounds rely on the combined teachings of the references and not on a physical incorporation of elements. See In re Mouttet, 686 F.3d 1322, 1332 (Fed. Cir. 2012); Ex.1003, ¶106.

Petitioner and Dr. Reddy cite to additional prior art as evidence of the background knowledge of a POSITA and to provide contemporaneous context to support assertions regarding what a POSITA would have understood from the prior art in the grounds. See Yeda Research v. Mylan Pharm. Inc., 906 F.3d 1031, 1041-1042 (Fed. Cir. 2018) (affirming the use of “supporting evidence relied upon to support the challenge”); 37 C.F.R. § 42.104(b); see also K/S HIMPP v. Hear-Wear Techs., LLC, 751 F.3d 1362, 1365-66 (Fed. Cir. 2014); Arendi S.A.R.L. v. Apple Inc., 832 F.3d 1355, 1363 (Fed. Cir. 2016).

For example, Exhibit 1009 (Goncalves) is a book published by a well-known publisher (McGraw-Hill) having a copyright date of 2000, indicating that Goncalves was publicly available at least one year before the ’431 patent.

C. Ground 1

1. Summary of W-L

Like the ’431 patent, W-L “relates to network security.” Ex.1005, 1:7-10. W-L describes integrating “the functionalities performed by a firewall, IDS and [vulnerability assessment scanner] for network security into one system.” Ex.1005, 3:14-18. W-L’s unified system includes “an enterprise resource database” with data identifying potential “vulnerabilities associated with” hosts in the network. Ex.1005, 5:9-15. A “signature database” stores “detection signatures,” which include “security rules, policies and algorithms” to “mitigate or avert network damage from detected vulnerabilities.” Ex.1005, 5:20-24; Ex.1003, ¶¶32-36; see also Figure 1:

Ex.1005, FIG. 1

2. Claim 14

[14.0] A computer program product embodied on a non-transitory computer readable medium, the computer program product comprising:

W-L teaches using an appliance with “underlying hardware, operating system [software],” and other facilities to execute a security application. Ex.1005, 16:1-5; Ex.1003, ¶¶37-38. The appliance includes “a security application functionality 512 that… is implemented as the unified network defense system 10 shown in FIGS. 1 and 2.” Ex.1005, 16:11-15; Fig.6. It would have been obvious to a POSITA to store the security application on a non-transitory computer readable medium, since executable applications were commonly stored in that manner. See, e.g., Ex.1022, Abstract; Ex.1023, 55:60-64. Therefore, it would have been obvious to implement W-L’s “security application functionality 512” as a computer program product that is embodied on the “platform 510” as a non-transitory computer readable medium.³ Ex. 1003, ¶¶37-41.

³ Because the “security application functionality 512 … is implemented as the unified network defense system 10 shown in FIGS. 1 and 2,” Ex.1005, 16:11-15, the extensive discussion of network defense system 10 herein applies to security application functionality 512 in Figure 5.

[Figure annotation: Computer program product embodied on non-transitory computer readable medium]
Ex.1005, FIG. 6 (annotated); Ex.1003, ¶39

[14.1] code for: accessing at least one data structure identifying a plurality of mitigation techniques that mitigate effects of attacks that take advantage of vulnerabilities, where:

First, W-L discloses a “signature database 20” that stores a plurality of “signatures.” Ex.1005, 5:20-27, FIG.1:

[Figure annotation: Data structure]
Ex. 1005, FIG. 1 (annotated); Ex.1003, ¶¶42-43

Signatures are also stored in “threat aggregation functionality 128” in FIG.2. Ex.1005, 10:36-52. W-L teaches that FIG.2’s embodiment is an example “integrated architecture of a unified network defense system 10,” such as was illustrated in FIG.1. Ex.1005, 8:39-42, FIG.2:

[Figure annotation: Data structure]
Ex.1005, FIG. 2 (annotated); Ex.1003, ¶¶44-45

Thus, W-L teaches that FIGS. 1 and 2 describe the “unified network defense system 10,” with options regarding where the signatures are kept (inside or outside of system 10). The option selected would have been a mere design choice to a POSITA. Ex.1003, ¶45.

Second, each signature includes multiple objects “that are designed to mitigate or avert network damage from detected vulnerabilities.” Ex.1005, 5:20-24. W-L’s detection signatures include, as an object, an “action set…to be performed by the system 10 if the threat is detected.” Ex.1005, 10:53-67. W-L teaches that the actions specified by the object (the “action set”) in the relevant signature are applied when a match occurs (i.e., a threat is detected). Ex.1005, 5:59-63; 10:53-67. The “action set” in a given signature accordingly teaches a “mitigation technique.” Ex.1003, ¶¶46-47.

Therefore, W-L’s database of signatures is a “data structure,” with the plurality of signatures’ respective action sets together teaching the “plurality of mitigation techniques” identified by the database. Ex.1003, ¶48.

Third, as an alternative mapping to the claimed “mitigation technique,” W-L’s action (one “mitigation technique”) or actions (“a plurality of mitigation techniques”) included in a given action set also render obvious “mitigation techniques.” See infra, [14.6]. These action(s) are in an action set object in a signature, with the signature stored in W-L’s database. The individual actions in an action set are, therefore, identified by the database and by a corresponding signature. Ex.1003, ¶49.

Fourth, W-L’s actions, action sets, and signatures are designed to mitigate damage from attacks. Ex.1005, 5:59-65, 7:4-9. W-L teaches that the intrusion detector or firewalling functionality compares criteria included in each signature against traffic. Ex.1005, 9:49-51. Each signature “further includes response instructions which the intrusion detector functionality 116 and/or firewalling functionality 118 follow” when a “match” occurs (which indicates a threat has been detected). Ex.1005, 9:51-55. The action set object of a signature maintains the “response instructions” to take one or more actions in response to a detected threat. See Ex.1005, 10:54-60; Ex.1003, ¶¶50-52.

Fifth, W-L teaches obtaining the signatures (with action set and defined actions) from the database 20, an example of “accessing at least one data structure” for the mitigation techniques “that mitigate the effects of an attack.” See, e.g., Ex.1005, 5:50-53 (showing comparing traffic against “the detection signatures 22 obtained from the signature database 20.”), 10:50-52 (retrieving the signatures from FIG. 2’s functionality 128). W-L further teaches, in response to discovering a vulnerability, accessing the location where the signatures (with the action set object, and action(s) in each action set object) are stored. Ex.1005, 13:25-35 (“[T]he agent 126 retrieves from enterprise vulnerabilities database 132 (step 206) a detection signature 132 associated with the discovered vulnerability.”); Ex.1003, ¶53.

W-L’s database and functionality teachings, whether internal or external to the system 10, render obvious accessing the data structure (database) for the signatures (which identify a plurality of “mitigation techniques”). Considering each action as a “mitigation technique,” W-L teaches looking at the “action set” object which identifies the “actions” (“mitigation techniques”) to perform in response to a detected attack. See Ex.1005, 10:58-60. Thus, W-L further renders obvious accessing the object containing the actions to be taken (a “plurality of mitigation techniques”) in response to an attack that is detected. Ex.1003, ¶¶54-55.

It would have further been obvious for this functionality and database to be stored as part of W-L’s “security application functionality 512” with “the functions necessary to have the platform 510 function as a network security appliance 500.” Ex.1005, 16:15-19. It was obvious that the functionality would include the appropriate “code.” Indeed, as discussed at [14.0], it would have been obvious for W-L’s security application functionality 512 to include “code” (e.g., as part of the “functions necessary”) for implementing system 10’s functionality. See Ex.1005, 16:15-19; see also FIG.6; Ex.1003, ¶¶54-56.

Therefore, W-L renders obvious [14.1]. Ex.1003, ¶57.

[14.2] each mitigation technique is capable of mitigating an effect of an attack that takes advantage of a corresponding vulnerability, and

First, W-L’s detection signatures include “security rules, policies and algorithms[] that are designed to mitigate or avert network damage from detected vulnerabilities.” Ex.1005, 5:20-27; see also 10:46-52 (signatures are correlated to the vulnerabilities “that they address”). In an example, each signature is designed to address an attack. Ex. 1005, 11:56-64. Each signature’s action set is designed to address an attack by defining one or multiple actions including “permit, deny, log, block, terminate, and the like” that are capable of mitigating an effect of an attack. See Ex.1005, 10:58-60. Thus, W-L teaches that each signature’s action set, or actions defined in a set (each an example “mitigation technique”) is “capable of mitigating an effect of an attack.” Ex.1003, ¶¶58-61.

Second, W-L teaches that the attacks being mitigated are ones “that take[] advantage of a corresponding vulnerability.” For example, W-L teaches that “detection signature[s]” address “vulnerability concern[s].” Ex.1005, 15:37-43. As another example, W-L describes retrieving a signature associated with a vulnerability upon discovering a vulnerability. Ex.1005, 14:46-56. The signature is activated to identify, and implement protective action against, a subsequent attack that would exploit the vulnerability. Ex.1005, 14:57-15:6, and FIG.4. Thus, W-L renders obvious [14.2]. Ex.1003, ¶¶62-64.

[14.3] each mitigation technique has a mitigation type including at least one of a patch, a policy setting, or a configuration option;

As already noted, W-L teaches a plurality of signatures that include “security rules, policies and algorithms[].” Ex.1005, 5:20-27. W-L teaches specifying in an action set of a signature multiple actions including “permit, deny, log, block, terminate, and the like.” See Ex.1005, 10:58-60, and [14.2]. These are examples of mitigation techniques. Ex.1003, ¶¶65-66.

As discussed further below, each action and action set has a mitigation type such as “a patch, a policy setting, or a configuration option.” W-L teaches or renders obvious each of the recited options, any one of which is sufficient to render the limitation obvious. Ex.1003, ¶¶67-69.

The ’431 patent specification does not define “policy setting” or “configuration option;” instead, each term is simply referred to in a list. See Ex.1001, Abstract, 1:31-35, 5:36-40. A POSITA looking at “policy setting” and “configuration option” would recognize that there is conceptual overlap between them, which Patent Owner acknowledged as well in a prior litigation asserting the ’431 patent. See generally Ex.1010, 15-17. For example, Patent Owner acknowledged that some actions, including dropping or rejecting a connection request, are considered both a policy setting and a configuration option. Ex.1010, 16-17; Ex.1003, ¶¶70-71.

W-L’s actions defined in an action set are instantiated (by instantiation of corresponding signature(s)) at an intrusion detector functionality 116 and/or firewalling functionality 118. Ex.1005, 3:64-66, 9:45-48. Each functionality applies policy settings and configuration options. For example, W-L teaches an intrusion detector functionality 116 detecting an attack, and firewalling functionality 118 “dropping packets or shutting down the session or origin of the attack.” Ex.1005, 9:31-35. W-L shows both a policy setting and a configuration option, and therefore renders [14.3] obvious. Ex.1003, ¶72.

The action(s) for each detection signature are examples of both a policy setting and a configuration option. Specifically, W-L discloses an “action set” selected from the group “permit, deny, log, block, terminate, and the like” for each signature, Ex.1005, 10:43-60, which also renders obvious [14.3]. Further, each claimed “mitigation type” is specifically taught or rendered obvious by W-L, as explained below. Ex.1003, ¶¶73-74.

Policy Setting

W-L specifically teaches a signature including a policy setting to block traffic originating from an attacker’s IP address. Ex.1005, 14:46-15:8 (“[T]he agent 126 instantiates a policy on the firewalling functionality 118 in step 318 instructing the firewall to block all traffic originating from the noted IP address of the attacker.”); Ex.1005, 15:9-21 (discussing “authorizing activation of a policy by the firewalling functionality 118 in step 332 that instructs the firewall to block all traffic originating from the noted IP address of the attacker.”); Ex.1003, ¶¶75-77.

Configuration Option

W-L further teaches signatures that include a configuration option. For example, W-L teaches “the detection signature 132 specifies block and terminate actions to be taken,” with “a block action to be taken by the firewalling functionality 118 to block the attack-related traffic, and a terminate action to be taken by the intrusion detector functionality 116 to terminate any session associated with a possible attack.” Ex.1005, 12:33-43; see also 13:35-42 (logging or blocking traffic, generating an alert, terminating a session); Ex.1003, ¶78.

The actions that the firewall and the intrusion detector functionalities are configured to take responsive to attack are both examples of configuration options. This is consistent with the ’431 patent’s explanation that configuration information “often determines what and how data is accepted from other devices, sent to other devices, processed, stored, or otherwise handled” (Ex.1001, 5:26-35), and with PO’s litigation argument. Ex.1010, 16-17; Ex.1003, ¶79.

Patch

W-L also renders obvious a patch as a “mitigation technique.” In operation, “vulnerability assessments” are generated which can “include severity assessment and links to vendor patches and other pertinent data from the web that would assist in addressing the vulnerability.” Ex.1005, 14:34-42. W-L further teaches that, in response to detecting a vulnerability, an agent in system 10 updates the network administrator about the detected vulnerability, retrieves a detection signature associated with the vulnerability, and activates the signature on the intrusion detector functionality. See Ex.1005, 14:46-59. Because “vendor patches” are described as options for network-defending actions, Ex.1005, 14:38-45, it would have been obvious for at least one detection signature to include as an action the installation of a vendor patch. Ex.1003, ¶ 81. It would have therefore been obvious for at least one of the detection signatures (e.g., stored in database 20, see [14.1]) to include a patch as a mitigation type. For these reasons, W-L teaches, and renders obvious, [14.3]. Ex.1003, ¶¶80-83.

[14.4] code for: receiving information in connection with at least one of a plurality of devices; and

W-L teaches collecting “network device vulnerabilities” from “machines” in the network. Ex.1005, 5:9-19; see also Ex.1005, 14:48-51 (describing network discovery functionality performing a scan of the network 14 and discovering a vulnerability), 8:39-53 (describing collection of information about network devices with network discovery functionality). W-L’s disclosure of collecting network device vulnerabilities is an example of “receiving information in connection with at least one of a plurality of devices.” Ex.1003, ¶¶84-87.

W-L’s “information” is collected from packets received (and inspected) at the system 10. W-L teaches having “an inspection agent extract features (for example, packet features) from entering traffic.” Ex.1005, 3:41-44. The system 10 inspects “traffic 30 that is entering the protected network 14” including “a header portion 34 and a payload portion 36” of the entering traffic. Ex.1005, 5:37-41. W-L’s further description of collecting packet traffic information, including the packet traffic itself, further discloses “receiving information in connection with at least one of a plurality of devices.” Ex.1003, ¶ 88.

Finally, W-L teaches “code” as claimed. See [14.1]. Therefore, W-L renders obvious [14.4]. Ex.1003, ¶¶89-90.

[14.5] [code