`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`———————
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`———————
`
`CISCO SYSTEMS, INC.,
`Petitioner
`
`———————
`
`IPR2022-00259
`U.S. Patent No. 10,609,063
`
`
`PETITION FOR INTER PARTES REVIEW
`UNDER 35 U.S.C. § 312 AND 37 C.F.R. § 42.104
`
`
`
`
`
`

`

`
`
`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`TABLE OF CONTENTS
`
`Petitioner’s Exhibit List ............................................................................................. 5
`
`I.
`
`II.
`
`Introduction ...................................................................................................... 7
`
`Grounds for standing ....................................................................................... 7
`
`III. Note .................................................................................................................. 7
`
`IV. Summary of the ’063 patent ............................................................................ 8
`
`V.
`
`Prosecution history .......................................................................................... 9
`
`VI. Effective priority date of the ’063 patent ......................................................10
`
`VII. Level of ordinary skill in the art ....................................................................10
`
`VIII. Claim construction .........................................................................................10
`
`IX. Relief requested and reasons therefore ..........................................................11
`
`X.
`
`Identification of how the claims are unpatentable .........................................11
`
`A.
`
`B.
`
`C.
`
`Challenged claims .............................................................................. 11
`
`Statutory grounds for challenges ........................................................ 12
`
`Ground 1 ............................................................................................. 13
`
`1.
`
`2.
`
`3.
`
`4.
`
`5.
`
`Summary of W-L ..................................................................... 13
`
`Claim 10 ................................................................................... 15
`
`Claim 11 ................................................................................... 44
`
`Claim 39 ................................................................................... 46
`
`Claim 58 ................................................................................... 49
`
`D. Ground 2 ............................................................................................. 49
`
`
`
`2
`
`

`

`
`
`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`1.
`
`2.
`
`3.
`
`4.
`
`5.
`
`6.
`
`7.
`
`8.
`
`Summary of Gupta ................................................................... 49
`
`Summary of Graham ................................................................ 50
`
`Reasons to combine Gupta and Graham .................................. 50
`
`Similarity to IPR2017-02192 (US 8,984,644) ......................... 51
`
`Claim 10 ................................................................................... 54
`
`Claim 11 ................................................................................... 69
`
`Claim 39 ................................................................................... 71
`
`Claim 58 ................................................................................... 75
`
`XI. Discretionary denial is inappropriate .............................................................75
`
`A. Discretionary denial under 35 U.S.C. § 325(d) is not appropriate .... 75
`
`B.
`
`Discretionary denial under the Fintiv factors is not appropriate ........ 78
`
`1.
`
`2.
`
`3.
`
`4.
`
`Potential for stay of co-pending litigation ............................... 79
`
`Estimated trial date vs. deadline for a final written
`decision .................................................................................... 79
`
`Investment in the parallel proceeding ...................................... 80
`
`Overlap of issues ...................................................................... 81
`
`5. Whether the petitioner is a defendant ...................................... 82
`
`6.
`
`Other circumstances that impact the Board’s exercise of
`discretion, including the merits ................................................ 82
`
`C.
`
`Discretionary denial under the General Plastic factors is not
`appropriate .......................................................................................... 83
`
`XII. Conclusion .....................................................................................................84
`
`
`
`3
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`XIII. Mandatory notices .........................................................................................85
`
`A.
`
`B.
`
`C.
`
`Real party-in-interest .......................................................................... 85
`
`Related matters ................................................................................... 85
`
`Lead and back-up counsel and service information ........................... 86
`
`Certificate of Word Count .......................................................................................87
`
`Certificate of Service ...............................................................................................88
`
`
`
`4
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`PETITIONER’S EXHIBIT LIST
`
`U.S. 10,609,063
`
`Prosecution History of U.S. 10,609,063
`
`Declaration of A.L. Narasimha Reddy, Ph.D. under 37 C.F.R. §
`1.68
`Curriculum Vitae of A.L. Narasimha Reddy, Ph.D.
`
`U.S. 7,359,962 to Willebeek-LeMair et al.
`
`U.S. Pub. 2003/0004689 to Gupta et al.
`U.S. 7,237,264 to Graham et al.
`
`Prosecution History of U.S. 9,117,069 (selected pages)
`
`Prosecution History of U.S. 9,100,431 (selected pages)
`Prosecution History of U.S. 10,050,988 (selected pages)
`
`IPR2017-02191, Granting Request for Adverse Judgment, Paper 18
`(September 26, 2018)
`
`IPR2017-02192, Final Written Decision, Paper 31 (April 8, 2019)
`Complaint, SecurityProfiling, LLC v. Cisco Systems, Inc., 6-21-cv-
`01106 (W.D. Tex., October 25, 2021)
`U.S. 6,493,871 to Mcguire et al.
`
`Timing Statistics, U.S. District Court for the Western District of
`Texas (Source: Lex Machina, August 27, 2021).
`
`U.S. Pub. 2003/0084340 to Schertz et al.
`Exhibit 7 to the Complaint, SecurityProfiling, LLC v. Cisco
`Systems, Inc., 6-21-cv-01106 (W.D. Tex., October 25, 2021)
`
`Ex.1001
`
`Ex.1002
`
`Ex.1003
`
`Ex.1004
`
`Ex.1005
`
`Ex.1006
`Ex.1007
`
`Ex.1008
`
`Ex.1009
`Ex.1010
`
`Ex.1011
`
`Ex.1012
`Ex.1013
`
`Ex.1014
`
`Ex.1015
`
`Ex.1016
`Ex.1017
`
`Ex.1018
`
`U.S. 6,735,766 to Chamberlain et al.
`
`5
`
`
`
`
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`Ex.1019
`
`Ex.1020
`
`Reserved
`
`U.S. 8,205,161 to King et al.
`
`
`6
`
`
`
`
`
`
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`INTRODUCTION
`
`
`I.
`
`Cisco Systems, Inc. (“Petitioner”) respectfully requests that the Board
`
`review and cancel as unpatentable claims 10, 11, 39 and 58 (hereinafter, the
`
`“Challenged Claims”) of U.S. 10,609,063 (the “’063 patent,” Ex.1001).
`
`This is Petitioner’s second IPR filing on the ’063 patent and is prompted by
`
`the Patent Owner’s filing of a new complaint alleging infringement of different
`
`claims than previously. See Ex.1013; see also IPR2021-01428. Patent Owner now
`
`asserts in litigation claim 11 (among others) which depends from claim 10.
`
`Ex.1017, 19-42. This Petition shows that claims 10 and 11 are unpatentable over
`
`the same prior art addressed in IPR2021-01428. Claims 39 and 58 are
`
`substantially similar to claims 10 and 11, respectively, and are therefore also
`
`challenged in this Petition.
`
`II. GROUNDS FOR STANDING
`
`Petitioner certifies the ’063 patent is IPR-eligible, and Petitioner is not
`
`barred or estopped from requesting IPR challenging the patent claims. 37 C.F.R.
`
`§ 42.104(a).
`
`III. NOTE
`Petitioner cites to exhibits’ original page numbers. Emphasis in quoted
`
`material has been added. Claim terms are italicized.
`
`
`
`7
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`IV. SUMMARY OF THE ’063 PATENT
`
`The ’063 patent “relates to… management of security of computing and
`
`network devices.” Ex.1001, 1:23-26. The ’063 patent is part of a family of patents
`
`and applications, including two patents that had claims cancelled in previous IPRs.
`
`See generally Exs.1011, 1012.
`
`A “security server 135” collects operating system and other configuration
`
`data about devices in the network. Ex.1001, 2:30-38, 42-45; see also Fig.1 below;
`
`Ex.1003, ¶¶24-25. The server determines whether network traffic “is attempting to
`
`take advantage of a particular known vulnerability.” Ex.1001, 4:9-11, 4:21-29. If
`
`so, the server “selects one or more remediation techniques” for the particular
`
`vulnerability. Ex.1001, 4:62-64; Ex.1003, ¶¶25-26.
`
`
`
`8
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`
`Ex.1001, FIG. 1
`
`
`
`V.
`
`PROSECUTION HISTORY
`
`In response to an Office action, the Applicant amended the independent
`
`claims to include recitation of “utilizing one or more network monitors” and
`
`“based on a packet analysis,” in order to overcome a rejection under 35 U.S.C.
`
`§ 101 and argued against a § 103 rejection. Ex.1002, 527-83. In the Notice of
`
`Allowance, the Examiner explained that the prior arts fail to teach “identifying an
`
`
`
`9
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`occurrence, determining that at least one vulnerability is susceptible to being taken
`
`advantage by the occurrence and selectively utilizing diverse mitigation actions
`
`including a firewall.” Ex.1002, 598.
`
`VI. EFFECTIVE PRIORITY DATE OF THE ’063 PATENT
`
`The earliest claimed priority date is July 1, 2003. Ex.1001. In prosecution,
`
`the Applicant alleged a reduction to practice on September 27, 2002. Ex.1002,
`
`289-90. This petition cites prior art predating September 27, 2002, so Petitioner has
`
`not undertaken a priority date analysis. Petitioner does not waive any right or
`
`opportunity it may have to dispute the priority date of the ’063 patent in this or
`
`another forum where the issue is relevant.
`
`VII. LEVEL OF ORDINARY SKILL IN THE ART
`
`A Person of Ordinary Skill in The Art (“POSITA”) in July 2003 would have
`
`had a working knowledge of the network communications art that is pertinent to
`
`the ’063 Patent, including network security. A POSITA would have had a
`
`bachelor’s degree in computer science, computer engineering, or an equivalent,
`
`and two years of professional experience relating to network communications.
`
`Lack of professional experience can be remedied by additional education, and vice
`
`versa. Ex.1003, ¶¶17-19.
`
`VIII. CLAIM CONSTRUCTION
`
`Claims are construed according to the “Phillips standard,” as set forth in
`
`
`
`10
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`Phillips v. AWH Corp., 415 F.3d 1303 (Fed. Cir. 2005) (en banc). See 83 Fed. Reg.
`
`51341 (Oct. 11, 2018). Petitioner believes that, for purposes of this proceeding and
`
`the analysis presented herein, no claim term requires express construction.1 Nidec
`
`Motor Corp. v. Zhongshan Broad Ocean Motor Co., 868 F.3d 1013, 1017 (Fed.
`
`Cir. 2017); see also Ex.1003, ¶28.
`
`IX. RELIEF REQUESTED AND REASONS THEREFORE
`
`Petitioner asks that the Board institute a trial for inter partes review and
`
`cancel the Challenged Claims in view of the analysis below.
`
`X.
`
`IDENTIFICATION OF HOW THE CLAIMS ARE UNPATENTABLE
`
`A. Challenged claims
`
`Petitioner challenges claims 10, 11, 39 and 58. At least claims 11, 12 and 16,
`
`which depend from claim 10, are asserted against Petitioner in copending
`
`
`1 The Patent Trial and Appeal Board previously construed certain claim terms in
`
`the related U.S. 8,984,644 in a prior IPR (applying the broadest reasonable
`
`interpretation). See Ex.1012. Petitioner was not a party to that case, and the case
`
`therefore involved different points of dispute from this IPR proceeding. Petitioner
`
`reserves its rights to: (1) respond to assertions by Patent Owner that any claim term
`
`requires construction for the purposes of this IPR proceeding; and (2) seek
`
`construction of any claim term in other forums as appropriate.
`
`
`
`11
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`litigation. Ex.1017, 37-53. Infringement contentions have not been served in that
`
`case. Thus, a finding that the Challenged Claims are unpatentable in this
`
`proceeding will reduce the number of possible claims for trial regarding the ’063
`
`patent in the copending litigation, and substantially reduce the time and expense of
`
`that litigation for all parties for any other claims that are asserted with overlapping
`
`subject matter.
`
`B.
`
`Statutory grounds for challenges
`
`Grounds
`#1
`#2
`
`Basis
`Claims
`10, 11, 39, 58 35 U.S.C. § 103 over U.S. 7,359,962 (W-L)
`10, 11, 39, 58 35 U.S.C. § 103 over U.S. 2003/0004689 (Gupta)
`and U.S. 7,237,264 (Graham)
`
`
`
`U.S. 7,359,962 to Willebeek-LeMair (Ex. 1005, “W-L”) was filed on April
`
`30, 2002, making W-L prior art under 35 U.S.C. § 102(e) (pre-AIA) and under 35
`
`U.S.C. § 102(a) (post-AIA).
`
`U.S. 2003/0004689 to Gupta (Ex. 1006, “Gupta)” was filed June 13, 2002,
`
`and published January 2, 2003, making Gupta prior art under 35 U.S.C. §§ 102(a)
`
`and (e) (pre-AIA) and under 35 U.S.C. § 102(a) (post-AIA).
`
`U.S. 7,237,264 to Graham (Ex. 1007, “Graham”) was filed on June 4, 2001,
`
`making Graham prior art under 35 U.S.C. § 102(e) (pre-AIA) and under 35 U.S.C.
`
`§ 102(a) (post-AIA).
`
`
`
`12
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`Petitioner’s obviousness grounds rely on the combined teachings of the
`
`
`
`references and not on a physical incorporation of elements. See In re Mouttet, 686
`
`F.3d 1322, 1332 (Fed. Cir. 2012); Ex.1003, ¶154.
`
`Petitioner and Dr. Reddy cite to additional prior art as evidence of the
`
`background knowledge of a POSITA and to provide contemporaneous context to
`
`support assertions regarding what a POSITA would have understood from the prior
`
`art in the grounds. See Yeda Research v. Mylan Pharm. Inc., 906 F.3d 1031, 1041-
`
`1042 (Fed. Cir. 2018) (affirming the use of “supporting evidence relied upon to
`
`support the challenge”); 37 C.F.R. § 42.104(b); see also K/S HIMPP v. Hear-Wear
`
`Techs., LLC, 751 F.3d 1362, 1365-66 (Fed. Cir. 2014); Arendi S.A.R.L. v. Apple
`
`Inc., 832 F.3d 1355, 1363 (Fed. Cir. 2016).
`
`C. Ground 1
`Summary of W-L
`1.
`
`Like the ’063 patent, W-L “relates to network security.” Ex.1005, 1:7-10.
`
`W-L describes integrating “the functionalities performed by a firewall, IDS
`
`[intrusion detection system] and VAS [vulnerability assessment scanner] for
`
`network security into one system.” Ex.1005, 3:14-18. W-L’s unified system 10 is
`
`illustrated in Figure 1, and an “exemplary integrated architecture” of W-L’s unified
`
`system 10 is illustrated in Figure 2, Ex. 1005, 4:37-39. W-L’s unified system 10
`
`includes “an enterprise resource database” with data identifying potential
`
`
`
`13
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`“vulnerabilities associated with” hosts in the network. Ex.1005, 5:9-15. A
`
`“signature database” stores “detection signatures,” which include “security rules,
`
`policies and algorithms” to “mitigate or avert network damage from detected
`
`vulnerabilities.” Ex.1005, 5:20-24; Ex.1003, ¶¶32-35; see also Figure 1:
`
`Ex.1005, FIG. 1.
`
`
`As shown in Figure 2, reproduced below, the system 10 includes an “agent
`
`
`
`126 that functions to configure, tune and monitor the operation of the intrusion
`
`detector functionality 116 and the firewalling functionality 118.” Ex.1005, 9:36-41.
`
`
`
`14
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`
`Ex.1005, FIG. 2.
`
`
`
`
`Claim 10
`
`2.
`[10.0] A non-transitory computer-readable media storing instructions that, when
`executed by one or more processors, cause the one or more processors to:
`
`W-L teaches using an appliance with “underlying hardware, operating
`
`system [software],” and other facilities to execute a security application. Ex.1005,
`
`16:1-5; Ex.1003, ¶41. The appliance includes “a security application functionality
`
`512 that… is implemented as the unified network defense system 10 shown in
`
`FIGS. 1 and 2.” Ex.1005, 16:11-15; Fig.6. W-L’s “security application
`
`functionality 512” includes “the processes and functions necessary to have the
`
`
`
`15
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`platform 510 function as a network security appliance 500.”2 Ex.1005, 16:15-19;
`
`Ex. 1003, ¶42.
`
`non-transitory
`computer
`readable media
`storing
`instructions
`executed by
`one or more
`processors
`
`Ex.1005, FIG. 6 (annotated); Ex.1003, ¶42.
`
`
`
`
`
`
`2 This petition’s analysis of network defense system 10 applies to security
`
`application functionality 512. W-L explains that “security application
`
`functionality 512 [of Figure 6] … is implemented as the unified network defense
`
`system 10 shown in FIGS. 1 and 2.” Ex.1005, 16:11-15.
`
`
`
`16
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`It would have been obvious to a POSITA that W-L’s platform 510, which
`
`
`
`includes the necessary operating system and underlying hardware, would include
`
`one or more processors to execute the security application functionality 512. See
`
`Ex.1005, 16:2-5; Ex.1018, 4:20-43 (multiprocessor systems and processing units
`
`were known); Ex.1003, ¶43. Further, it would have been obvious that the security
`
`application functionality 512, embodied and executed on the platform 510, would
`
`have been in a non-transitory computer readable medium of the platform 510, since
`
`it was well-known to store executable applications in that way. See Ex.1018,
`
`Abstract; Ex.1003, ¶¶44-45.
`
`[10.1] receive first vulnerability information from at least one first data storage
`that is generated utilizing second vulnerability information from at least one
`second data storage that is used to identify a plurality of potential vulnerabilities;
`
`Claim element [10.1] is rendered obvious in two different ways: (1) by the
`
`embodiment illustrated in Figure 2 of W-L along with the associated description;
`
`and (2) by the embodiment illustrated in Figure 1 of W-L along with the associated
`
`description. Figure 2 of W-L is addressed first, followed by Figure 1. Ex.1003,
`
`¶46.
`
`W-L’s Figure 2 and associated discussion renders obvious [10.1]
`
`First, W-L’s threat aggregation functionality 128 and the information it
`
`stores is an example of “at least one second data storage that is used to identify a
`
`plurality of potential vulnerabilities.” Ex.1003, ¶47.
`
`
`
`17
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`The “threat aggregation functionality 128 stores threat information 130
`
`
`
`(for example worm, virus, trojan, DoS, Access, Failure, Reconnaissance, other
`
`suspicious traffic, and the like) collected from around the world.” Ex.1005, 10:36-
`
`40. This “threat information” is “analyzed and utilized by the network
`
`administrator 142 to design the detection signatures 132,” (see Ex.1005, 10:40-42),
`
`and therefore is an example of “second vulnerability information” stored by “threat
`
`aggregation functionality 128” (“at least one second data storage”). Ex.1003, ¶48.
`
`The “detection signatures 132,” also stored by the threat aggregation
`
`functionality 128, include “security rules, policies and algorithms… that can be
`
`used by the system 10 to mitigate or avert network damage from the collected
`
`threats (see, also, signatures 22 and database 20 of FIG. 1)” and are another
`
`example of “second vulnerability information.” Ex.1005, 10:42-46; Ex.1003, ¶¶49-
`
`51.
`
`
`
`18
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`
`Second
`data
`storage
`
`Ex.1005, FIG. 2 (annotated); Ex.1003, ¶49.
`
`
`
`The threat information 130 and detection signatures 132 are stored in the
`
`threat aggregation functionality 128, and each is “used to identify a plurality of
`
`potential vulnerabilities.” “Before the detection signature 132… is installed in the
`
`intrusion detector functionality 116 and/or firewalling functionality 118, the agent
`
`126 may first query 134 the network discovery functionality 112” and evaluate
`
`“for the purpose of determining whether the detection signature 132 is relevant to
`
`the particular network 14 being protected.” Ex.1005, 11:11-29. It would have been
`
`obvious to a POSITA that the information stored in the threat aggregation
`
`functionality 128 identifies potential vulnerabilities, since it is unknown whether
`
`
`
`19
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`the detection signature 132 (by extension also the threat information 130) pertains
`
`to a vulnerability that is present in the network before evaluation. Ex.1003, ¶50.
`
`Second, W-L teaches security management agent 126 generating first
`
`vulnerability information by utilizing the second vulnerability information from the
`
`threat aggregation functionality 128 (“second data storage”). Ex.1003, ¶53.
`
`The security management agent 126 generates tailored detection signatures
`
`to particular threats in the network based on information received from the threat
`
`aggregation functionality. Ex.1005, 9:37-48. The “agent 126 confers with the
`
`network discovery functionality 112 to ensure that the detection signatures… are
`
`tailored to the collected enterprise (i.e., network 14) specific data.” Ex.1005,
`
`10:5-9. The agent considers “the enterprise specific data… so that the signature…
`
`is designed in a way that minimizes the likelihood that false positive alarms
`
`will be generated.” Ex.1005, 10:9-14; Ex.1003, ¶54.
`
`These tailored signatures render obvious “first vulnerability information.”
`
`The tailored signatures are “generated utilizing second vulnerability information”
`
`because they are tailored to the enterprise specific data. It would have further been
`
`obvious that the tailored signatures would have been stored by the agent 126 at
`
`least temporarily (a “first data storage”). Ex.1003, ¶55. For example, W-L’s agent
`
`126 evaluates enterprise specific data “for the purpose of determining whether the
`
`detection signature 132 is relevant.” Ex.1005, 11:11-29. It would have been
`
`
`
`20
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`obvious for agent 126 to retain (and thus store) detection signatures that are
`
`determined relevant. Ex.1003, ¶55; see also Ex.1005, 13:8-11, 13:27-35 (agent 126
`
`tailoring a signature database 132).
`
`Further, W-L’s platform 510 includes the “underlying hardware” necessary
`
`to perform its operations in support of the “security application functionality 512,”
`
`including the agent 126. Ex.1005, 16:2-5, 16:11-14. It would have therefore been
`
`obvious that the platform 510’s “underlying hardware” would include a data
`
`storage to store the detection signatures while and after evaluating their relevance
`
`and tailoring them to enterprise specific data. Ex.1003, ¶56. Thus, W-L teaches a
`
`“first data storage” for the “first vulnerability information” that is “generated
`
`utilizing second vulnerability information.” See Ex.1005, FIGs. 2, 6:
`
`
`
`21
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`First data
`storage
`
`Ex.1005, FIGs. 2 and 6 (annotated); Ex.1003, ¶56.
`
`
`
`
`
`
`
`22
`
`
`
`
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`Third, W-L teaches receiving detection signatures (“receiving first
`
`
`
`vulnerability information”) from the storage of platform 510 supporting agent 126
`
`(“first data storage”). Ex.1003, ¶59.
`
`The intrusion detector functionality, alone or together with firewalling
`
`functionality, receives the tailored signatures from the agent 126. After tailoring
`
`the detection signatures at agent 126 (based on enterprise data), the tailored
`
`detection signatures are “supplied to the intrusion detector functionality 116 and/or
`
`firewalling functionality 118 to effectuate the tuning of the system 10 against a
`
`certain perceived threat by filtering of the packets (traffic).” Ex.1005, 11:1-10; see
`
`also 11:11-29. The receipt of the tailored signature at either the intrusion detector
`
`functionality 116 or the firewalling functionality 118 renders obvious receiving
`
`“first vulnerability information” (tailored signatures) from a “first data storage”
`
`(storage of platform 510 executing the agent 126).
`
`
`
`23
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`First data
`storage
`
`Second
`data
`storage
`
`Receiving first
`vulnerability
`information from
`first data storage
`
`Ex.1005, FIGs. 2 and 6 (annotated); Ex.1003, ¶61.
`
`
`
`
`
`24
`
`
`
`
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`Therefore, W-L’s system 10 of Figure 2 (together with associated Figure 6)
`
`
`
`and associated discussion renders obvious [10.1]. Ex.1003, ¶46.
`
`W-L’s system 10 of Figure 1 and associated discussion renders obvious [10.1].
`
`
`
`First, W-L’s entity 26 and the information it stores is an example of “at
`
`least one second data storage that is used to identify a plurality of potential
`
`vulnerabilities.” Ex.1003, ¶¶51-52.
`
`W-L teaches that the entity 26 can be an entity “in the business of signature
`
`creation,” operating “to collect threat information (for example, worm, virus,
`
`trojan, DoS, Access, Failure, Reconnaissance, other suspicious traffic, and the like)
`
`from around the world.” Ex.1005, 5:29-33. The entity 26 analyzes the information
`
`and designs detection signatures 22 that can be supplied to database 20. Ex.1005,
`
`5:24-36 (signatures obtained from multiple possible external sources). These
`
`signatures 22 from entity 26 have been created with respect to “potential
`
`vulnerabilities” (before being stored in database 20) because they have not yet
`
`taken into account the “detected vulnerabilities” of the network 14. Therefore, it
`
`was obvious to a POSITA that the system 10 would obtain those signatures from a
`
`data storage (at entity 26) storing “a plurality of potential vulnerabilities”:
`
`
`
`25
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`
`Second
`data
`storage
`
`Ex.1005, FIG. 1 (annotated); Ex.1003, ¶¶51-52.
`
`
`
`Second, W-L teaches generating first vulnerability information by utilizing
`
`the second vulnerability information from the second data storage, with respect to
`
`database 20. Ex.1003, ¶57.
`
`W-L further teaches generating the first vulnerability information with the
`
`database 20. The signature database 20 “stores detection signatures 22… that are
`
`designed to mitigate or avert network damage from detected vulnerabilities.”
`
`Ex.1005, 5:20-24. The signatures 22 thus stored in the database 20 “may be
`
`obtained from any one of a number of well-known sources, including… a[n] entity
`
`26.” Ex.1005, 5:24-36; Ex.1003, ¶57.
`
`
`
`26
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`It would have been obvious that a detection signature 22 in database 20,
`
`
`
`designed to mitigate damage from “detected vulnerabilities” from signatures
`
`obtained from entity 26, is an example of “first vulnerability information… that is
`
`generated utilizing second vulnerability information.” The signatures 22 in
`
`database 20 are limited to those for “detected vulnerabilities,” not just any “threat
`
`information… from around the world.” Ex.1005, 5:20-36. Thus, W-L teaches a
`
`“first data storage” for the “first vulnerability information” that is “generated
`
`utilizing second vulnerability information.”
`
`First data
`storage
`
`Ex.1005, FIG. 1 (annotated); Ex.1003, ¶58.
`
`
`
`Third, W-L teaches receiving detection signatures (“first vulnerability
`
`
`
`27
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`information”) from the database 20 (“first data storage”). Ex.1003, ¶59.
`
`The agent 28 of FIG. 1 receives detection signatures 22 from database 20.
`
`“The inspection operation performed by the inspection agent 28 next involves
`
`comparing 40 the extracted packet features against the detection signatures 22
`
`obtained from the signature database 20.” Ex.1005, 5:50-53; 6:5-7 (apply
`
`signatures as they are obtained); Ex.1003, ¶62. As another example, the agent 28
`
`instantiates detection signatures 22 at the “comparison functionality 40 and/or the
`
`sentry’s comparison functionality 44.” Ex.1005, 8:7-11. The signatures are
`
`downloaded to one or both of the agent 28 and “entrance sentry 42” to compare
`
`against traffic. Ex.1005, 6:50-53 (signatures obtained from database), 6:54-58
`
`(signatures downloaded to entrance sentry 42 via agent 28 or from database 20).
`
`Receipt of the signatures at either the agent 28 or the entrance sentry 42 from the
`
`database 20 (either directly or indirectly), renders obvious receiving “first
`
`vulnerability information” (signatures 22) from a “first data storage” (database
`
`20).
`
`
`
`28
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`
`First data
`storage
`
`Receiving
`first
`vulnerability
`information
`from first
`data storage
`
`Second
`data
`storage
`
`Ex.1005, FIG. 1 (annotated); Ex.1003, ¶¶63-64.
`
`
`
`Therefore, W-L’s system 10 of Figure 1 and associated discussion renders
`
`obvious [10.1]. Ex.1003, ¶¶46, 65.
`
`[10.2] said first vulnerability information generated utilizing the second
`vulnerability information, by:
`
`As already explained at [10.1], W-L renders obvious “first vulnerability
`
`information… that is generated utilizing second vulnerability information.”
`
`Ex.1003, ¶66.
`
`[10.3] identifying at least one configuration associated with a plurality of devices
`including a first device, a second device, and a third device, and
`
`
`
`29
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`First, W-L teaches checking the conditions of the network (obtained from
`
`
`
`the enterprise specific data). See [10.1] above. Referring to FIG. 2, when tuning a
`
`signature, “the detection signatures… are tailored to the collected enterprise (i.e.,
`
`network 14) specific data.” Ex.1005, 10:3-9. The agent 126 considers “the
`
`enterprise specific data… when issuing a detection signature so that the
`
`signature… is designed in a way that minimizes the likelihood that false positive
`
`alarms will be generated.” Ex.1005, 10:9-19; Ex.1003, ¶68. A POSITA would
`
`have recognized that an obvious example of a false positive alarm would be an
`
`alarm based on a signature that corresponds to a vulnerability that does not apply
`
`to any machine in the network. Ex.1003, ¶68.
`
`W-L further discloses checking the conditions of the network includes
`
`determining an operating system configuration of machines in the network. See
`
`Ex.1005, 12:44-61 (“identifying the machines of the network using Microsoft IIS
`
`web servers and/or Microsoft operating systems”); Ex.1003, ¶69.
`
`The embodiments of FIG. 1 also check a configuration of the network. The
`
`system 10 obtains specifically those signatures “that are designed to mitigate or
`
`avert network damage from detected vulnerabilities.” Ex.1005, 5:20-24. Such
`
`“detected vulnerabilities” include the enterprise specific data. See, e.g., Ex.1005,
`
`5:9-15 (enterprise specific data), 5:15-19 (vulnerability assessments to obtain
`
`enterprise specific data). And it would have been obvious for the enterprise
`
`
`
`30
`
`

`

`IPR2022-00259 Petition
`Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)
`
`
`specific data to include operating system configuration information since it is a
`
`well-known type of information about the enterprise and, as noted above, is
`
`relevant to tailoring detection signatures to a particular enterprise’s network.
`
`Ex.1003, ¶70.
`
`Second, W-L teaches identifying the configuration as associated with a
`
`plurality of devices. The agent 126 identifies whether the operating sys