UNITED STATES PATENT AND TRADEMARK OFFICE

———————

BEFORE THE PATENT TRIAL AND APPEAL BOARD

———————

FORCEPOINT LLC,
Petitioner

v.

SECURITY PROFILING, LLC,
Patent Owner

———————

IPR2023-00989
U.S. Patent No. 10,609,063

PETITION FOR INTER PARTES REVIEW
UNDER 35 U.S.C. § 312 AND 37 C.F.R. § 42.104

DM2\17991706.1

TABLE OF CONTENTS

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD
PETITIONER’S EXHIBIT LIST
I. INTRODUCTION
II. GROUNDS FOR STANDING
III. NOTE
IV. SUMMARY OF THE ’063 PATENT
V. PROSECUTION HISTORY
VI. EFFECTIVE PRIORITY DATE OF THE ’063 PATENT
VII. LEVEL OF ORDINARY SKILL IN THE ART
VIII. CLAIM CONSTRUCTION
IX. RELIEF REQUESTED AND REASONS THEREFORE
X. IDENTIFICATION OF HOW THE CLAIMS ARE UNPATENTABLE
    A. Statutory grounds for challenges
    B. Ground 1
        1. Summary of W-L
        2. Claim 10
        3. Claim 11
        4. Claim 39
        5. Claim 58
    D. Ground 2
        1. Summary of Gupta
        2. Summary of Graham
        3. Reasons to Modify the Teaching of Gupta with the Teachings of Graham
        4. Similarity to IPR2017-02192 (US 8,984,644)
        5. Claim 10
        6. Claim 11
        7. Claim 39
        8. Claim 58
XI. DISCRETIONARY DENIAL IS INAPPROPRIATE
    A. Discretionary denial under 35 U.S.C. § 325(d) is not appropriate
    B. Discretionary denial under the Fintiv factors is not appropriate
XII. MANDATORY NOTICES
    A. Real party-in-interest
    B. Related matters
    C. Lead and back-up counsel and service information
XIII. CONCLUSION
CERTIFICATE OF WORD COUNT
CERTIFICATE OF SERVICE

Inter Partes Review of 10,609,063 (Claims 10, 11, 39, 58)

PETITIONER’S EXHIBIT LIST

EX-1001    U.S. 10,609,063
EX-1002    Prosecution History of U.S. 10,609,063
EX-1003    Declaration of A.L. Narasimha Reddy, Ph.D. under 37 C.F.R. § 1.68
EX-1004    Curriculum Vitae of A.L. Narasimha Reddy, Ph.D.
EX-1005    U.S. 7,359,962 to Willebeek-LeMair et al.
EX-1006    U.S. Pub. 2003/0004689 to Gupta et al.
EX-1007    U.S. 7,237,264 to Graham et al.
EX-1008    Prosecution History of U.S. 9,117,069 (selected pages)
EX-1009    Prosecution History of U.S. 9,100,431 (selected pages)
EX-1010    Prosecution History of U.S. 10,050,988 (selected pages)
EX-1011    IPR2017-02191, Granting Request for Adverse Judgment, Paper 18 (September 26, 2018)
EX-1012    IPR2017-02192, Final Written Decision, Paper 31 (April 8, 2019)
EX-1013    Intentionally Left Blank
EX-1014    U.S. 6,493,871 to McGuire et al.
EX-1015    Intentionally Left Blank
EX-1016    U.S. Pub. 2003/0084340 to Schertz et al.
EX-1017    Intentionally Left Blank
EX-1018    U.S. 6,735,766 to Chamberlain et al.
EX-1019    IPR2022-00259 Paper 7 (June 14, 2022)
EX-1020    U.S. 8,205,161 to King et al.

I. INTRODUCTION

Forcepoint LLC (“Petitioner”) respectfully requests that the Board review and cancel as unpatentable claims 10, 11, 39 and 58 (hereinafter, the “Challenged Claims”) of U.S. 10,609,063 (the “’063 Patent,” EX-1001).

This Petition is substantially identical to the Petition filed in IPR2022-00259 (“259 IPR”) by a different petitioner challenging claims 10, 11, 39 and 58 of the ’063 Patent based on the same grounds. The Board instituted the review of the ’063 Patent, and the 259 IPR was subsequently terminated by the joint request of the parties upon settlement, and before the Board issued a final written decision.

Petitioner respectfully submits that the Challenged Claims of the ’063 Patent are unpatentable under 35 U.S.C. § 103 in view of the prior art references discussed herein, for the same reason as in the 259 IPR. This Petition demonstrates by a preponderance of the evidence that there is a reasonable likelihood that Petitioner will prevail with respect to at least one of these claims.

II. GROUNDS FOR STANDING

Petitioner certifies the ’063 Patent is IPR-eligible, and Petitioner is not barred or estopped from requesting IPR challenging the patent claims. 37 C.F.R. § 42.104(a).

III. NOTE

Petitioner cites to exhibits’ original page numbers. Emphasis in quoted material has been added. Claim terms are italicized.

IV. SUMMARY OF THE ’063 PATENT

The ’063 Patent “relates to… management of security of computing and network devices.” EX-1001, 1:23-26. The ’063 Patent is part of a family of patents and applications, including two patents that had claims cancelled in previous IPRs. See generally Exs. 1011, 1012.

A “security server 135” collects operating system and other configuration data about devices in the network. EX-1001, 2:30-38, 42-45; see also Fig. 1 below; EX-1003, ¶¶24-25. The server determines whether network traffic “is attempting to take advantage of a particular known vulnerability.” EX-1001, 4:9-11, 4:21-29. If so, the server “selects one or more remediation techniques” for the particular vulnerability. EX-1001, 4:62-64; EX-1003, ¶¶25-26.

EX-1001, FIG. 1

V. PROSECUTION HISTORY

In response to an Office action, the Applicant amended the independent claims to include recitation of “utilizing one or more network monitors” and “based on a packet analysis,” in order to overcome a rejection under 35 U.S.C. § 101 and argued against a § 103 rejection. EX-1002, 527-83. In the Notice of Allowance, the Examiner explained that the prior art fails to teach “identifying an occurrence, determining that at least one vulnerability is susceptible to being taken advantage by the occurrence and selectively utilizing diverse mitigation actions including a firewall.” EX-1002, 598.

VI. EFFECTIVE PRIORITY DATE OF THE ’063 PATENT

The earliest claimed priority date is July 1, 2003. EX-1001. In prosecution, the Applicant alleged a reduction to practice on September 27, 2002. EX-1002, 289-90. This petition cites prior art predating September 27, 2002, so Petitioner has not undertaken a priority date analysis. Petitioner does not waive any right or opportunity it may have to dispute the priority date of the ’063 Patent in this or another forum where the issue is relevant.

VII. LEVEL OF ORDINARY SKILL IN THE ART

A Person of Ordinary Skill in The Art (“POSITA”) in July 2003 would have had (i) a working knowledge of the network communications art pertinent to the ’063 patent, including network security and (ii) (a) a bachelor’s degree in computer science, computer engineering, or an equivalent and two years of professional experience relating to network communications, (b) a higher relevant level of education (e.g., a Master’s degree) with less professional experience or, (c) more professional experience and less education. This is consistent with the Board’s finding in the 259 IPR. EX-1019 p. 12. EX-1003, ¶¶17-19.

VIII. CLAIM CONSTRUCTION

Petitioner proposes that each claim term in the Challenged Claims be given its plain and ordinary meaning in this proceeding, and that no specific construction of any claim term is required because the prior art relied on in this Petition meets each of the claim terms under any reasonable construction.

IX. RELIEF REQUESTED AND REASONS THEREFORE

Petitioner asks that the Board institute a trial for inter partes review and cancel the Challenged Claims in view of the analysis below.

X. IDENTIFICATION OF HOW THE CLAIMS ARE UNPATENTABLE

A. Statutory grounds for challenges

Grounds    Claims            Basis              Reference
1          10, 11, 39, 58    35 U.S.C. § 103    Willebeek-LeMair (W-L)
2          10, 11, 39, 58    35 U.S.C. § 103    Graham and Gupta

U.S. Pat. No. 7,359,962 titled “Network Security System Integration” issued on April 15, 2008 based on Application No. 10/136,889 filed on April 30, 2002 (“W-L”) (EX-1005). W-L is prior art under 35 U.S.C. § 102(e) (pre-AIA) and was cited by the examiner during prosecution.

U.S. Pat. Publication No. 2003/0004689 titled “Hierarchy-Based Method and Apparatus for Detecting Attacks on a Computer System” published on January 2, 2003 based on Application No. 10/172,764 filed June 13, 2002 (“Gupta”) (EX-1006). Gupta is prior art under 35 U.S.C. §§ 102(a) and (e) (pre-AIA) and was not cited by the examiner during prosecution.

U.S. Pat. No. 7,237,264 titled “System and Method for Preventing Network Misuse” issued on June 26, 2007 based on Application No. 09/874,574 filed June 4, 2001 (“Graham”) (EX-1007). Graham is prior art under 35 U.S.C. § 102(e) (pre-AIA) and was not cited by the examiner during prosecution.

Petitioner’s obviousness grounds rely on the combined teachings of the references and not on a physical incorporation of elements. See In re Mouttet, 686 F.3d 1322, 1332 (Fed. Cir. 2012); EX-1003, ¶153.

Petitioner and Dr. Reddy cite to additional prior art as evidence of the background knowledge of a POSITA and to provide contemporaneous context to support assertions regarding what a POSITA would have understood from the prior art in the grounds. See Yeda Research v. Mylan Pharm. Inc., 906 F.3d 1031, 1041-1042 (Fed. Cir. 2018) (affirming the use of “supporting evidence relied upon to support the challenge”); 37 C.F.R. § 42.104(b); see also K/S HIMPP v. Hear-Wear Techs., LLC, 751 F.3d 1362, 1365-66 (Fed. Cir. 2014); Arendi S.A.R.L. v. Apple Inc., 832 F.3d 1355, 1363 (Fed. Cir. 2016).

B. Ground 1

1. Summary of W-L

Like the ’063 Patent, W-L “relates to network security.” EX-1005, 1:7-10. W-L describes integrating “the functionalities performed by a firewall, IDS [intrusion detection system] and VAS [vulnerability assessment scanner] for network security into one system.” EX-1005, 3:14-18. W-L’s unified system 10 is illustrated in Figure 1, and an “exemplary integrated architecture” of W-L’s unified system 10 is illustrated in Figure 2. EX-1005, 4:37-39. W-L’s unified system 10 includes “an enterprise resource database” with data identifying potential “vulnerabilities associated with” hosts in the network. EX-1005, 5:9-15. A “signature database” stores “detection signatures,” which include “security rules, policies and algorithms” to “mitigate or avert network damage from detected vulnerabilities.” EX-1005, 5:20-24; EX-1003, ¶¶32-35; see also Figure 1:

EX-1005, FIG. 1.

As shown in Figure 2, reproduced below, the system 10 includes an “agent 126 that functions to configure, tune and monitor the operation of the intrusion detector functionality 116 and the firewalling functionality 118.” EX-1005, 9:36-41; EX-1003, ¶¶36-38.

EX-1005, FIG. 2.

2. Claim 10

[10.0] A non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause the one or more processors to:

W-L teaches using an appliance with “underlying hardware, operating system [software],” and other facilities to execute a security application. EX-1005, 16:1-5; EX-1003, ¶41. The appliance includes “a security application functionality 512 that is implemented as the unified network defense system 10 shown in FIGS. 1 and 2.” EX-1005, 16:11-15; Fig. 6. W-L’s “security application functionality 512” includes “the processes and functions necessary to have the platform 510 function as a network security appliance 500.”¹ EX-1005, 16:15-19; EX-1003, ¶¶39-42.

[Annotated figure; callout: “non-transitory computer readable media storing instructions executed by one or more processors”]
EX-1005, FIG. 6 (annotated); EX-1003, ¶42.

¹ This petition’s analysis of network defense system 10 applies to security application functionality 512. W-L explains that “security application functionality 512 [of Figure 6] … is implemented as the unified network defense system 10 shown in FIGS. 1 and 2.” EX-1005, 16:11-15.

A POSITA understood that W-L’s platform 510, which includes the necessary operating system and underlying hardware, would include one or more processors to execute the security application functionality 512. See EX-1005, 16:2-5; EX-1018, 4:20-43 (multiprocessor systems and processing units were known); EX-1003, ¶43. Further, a POSITA understood that the security application functionality 512, embodied and executed on the platform 510, would have been in a non-transitory computer readable medium of the platform 510, since it was well-known to store executable applications in that way. See EX-1018, Abstract; EX-1003, ¶¶44-45.

[10.1] receive first vulnerability information from at least one first data storage that is generated utilizing second vulnerability information from at least one second data storage that is used to identify a plurality of potential vulnerabilities;

Claim element [10.1] is rendered obvious in two different ways: (1) by the embodiment illustrated in Figure 2 of W-L along with the associated description; and (2) by the embodiment illustrated in Figure 1 of W-L along with the associated description. Figure 2 of W-L is addressed first, followed by Figure 1. EX-1003, ¶46.

W-L’s Figure 2 and associated discussion renders obvious [10.1]

First, W-L’s threat aggregation functionality 128 and the information it stores is an example of “at least one second data storage that is used to identify a plurality of potential vulnerabilities.” EX-1003, ¶47.

The “threat aggregation functionality 128 stores threat information 130 (for example worm, virus, trojan, DoS, Access, Failure, Reconnaissance, other suspicious traffic, and the like) collected from around the world.” EX-1005, 10:36-40. This “threat information” is “analyzed and utilized by the network administrator 142 to design the detection signatures 132,” (see EX-1005, 10:40-42), and therefore is an example of “second vulnerability information” stored by “threat aggregation functionality 128” (“at least one second data storage”). EX-1003, ¶48.

The “detection signatures 132,” also stored by the threat aggregation functionality 128, include “security rules, policies and algorithms… that can be used by the system 10 to mitigate or avert network damage from the collected threats (see, also, signatures 22 and database 20 of FIG. 1)” and are another example of “second vulnerability information.” EX-1005, 10:42-46; EX-1003, ¶¶49-51.

[Annotated figure; callout: “Second data storage”]
EX-1005, FIG. 2 (annotated); EX-1003, ¶49.

The threat information 130 and detection signatures 132 are stored in the threat aggregation functionality 128, and each is “used to identify a plurality of potential vulnerabilities.” “Before the detection signature 132… is installed in the intrusion detector functionality 116 and/or firewalling functionality 118, the agent 126 may first query 134 the network discovery functionality 112” and evaluate “for the purpose of determining whether the detection signature 132 is relevant to the particular network 14 being protected.” EX-1005, 11:11-29. It would have been obvious to a POSITA that the information stored in the threat aggregation functionality 128 identifies potential vulnerabilities, since it is unknown whether the detection signature 132 (by extension also the threat information 130) pertains to a vulnerability that is present in the network before evaluation. EX-1003, ¶50.

Second, W-L teaches security management agent 126 generating first vulnerability information by utilizing the second vulnerability information from the threat aggregation functionality 128 (“second data storage”). EX-1003, ¶53.

The security management agent 126 generates tailored detection signatures to particular threats in the network based on information received from the threat aggregation functionality. EX-1005, 9:37-48. The “agent 126 confers with the network discovery functionality 112 to ensure that the detection signatures… are tailored to the collected enterprise (i.e., network 14) specific data.” EX-1005, 10:5-9. The agent considers “the enterprise specific data… so that the signature… is designed in a way that minimizes the likelihood that false positive alarms will be generated.” EX-1005, 10:9-14; EX-1003, ¶54.

These tailored signatures render obvious “first vulnerability information.” The tailored signatures are “generated utilizing second vulnerability information” because they are tailored to the enterprise specific data. It would have further been obvious that the tailored signatures would have been stored by the agent 126 at least temporarily (a “first data storage”). EX-1003, ¶55. For example, W-L’s agent 126 evaluates enterprise specific data “for the purpose of determining whether the detection signature 132 is relevant.” EX-1005, 11:11-29. It would have been obvious for agent 126 to retain (and thus store) detection signatures that are determined relevant. EX-1003, ¶55; see also EX-1005, 13:8-11, 13:27-35 (agent 126 tailoring a signature database 132).

Further, W-L’s platform 510 includes the “underlying hardware” necessary to perform its operations in support of the “security application functionality 512,” including the agent 126. EX-1005, 16:2-5, 16:11-14. It would have therefore been obvious that the platform 510’s “underlying hardware” would include a data storage to store the detection signatures while and after evaluating their relevance and tailoring them to enterprise specific data. EX-1003, ¶56. Thus, W-L teaches a “first data storage” for the “first vulnerability information” that is “generated utilizing second vulnerability information.” See EX-1005, FIGs. 2, 6:

[Annotated figure; callout: “First data storage”]
EX-1005, FIGs. 2 and 6 (annotated); EX-1003, ¶56.

Third, W-L teaches receiving detection signatures (“receiving first vulnerability information”) from the storage of platform 510 supporting agent 126 (“first data storage”). EX-1003, ¶59.

The intrusion detector functionality, alone or together with firewalling functionality, receives the tailored signatures from the agent 126. After tailoring the detection signatures at agent 126 (based on enterprise data), the tailored detection signatures are “supplied to the intrusion detector functionality 116 and/or firewalling functionality 118 to effectuate the tuning of the system 10 against a certain perceived threat by filtering of the packets (traffic).” EX-1005, 11:1-10; see also 11:11-29. The receipt of the tailored signature at either the intrusion detector functionality 116 or the firewalling functionality 118 renders obvious receiving “first vulnerability information” (tailored signatures) from a “first data storage” (storage of platform 510 executing the agent 126). EX-1003, ¶60.

[Annotated figure; callouts: “First data storage”; “Second data storage”; “Receiving first vulnerability information from first data storage”]
EX-1005, FIGs. 2 and 6 (annotated); EX-1003, ¶61.

Therefore, W-L’s system 10 of Figure 2 (together with associated Figure 6) and associated discussion renders obvious [10.1]. EX-1003, ¶46.

W-L’s system 10 of Figure 1 and associated discussion renders obvious [10.1].

First, W-L’s entity 26 and the information it stores is an example of “at least one second data storage that is used to identify a plurality of potential vulnerabilities.” EX-1003, ¶¶51-52.

W-L teaches that the entity 26 can be an entity “in the business of signature creation,” operating “to collect threat information (for example, worm, virus, trojan, DoS, Access, Failure, Reconnaissance, other suspicious traffic, and the like) from around the world.” EX-1005, 5:29-33. The entity 26 analyzes the information and designs detection signatures 22 that can be supplied to database 20. EX-1005, 5:24-36 (signatures obtained from multiple possible external sources). These signatures 22 from entity 26 have been created with respect to “potential vulnerabilities” (before being stored in database 20) because they have not yet taken into account the “detected vulnerabilities” of the network 14. Therefore, it was obvious to a POSITA that the system 10 would obtain those signatures from a data storage (at entity 26) storing “a plurality of potential vulnerabilities”:

[Annotated figure; callout: “Second data storage”]
EX-1005, FIG. 1 (annotated); EX-1003, ¶¶51-52.

Second, W-L teaches generating first vulnerability information by utilizing the second vulnerability information from the second data storage, with respect to database 20. EX-1003, ¶57.

W-L further teaches generating the first vulnerability information with the database 20. The signature database 20 “stores detection signatures 22… that are designed to mitigate or avert network damage from detected vulnerabilities.” EX-1005, 5:20-24. The signatures 22 thus stored in the database 20 “may be obtained from any one of a number of well-known sources, including… a[n] entity 26.” EX-1005, 5:24-36; EX-1003, ¶57.

It would have been obvious that a detection signature 22 in database 20, designed to mitigate damage from “detected vulnerabilities” from signatures obtained from entity 26, is an example of “first vulnerability information… that is generated utilizing second vulnerability information.” The signatures 22 in database 20 are limited to those for “detected vulnerabilities,” not just any “threat information… from around the world.” EX-1005, 5:20-36. Thus, W-L teaches a “first data storage” for the “first vulnerability information” that is “generated utilizing second vulnerability information.”

[Annotated figure; callout: “First data storage”]
EX-1005, FIG. 1 (annotated); EX-1003, ¶58.

Third, W-L teaches receiving detection signatures (“first vulnerability information”) from the database 20 (“first data storage”). EX-1003, ¶59.

The agent 28 of FIG. 1 receives detection signatures 22 from database 20. “The inspection operation performed by the inspection agent 28 next involves comparing 40 the extracted packet features against the detection signatures 22 obtained from the signature database 20.” EX-1005, 5:50-53; 6:5-7 (apply signatures as they are obtained); EX-1003, ¶62. As another example, the agent 28 instantiates detection signatures 22 at the “comparison functionality 40 and/or the sentry’s comparison functionality 44.” EX-1005, 8:7-11. The signatures are downloaded to one or both of the agent 28 and “entrance sentry 42” to compare against traffic. EX-1005, 6:50-53 (signatures obtained from database), 6:54-58 (signatures downloaded to entrance sentry 42 via agent 28 or from database 20). Receipt of the signatures at either the agent 28 or the entrance sentry 42 from the database 20 (either directly or indirectly), renders obvious receiving “first vulnerability information” (signatures 22) from a “first data storage” (database 20).

[Annotated figure; callouts: “First data storage”; “Receiving first vulnerability information from first data storage”; “Second data storage”]
EX-1005, FIG. 1 (annotated); EX-1003, ¶¶63-64.

Therefore, W-L’s system 10 of Figure 1 and associated discussion renders obvious [10.1]. EX-1003, ¶¶46, 65.

[10.2] said first vulnerability information generated utilizing the second vulnerability information, by:

As already explained at [10.1], W-L renders obvious “first vulnerability information… that is generated utilizing second vulnerability information.” EX-1003, ¶66.

[10.3] identifying at least one configuration associated with a plurality of devices including a first device, a second device, and a third device, and

First, W-L teaches checking the conditions of the network (obtained from the enterprise specific data). See [10.1] above.

Referring to the embodiment of FIG. 2, when tuning a signature, “the detection signatures… are tailored to the collected enterprise (i.e., network 14) specific data.” EX-1005, 10:3-9. The agent 126 considers “the enterprise specific data… when issuing a detection signature so that the signature… is designed in a way that minimizes the likelihood that false positive alarms will be generated.” EX-1005, 10:9-19; EX-1003, ¶68. A POSITA would have recognized that an obvious example of a false positive alarm would be an alarm based on a signature that corresponds to a vulnerability that does not apply to any machine in the network. EX-1003, ¶68.

W-L further discloses that checking the conditions of the network includes determining an operating system configuration of machines in the network. See EX-1005, 12:44-61 (“identifying the machines of the network using Microsoft IIS web servers and/or Microsoft operating systems”); EX-1003, ¶69.

The embodiments of FIG. 1 also check a configuration of the network. The system 10 obtains specifically those signatures “that are designed to mitigate or avert network damage from detected vulnerabilities.” EX-1005, 5:20-24. Such “detected vulnerabilities” include the enterprise specific data. See, e.g., EX-1005, 5:9-15 (enterprise specific data), 5:15-19 (vulnerability assessments to obtain enterprise specific data). And it would have been obvious for the enterprise specific data to include operating system configuration information since it is a well-known type of information about the enterprise and, as noted above, is relevant to tailoring detection signatures to a particular enterprise’s network. EX-1003, ¶70.

Second, W-L teaches identifying the configuration as associated with a plurality of devices. With respect to the embodiment of Figure 2, the agent 126 identifies whether the operating system configuration relevant to a detection signature is associated with any machines (“devices”). See EX-1005, 12:61-13:17 (“If the data 136 indicates that there are no machines in the network 14 that are susceptible to the threat (for example, there are no machines with using Microsoft IIS web servers and/or Microsoft operating systems)…”); see also 8:54-58 (applicable to FIG. 1’s embodiment as well); EX-1003, ¶¶71-72. A POSITA would have recognized W-L’s disclosure of identifying whether a configuration is associated with machines in a network as teaching at least a “first device, a second device, and a third device.” It was well-known that enterprise networks, such as W-L’s network, commonly included hundreds or thousands of computers, and that Microsoft operating systems were one of the most commonly used operating systems for computers in enterprise networks. EX-1003, ¶73. Thus, W-L teaches identifying “at least one configuration” (the operating system configuration) associated with a “first device, a second device, and a third device.” Other enterprise specific data examples of “at least one configuration” include IP ports, hosts, and related machine data. EX-1005, 12:9-15; EX-1003, ¶74.

W-L further teaches that the agent 126 decides whether to instantiate a signature based on the supplied enterprise specific data and whether there is a risk from an attack. E