———————

BEFORE THE PATENT TRIAL AND APPEAL BOARD

———————

FORCEPOINT LLC,
Petitioner

v.

SECURITY PROFILING, LLC,
Patent Owner

———————

IPR2023-00990
U.S. Patent No. 10,893,066

PETITION FOR INTER PARTES REVIEW
UNDER 35 U.S.C. § 312 AND 37 C.F.R. § 42.104

DM2\17991333.1

IPR2023-00990 Petition
Inter Partes Review of 10,893,066

TABLE OF CONTENTS

I. INTRODUCTION
II. GROUNDS FOR STANDING
III. NOTE
IV. SUMMARY OF THE ’066 PATENT
V. PROSECUTION HISTORY
VI. EFFECTIVE PRIORITY DATE OF THE ’066 PATENT
VII. LEVEL OF ORDINARY SKILL IN THE ART
VIII. STATE OF THE ART
    A. Network System Security
    B. The Use of Mobile Agents
VIII. CLAIM CONSTRUCTION
IX. RELIEF REQUESTED AND REASONS THEREFORE
X. IDENTIFICATION OF HOW THE CLAIMS ARE UNPATENTABLE
    A. Statutory Grounds for Challenges
    B. Ground 1
        1. Summary of Gupta
        2. Summary of Graham
        3. Motivation to Modify the Teachings of Gupta with the Teachings of Graham
        4. Claim 1
            [1.0] A non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause the one or more processors to:
            EX-1006, FIG. 1 (annotated); EX-1003, ¶61
            [1.1] receive first vulnerability information from at least one first data storage that is generated utilizing second vulnerability information from at least one second data storage that is used to identify a plurality of potential vulnerabilities;
            EX-1006, FIG. 15 (annotated); EX-1003, ¶71.
            [1.2] said first vulnerability information generated utilizing the second vulnerability information, by:
            [1.3] identifying at least one configuration associated with a plurality of devices including a first device, a second device, and a third device, and
            [1.4] determining that the plurality of devices is actually vulnerable to at least one actual vulnerability based on the identified at least one configuration, utilizing the second vulnerability information that is used to identify the plurality of potential vulnerabilities;
            [1.5] identify an occurrence in connection with at least one of the plurality of devices;
            [1.6] determine that the at least one actual vulnerability of the at least one of the plurality of devices is susceptible to being taken advantage of by the occurrence identified in connection with the at least one of the plurality of devices, utilizing the first vulnerability information; and
            [1.7] cause utilization of different occurrence mitigation actions of diverse occurrence mitigation types, including a firewall-based occurrence mitigation type and a other occurrence mitigation type, across the plurality of devices for occurrence mitigation by preventing advantage being taken of actual vulnerabilities utilizing the different occurrence mitigation actions of the diverse occurrence mitigation types across the plurality of devices;
            [1.8] wherein the at least one configuration involves at least one operating system.
    C. Ground 2
        1. Summary Of Hill
        2. Motivation to Modify the Teachings of Gupta with the Teachings of Hill
        3. Claim 2
XI. DISCRETIONARY DENIAL IS INAPPROPRIATE
    A. Discretionary denial under 35 U.S.C. § 325(d) is not appropriate
    B. Discretionary denial under the Fintiv factors is not appropriate
I. MANDATORY NOTICES
    A. Real party-in-interest
    B. Related matters
    C. Lead and back-up counsel and service information
XII. CONCLUSION
CERTIFICATE OF WORD COUNT
CERTIFICATE OF SERVICE

PETITIONER’S EXHIBIT LIST

EX-1001    U.S. 10,893,066
EX-1002    Prosecution History of U.S. 10,893,066
EX-1003    Declaration of A.L. Narasimha Reddy, Ph.D. under 37 C.F.R. § 1.68
EX-1004    Curriculum Vitae of A.L. Narasimha Reddy, Ph.D.
EX-1005    U.S. 7,359,962 to Willebeek-LeMair et al.
EX-1006    U.S. Pub. 2003/0004689 to Gupta et al.
EX-1007    U.S. 7,237,264 to Graham et al.
EX-1008    Intentionally Left Blank
EX-1009    Intentionally Left Blank
EX-1010    Intentionally Left Blank
EX-1011    IPR2017-02191, Granting Request for Adverse Judgment, Paper 18, September 26, 2018
EX-1012    IPR2017-02192, Final Written Decision, Paper 31, April 8, 2019
EX-1013    Intentionally Left Blank
EX-1014    IPR2022-00035, Institution Decision, Paper 7 (April 19, 2022)
EX-1015    Intentionally Left Blank
EX-1016    U.S. Pat. No. 6,088,804 (Hill)
EX-1017    Intentionally Left Blank
EX-1018    Intentionally Left Blank
EX-1019    Intentionally Left Blank
EX-1020    Intentionally Left Blank
EX-1021    Applying Mobile Agents to Intrusions Detection and Response, Jansen, et al, NIST Interim Report (IR) (October 1999) (“Jansen”)

I. INTRODUCTION

Forcepoint LLC (“Petitioner”) respectfully requests that the Board review and cancel as unpatentable Claims 1 and 2 (hereinafter, the “Challenged Claims”) of U.S. 10,893,066 (the “’066 Patent,” EX-1001).

The ’066 Patent “relates to … management of security of computing and network devices” connected in a network. EX-1001, 1:18-20. An examiner allowed the claims because the prior art allegedly failed to teach “identifying an occurrence, determining that at least one vulnerability is susceptible to being taken advantage by the occurrence and selectively utilizing diverse mitigation actions including a firewall.” EX-1002, 564.

However, the Board previously instituted review of Claim 1 of the ’066 Patent in IPR2022-00035 because Gupta in combination with Graham teaches this alleged point of novelty by identifying an occurrence of a packet arriving at a network and determining an associated vulnerability to threats. EX-1014 pp. 37-38 (“Thus, we determine, based on the current record, Gupta teaches ‘a other occurrence mitigation type’ and Graham teaches ‘a firewall-based occurrence mitigation type.’ Moreover, on this record, we determine both Gupta and Graham teach ‘caus[ing] utilization’ of different occurrence mitigation actions receiving packets in traffic and inspecting”).

This Petition also challenges Claim 2, which was not previously challenged in IPR2022-00035. Claim 2 depends from Claim 1 and is directed to identifying occurrences and taking mitigation actions at devices distributed throughout the network. Claim 2 is obvious over the combination of Gupta and Graham in further view of Hill, which discloses the use of security agents distributed throughout the network at computer devices for detecting and mitigating security occurrences.

II. GROUNDS FOR STANDING

Petitioner certifies the ’066 Patent is IPR-eligible, and Petitioner is not barred or estopped from requesting IPR challenging the patent claims. 37 C.F.R. § 42.104(a).

III. NOTE

Petitioner cites to exhibits’ original page numbers. Emphasis in quoted material has been added. Claim terms are italicized. Color annotations are added to the figures.

IV. SUMMARY OF THE ’066 PATENT

The ’066 Patent “relates to…management of security of computing and network devices.” EX-1001, 1:23-25. The ’066 Patent is part of a family of patents and applications, including two patents that had claims cancelled in IPRs. See generally EX-1011, 1012.

A “security server 135” collects operating system and other configuration data about devices in the network. EX-1001, 2:30-38, 43-45; see also Fig. 1 below. The server determines whether network traffic “is attempting to take advantage of a particular known vulnerability.” EX-1001, 4:9-11, 4:21-29. If so, the server “selects one or more remediation techniques” for the particular vulnerability. EX-1001, 4:62-64; EX-1003, ¶¶25-27.

EX-1001, Fig. 1

V. PROSECUTION HISTORY

The Applicant amended the independent claim for clarification, in order to overcome a rejection under 35 U.S.C. § 101. EX-1002, 538-55. The examiner indicated the allowability of Claim 1 (Claim 54 during prosecution), explaining that the prior art fails to teach “identifying an occurrence, determining that at least one vulnerability is susceptible to being taken advantage by the occurrence and selectively utilizing diverse mitigation actions including a firewall.” EX-1002, 564.

The Applicant subsequently filed an RCE with multiple IDS filings and an amendment cancelling all dependent claims and substituting new claims dependent from Claim 1, including Claim 2. The examiner issued a Notice of Allowance identifying the same reason for the allowance of Claim 1 and did not identify any independent reason for the allowance of the newly added dependent claims, stating only that they were “allowed by virtue of their dependency.” EX-1002, 790.

VI. EFFECTIVE PRIORITY DATE OF THE ’066 PATENT

The earliest claimed priority date is July 1, 2003. EX-1001. In prosecution, the Applicant alleged a reduction to practice on October 15, 2002. EX-1002, 281-82. This petition cites prior art predating October 15, 2002. Petitioner does not waive any right or opportunity it may have to dispute the priority date of the ’066 Patent in this or another forum where the issue is relevant.

VII. LEVEL OF ORDINARY SKILL IN THE ART

A Person of Ordinary Skill in The Art (“POSITA”) in July 2003 would have had a working knowledge of the network communications art that is pertinent to the ’066 Patent, including network security. A POSITA would have had a bachelor’s degree in computer science, computer engineering, or an equivalent, and two years of professional experience relating to network communications. Lack of professional experience can be remedied by additional education, and vice versa. EX-1003, ¶¶17-19.

VIII. STATE OF THE ART

The following section describes the state of the art for network security systems as of July 2003. The prior art references, and the discussions of what was known to a POSA, provide the factual support for the general description of the state of the art at the time of the invention, provide contemporaneous context to support assertions regarding what a POSITA would have understood from the prior art in the grounds, and provide the motivation to modify or combine the references. Accordingly, these references should be considered by the Board. See Yeda Research v. Mylan Pharm. Inc., 906 F.3d 1031, 1041-1042 (Fed. Cir. 2018) (affirming the use of “supporting evidence relied upon to support the challenge”); 37 C.F.R. § 42.104(b); see also K/S HIMPP v. Hear-Wear Techs., LLC, 751 F.3d 1362, 1365-66 (Fed. Cir. 2014); Arendi S.A.R.L. v. Apple Inc., 832 F.3d 1355, 1363 (Fed. Cir. 2016).

A. Network System Security

By July 2003 it was known that network security included “the functionalities performed by a firewall, IDS [intrusion detection system] and [vulnerability assessment scanner] for network security into one system.” EX-1005 3:14-18. Such a unified system 10 is illustrated in Figure 1. EX-1005 4:37-39. It includes “an enterprise resource database” with data identifying potential “vulnerabilities associated with” hosts in the network. EX-1005 5:9-15. A “signature database” stores “detection signatures,” which include “security rules, policies and algorithms” to “mitigate or avert network damage from detected vulnerabilities.” EX-1005, 5:20-24; EX-1003, ¶29.

As shown in Figure 2, reproduced below, the system 10 includes an “agent 126 that functions to configure, tune and monitor the operation of the intrusion detector functionality 116 and the firewalling functionality 118.” EX-1005 9:36-41; EX-1003, ¶30.

B. The Use of Mobile Agents

By July 2003, intrusion detection systems had adopted the use of mobile agents. A mobile agent is a software agent that is distributed at each host to provide intrusion detection and automatic response. EX-1021 pp. 2, 7-8. A POSA understood that the use of mobile agents in an architecture for highly distributed intrusion detection systems provided several advantages over centralized intrusion detection systems, including overcoming network latency, reducing network load, executing asynchronously and autonomously, adapting dynamically, operating in heterogeneous environments, and having robust and fault-tolerant behavior. EX-1021 pp. 10-14. In addition, a layered approach, in which a mobile agent backs up each node of a hierarchical IDS and restores any lost functionality, provides redundancy for the security of the network. EX-1021 p. 21; EX-1003 ¶31.

VIII. CLAIM CONSTRUCTION

Petitioner believes that, for purposes of this proceeding and the analysis presented herein, the terms should be given their plain and ordinary meaning. In IPR2022-00035, the Board construed “instructions that…cause the one or more processors to… cause utilization of different occurrence mitigation actions of diverse occurrence mitigation types, including a firewall-based occurrence mitigation type and a other occurrence mitigation type, across the plurality of devices as recited in Claim 1, includes network defense systems which provide firewall functionality. We do not exclude those other mitigation types that may be separate from a vulnerable or attacked device.” EX-1014 p. 20. Petitioner agrees that this construction is within the plain and ordinary meaning of the recited limitation.

IX. RELIEF REQUESTED AND REASONS THEREFORE

Petitioner asks that the Board institute a trial for inter partes review and cancel the Challenged Claims in view of the analysis below.

X. IDENTIFICATION OF HOW THE CLAIMS ARE UNPATENTABLE

A. Statutory Grounds for Challenges

Grounds    Claims    Basis    References
1          1         §103     Gupta in view of Graham
2          2         §103     Gupta in view of Graham in view of Hill

U.S. Pat. Publication No. 2003/0004689 titled “Hierarchy-Based Method and Apparatus for Detecting Attacks on a Computer System” published on January 2, 2003 based on Application No. 10/172,764 filed June 13, 2002 (“Gupta”) (EX-1006). Gupta is prior art under 35 U.S.C. §§ 102(a) and (e) (pre-AIA) and was not cited by the examiner during prosecution.

U.S. Pat. No. 7,237,264 titled “System and Method for Preventing Network Misuse” issued on June 26, 2007 based on Application No. 09/874,574 filed June 4, 2001 (“Graham”) (EX-1007). Graham is prior art under 35 U.S.C. § 102(e) (pre-AIA) and was not cited by the examiner during prosecution.

U.S. Pat. No. 6,088,804 titled “Adaptive System and Method for Responding to Computer Network Security Attacks” issued on July 11, 2000 from Application No. 09/006,056 filed January 12, 1998 (“Hill”) (EX-1016). Hill is prior art under 35 U.S.C. § 102(a) (pre-AIA) and was not cited by the examiner during prosecution.

Petitioner’s obviousness grounds rely on the combined teachings of the references and not on a physical incorporation of elements. See In re Mouttet, 686 F.3d 1322, 1332 (Fed. Cir. 2012); EX-1003, ¶116.

B. Ground 1

1. Summary of Gupta

Gupta discloses a security system that determines actual vulnerabilities, detects occurrences in network traffic that may take advantage of those vulnerabilities, and provides multiple options for mitigation of those occurrences, including dropping TCP connections. EX-1006, [0151], [0154], [0164]-[0165]; EX-1003, ¶¶36-48.

Gupta describes “provisioning a computer against computer attacks” by “constructing a hierarchy characterizing different computer attacks and counter measures, and traversing this hierarchy to identify computer attacks and counter measures relevant to a target platform.” EX-1006 [0008], Abstract; EX-1003, ¶¶36-39. Gupta explains that its system provides “security operations” via network security sensors 22 in a computer network 20 incorporating network security devices and processes associated with the invention. The combination of the sensor 22 (green), redundant sensor 24, and sensor management system 26 (pink) is referred to as a local sensor security module 27. As shown in FIG. 1, local sensor security modules 27 may be distributed throughout a network. In this example, a local sensor (green) in a local sensor security module 27-0 is positioned between the enterprise network 30 (blue) and a protected server 32 (red). EX-1006 [0030], [0032]; EX-1003, ¶39.

EX-1006 Fig. 1

The update server 38 (purple) is used to coordinate the delivery of signature and software updates to the local sensor security modules 27. EX-1006 [0034]. The update server 38 notifies users of new software or network intrusion signature updates and provides them for download to the sensors. The sensor 22 performs signature matching against network traffic and generates responses in case of intrusions. A sensor 22 accepts configuration and control messages and sends intrusion alerts and/or events to the sensor management system 26. EX-1006 [0138]; EX-1003, ¶40.

As shown in FIG. 2, network security sensors include a “memory 50, which includes primary and/or secondary memory” and “memory 50 stores a set of executable programs utilized to implement functions of the invention.” EX-1006 [0036], [0037]; EX-1003, ¶41.

EX-1006 FIG. 2.

Further, “memory 50 also stores a classification and pattern-matching module 68” which “has an associated set of intrusion signatures 70” (EX-1006 [0042]) and those intrusion signatures 70 are stored in an “attack file” which “specifies attacks and counter measures.” EX-1006 [0151]; EX-1003, ¶42.

As illustrated in FIG. 17, the attack file is generated by the hierarchical categorization module in the update server, which initially constructs a hierarchy characterizing different computer attacks and countermeasures (block 160). EX-1003, ¶43.

EX-1006 FIG. 17.

The hierarchy is then traversed to identify computer attacks and countermeasures relevant to the target platform (block 162). Detection and protection measures for the target platform are then collected (block 164). This can result in an attack file 149, and a sensor is then supplied, through a download, with the protective software (e.g., the attack file) for the target platform (block 166). EX-1006 [0164]; EX-1003, ¶44.

To detect an attack, the sensor uses a “signature processing system . . . look[s] for signatures that are specific combinations of patterns (e.g., numerical field values, string matches, and the like) existing in monitored network traffic.” EX-1006 [0083]. When an attack is found, “response processor 54 . . . attempts to prevent the attack. Short-term responses include terminating TCP connections. Long-term responses include packet logging for further analysis to improve detection and response.” EX-1006 [0087]; EX-1003, ¶45.

As shown in FIG. 13, the sensor management system 26 includes a virtual intrusion detection system (VIDS) provisioning module 110 and a real-time signature update module 112. EX-1003, ¶46.

This realtime signature update module coordinates the delivery of intrusion signatures 70 to sensors 22. This module is responsive to control signals from the update server 38. EX-1006 [0132]; EX-1003, ¶47.

The VIDS provisioning module operates in conjunction with a sensor 22 and the update server 38. As previously discussed, the sensor 22 performs signature matchings against network traffic and generates responses in case of intrusions. A sensor 22 accepts configuration and control messages and sends intrusion alerts and/or events to the sensor management system 26. Since each VIDS can customize the response in the face of an intrusion, a sensor must be able to generate VIDS specific responses. In addition, the sensor 22 labels all alerts and events sent to the sensor management system 34 with VIDS identifiers so that the sensor management system 34 does not have to spend extra computer resources in filtering VIDS events. EX-1006 [0138]; EX-1003, ¶48.

2. Summary of Graham

Graham is directed to “analyzing and preventing unauthorized use of data network resources” by “evaluat[ing] potential network misuse signatures” to make a “misuse determination.” EX-1007 1:7-10, 2:51-56. For example, “several successive transmissions of an invalid user ID or password from a suspect node to a target may indicate that an unauthorized user is attempting to gain access to [a] target.” EX-1007 4:40-43. Graham describes identifying potential vulnerability information and deriving actual vulnerability data from it, by correlating “target fingerprint data … with the context-based and/or state-based data signature (as indicated at 255) to determine whether the target is actually vulnerable to the suspicious data signature.” EX-1007, 7:14-19. Graham also discloses using firewall-based mitigation actions to prevent an attack from taking advantage of an actual vulnerability, including taking “certain precautionary measures” such as attempting “to block incoming data transmissions from the suspect node (e.g., by commanding the firewall to do so).” EX-1007, 7:58-67; EX-1003, ¶¶49-50.

Graham further discloses that a factor considered by the system is “the target’s response to the detected data signature to further evaluate the probability of network misuse.” EX-1007 8:3-5. Thus, Graham teaches occurrence mitigation actions, one of which is a firewall-based occurrence mitigation type –– the firewall blocking incoming data transmission from a suspect node. EX-1007 7:65-67; EX-1003, ¶50.

3. Motivation to Modify the Teachings of Gupta with the Teachings of Graham

A POSITA would have been motivated to modify the teachings of Gupta with the teachings of Graham because both Gupta and Graham are directed to identifying vulnerabilities and applying corrective actions to protect against identified vulnerabilities. More specifically, Gupta discloses a security system that identifies devices with actual vulnerabilities, determines attacks directed to the identified devices, and presents options to a user for mitigating the attacks. EX-1006, [0151], [0154], [0164]-[0165]. Graham discloses a security system that identifies attacks against vulnerable systems and takes precautionary measures including blocking data transmissions with a firewall. EX-1007, 7:58-67; EX-1003, ¶¶51-55.

Gupta does not expressly recite that it uses firewall functionality, but a POSITA understood that firewall functionality was a well-known mitigation technology for preventing attacks, as discussed in the State of the Art section. EX-1005 9:36-41. Thus, a POSITA would have been motivated to modify the teachings of Gupta to implement the additional corrective actions disclosed in Graham of using a firewall for any identified vulnerabilities by combining the teachings according to known methods to yield predictable results. KSR Int’l Co. v. Teleflex, Inc., 550 U.S. 398, 416 (2007). In other words, such a combination is merely applying a known technique (implementing firewall functionality for identified vulnerabilities) to a known method (identifying vulnerabilities) with the predictable outcome of identifying and implementing corrective action for the identified vulnerabilities. KSR, 550 U.S. at 417. The combination also merely represents using a known technique (firewall functionality) to improve a similar system (Gupta’s network of devices) in the same way (“preventing unauthorized use of data network resources,” EX-1007, 1:7-10). KSR, 550 U.S. at 417; EX-1003, ¶54.

4. Claim 1

[1.0] A non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause the one or more processors to:

Gupta discloses several examples of a non-transitory computer-readable media that stores instructions. For example, Gupta’s FIG. 1 depicts a local security module 27 which includes a sensor 22 and a sensor management system 26, and a global sensor management system 34, all of which are connected to an update server 38, each of which includes processors executing instructions stored on non-transitory computer readable media. EX-1006, FIG. 1, [0032]-[0033]. Gupta further discloses that the update server 38 includes “standard computer components” including a CPU 140 and a “memory 146” storing “a set of executable programs to implement the functions of the update server.” EX-1006, [0150]; EX-1003, ¶¶56-68.

EX-1006, FIG. 1 (annotated); EX-1003, ¶61

Gupta further discloses instructions stored at the update server 38 are downloaded to the local security module 27 and global sensor management system 34. For example, Gupta discloses the update server 38 “coordinate[s] the delivery” of “software updates to the local sensor security module 27.” EX-1006 [0034]; EX-1003, ¶63.

Gupta further discloses the update server is “used to notify customers of new software,” and “provides the software images and signature files for download.” EX-1006 [0138]. It is well known in the art that computing devices can download and install software from a software update server (a “download server downloads updating files to the client” computer and the “desired revised software product is then installed on the client computer”). EX-1014, Abstract; EX-1003, ¶64.

Therefore, a POSITA would understand that Gupta’s update server 38 stores software (instructions) that is downloadable by local security module 27 and global management system 34. EX-1003, ¶65.

Gupta further discloses executing the instructions downloaded from update server 38 by “processor[s] 40_1 through 40_N,” CPU 100 of the sensor management system 26, and CPU 120 of the global management system 34. EX-1006, [0036], [0129], [0133]. As illustrated in FIG. 2, the processors 40 are connected to the memory 50 (storing the downloaded software from update server 38) via a system bus, and therefore the executable programs in memory 50 are executed by “one or more processors” 40. EX-1006, [0036]-[0037]. EX-1003, ¶66.

Similarly, as illustrated in FIG. 13, Gupta discloses the “sensor management system 26” is in the “form of a general-purpose computer, including a central processing unit 100” and a “memory 106” storing “a set of executable programs utilized to implement features of the invention,” which are connected via a “system bus 104.” EX-1006, [0129]-[0130]. Likewise, as illustrated in FIG. 14, the “global sensor management system 34” is also “in the form of a general-purpose computer, including a central processing unit 120” and a “memory 126.” EX-1006, [0133]-[0134]



