PTAB
IPR2014-00344
Finjan Inc v. FireEye Inc
1. Case Identification
- Case #: IPR2014-00344
- Patent #: 8,291,499
- Filed: January 14, 2014
- Petitioner(s): Finjan, Inc.
- Patent Owner(s): FireEye, Inc.
- Challenged Claims: 1-30
2. Patent Overview
- Title: System and Method for Intrusion Detection
- Brief Description: The ’499 patent discloses an intrusion detection system (IDS) that operates by copying network data and comparing it to a policy. If the data is deemed suspicious, it is flagged for replay and analysis in a separate environment to identify unauthorized activity, such as a computer worm.
3. Grounds for Unpatentability
Ground 1: Claims 19, 25, 28, and 30 are anticipated by Venezia under 35 U.S.C. §102.
- Prior Art Relied Upon: Venezia (Paul Venezia, NetDetector Captures Intrusions, InfoWorld Issue 27, July 14, 2003).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that Venezia, an article describing the "NetDetector" IDS product, discloses every limitation of independent claim 19. Venezia's system copies network data ("stores every packet"), compares it against policies using a Snort IDS engine to detect characteristics of a worm (e.g., a "CodeRed attack"), flags suspicious data by making it available for replay ("every packet comprising that event is available"), and replays the data to a destination device to reconstruct the attack.
- Key Aspects: Petitioner contended Venezia explicitly teaches the core inventive concept, including the "flagging for replay" limitation that was the basis for the patent's allowance.
Ground 2: Claims 1-6, 8, 19, 23-24, 26-27, 29, and 30 are obvious over Kaeo in view of Venezia under 35 U.S.C. §103.
- Prior Art Relied Upon: Kaeo (Merike Kaeo, Designing Network Security, Nov. 2003) and Venezia.
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner asserted that Kaeo, a foundational textbook on network security, teaches the basic elements of an IDS as recited in independent claim 1, including using a "tap" (e.g., cable taps or SPAN ports) to copy network data and a "controller" to receive and compare the data against policies (rule-based analysis) to detect worm characteristics. Petitioner argued Venezia supplies the missing element: flagging suspicious data for replay in an analysis environment.
- Motivation to Combine: Petitioner argued a person of ordinary skill in the art (POSITA) would combine Kaeo's standard IDS architecture with Venezia's well-known replay functionality. The combination would enhance Kaeo's system by providing a method for further verification of suspicious packets, thereby minimizing "false positives," which Kaeo identifies as a common problem.
- Expectation of Success: A POSITA would have had a reasonable expectation of success, as the combination merely integrates two known, compatible technologies—network monitoring and session replay—for their intended purpose of improving intrusion detection accuracy.
Ground 3: Claims 1, 9-15, 17-18, 20, and 22 are obvious over Kaeo and Venezia in view of Dunlap.
- Prior Art Relied Upon: Kaeo, Venezia, and Dunlap (George W. Dunlap, et al., ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay, Dec. 9, 2002).
- Core Argument for this Ground:
- Prior Art Mapping: This ground targets claims requiring a virtual machine (VM) analysis environment, including independent claim 9. Petitioner contended that Kaeo and Venezia provide the foundational IDS with a replay function, as argued in Ground 2. Dunlap was asserted to teach the specific implementation of this replay within a VM. Dunlap's "ReVirt" system explicitly describes capturing system activity, including network data, and replaying it within a VM to "diagnose the method and effects of the intrusion." This directly teaches retrieving a VM and replaying the suspicious activity to it for analysis.
- Motivation to Combine: Petitioner argued a POSITA would be motivated to implement the replay taught by Venezia within the VM environment taught by Dunlap. Using a VM for analysis was a known technique to create an isolated, safe environment for examining potentially malicious code without risk to the production network. This would be a predictable improvement to the Kaeo/Venezia system.
- Expectation of Success: A POSITA would expect this combination to work, as it involves applying a known analysis technique (VM-based replay) to a standard IDS to achieve the predictable benefit of safer and more thorough intrusion analysis.
Additional Grounds: Petitioner asserted additional obviousness challenges based on combinations including Liljenstam (teaching flagging for replay to track worm infections) and Chen (teaching VM-based intrusion detection and analysis).
4. Key Claim Construction Positions
- "flag" or "flagging": Petitioner proposed this term be construed simply as "identify." This broad construction was central to their argument that prior art references, which identified and recorded suspicious data for later replay, met this claim limitation.
- "controller": Petitioner proposed this term means "any digital device or software that receives network data." This construction supports applying the claims to general-purpose computer systems running IDS software as described in the prior art.
- "virtual machine pool": Petitioner proposed this term means "any storage capable of storing one or more virtual machines." This broad interpretation was used to argue that systems described by references like Chen and Dunlap, which could run or create VMs as needed, met this limitation.
5. Key Technical Contentions (Beyond Claim Construction)
- Petitioner's central technical contention was that the "flagging for replay" limitation, which the patent examiner relied upon for allowance, was not novel or non-obvious. Petitioner argued this was a well-known, conventional technique used by intrusion detection systems long before the patent's priority date. References such as Venezia, Liljenstam, and Chen were presented as evidence that a POSITA would have been aware of, and routinely implemented, systems that identified, recorded, and replayed suspicious network traffic for forensic analysis.
6. Relief Requested
- Petitioner requests the institution of an inter partes review and the cancellation of claims 1-30 of the ’499 patent as unpatentable.