PTAB
IPR2014-00492
Finjan Inc v. FireEye Inc
1. Case Identification
- Case #: IPR2014-00492
- Patent #: 8,171,553
- Filed: March 7, 2014
- Petitioner(s): Finjan, Inc.
- Patent Owner(s): FireEye, Inc.
- Challenged Claims: 1-30
2. Patent Overview
- Title: Unauthorized Activity Capture System and Method
- Brief Description: The ’553 patent discloses an intrusion detection system (IDS) for network security. The system operates by using a tap to copy network data, analyzing the copied data with a heuristic to detect characteristics of a computer worm, and flagging suspicious data for replay and further analysis in a separate environment, potentially a virtual machine.
3. Grounds for Unpatentability
Ground 1: Claims 17, 22, 24-26, and 28 are anticipated by Venezia under 35 U.S.C. §102.
- Prior Art Relied Upon: Venezia (Paul Venezia, NetDetector Captures Intrusions, InfoWorld, July 14, 2003).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that Venezia, an article describing the "NetDetector" product, disclosed every limitation of the challenged claims. Venezia’s system was described as capturing and storing every network packet ("copying network data"), using the Snort IDS engine to analyze traffic based on filtering rules ("analyzing with a heuristic"), and identifying specific attacks or signatures. Crucially, Petitioner asserted Venezia taught the "flagging for replay" limitation by disclosing that once an attack is identified, every packet from that event is recorded and made available for replay to reconstruct the attack keystroke-by-keystroke.
- Key Aspects: This ground targeted the core inventive concept identified during prosecution—flagging for replay—and argued it was explicitly taught by a single prior art reference that was not considered by the Examiner.
Ground 2: Claims 1-7, 17, 21-22, and 25-30 are obvious over Kaeo in view of Venezia under 35 U.S.C. §103.
- Prior Art Relied Upon: Kaeo (Merike Kaeo, Designing Network Security, Nov. 2003) and Venezia.
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner contended that Kaeo, a foundational network security textbook, taught the basic architecture of a modern IDS as claimed in the ’553 patent. Kaeo explicitly disclosed using a network tap to copy data for an IDS (the "tap" and "controller" of claim 1) and analyzing that data with rule-based and statistical heuristics to detect worms and other intrusions ("analyze with a heuristic"). Petitioner argued that Venezia supplemented Kaeo by teaching the specific step of flagging suspicious network data for subsequent replay and analysis. By adding Venezia's recording and replaying capabilities to Kaeo's fundamental IDS, all limitations of the independent claims were met.
- Motivation to Combine: A person of ordinary skill in the art (POSITA) would combine Kaeo's general IDS framework with Venezia's specific replay functionality to improve intrusion detection. Kaeo itself recommended strategies for minimizing false positives, and Venezia's system, which allowed for detailed reconstruction and verification of suspicious events via replay, was a known technique to achieve this goal. Both references shared the common purpose of enhancing network security.
- Expectation of Success: A POSITA would have a high expectation of success, as the combination merely involved applying a known analysis technique (Venezia's replay) to data gathered by a standard IDS architecture (Kaeo's tapped system).
Ground 3: Claims 1, 8-16, 18, 20-22, and 29 are obvious over Kaeo and Venezia in view of Dunlap.
- Prior Art Relied Upon: Kaeo, Venezia, and Dunlap (George W. Dunlap, et al., ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay, Dec. 9, 2002).
- Core Argument for this Ground:
- Prior Art Mapping: This ground built upon the combination of Kaeo and Venezia to address claims requiring a virtual machine (VM) environment. While Kaeo and Venezia provided the core IDS and replay functionality, Dunlap was introduced to teach the use of VMs for intrusion analysis. Dunlap’s "ReVirt" system was specifically designed to capture unauthorized activity by running a target system within a VM and replaying network data to that VM to analyze how an attack occurred. Dunlap taught retrieving a VM and replaying suspicious network transmissions to it, directly mapping to the limitations of claims 8 and 18.
- Motivation to Combine: A POSITA, having combined Kaeo and Venezia to create an IDS that flags data for replay, would be motivated to incorporate Dunlap's VM-based analysis environment. Using a VM for replay, as taught by Dunlap, was a known technique to create a safe, isolated "sandbox" for analyzing potentially malicious code without risk to the live network, a clear and desirable improvement.
- Expectation of Success: The combination would have been straightforward, as it involved directing the suspicious data stream identified by the Kaeo/Venezia system to a known type of analysis environment taught by Dunlap.
Additional Grounds: Petitioner asserted additional obviousness challenges based on combinations including Liljenstam (teaching flagging suspicious ICMP messages for replay to track worm infections) and Chen (teaching the use of cloned VMs to test suspicious packets), but relied on similar motivations to combine these known security techniques to improve the functionality of a standard IDS.
4. Key Claim Construction Positions
- "flag" or "flagging": Petitioner proposed this term means to "identify." This construction was central to its argument that prior art systems which identified suspicious packets and made them available for replay met the "flagging for replay" limitation that was key to the patent's allowance.
- "replay in an analysis environment": Petitioner argued this phrase should be given its plain meaning, encompassing any environment used for analysis, including the replay systems described in Venezia that allowed for session reconstruction, and the VM-based sandboxes described in Dunlap and Chen.
5. Relief Requested
- Petitioner requested institution of an inter partes review and cancellation of claims 1-30 of the ’553 patent as unpatentable.