PTAB
IPR2014-00610
Microsoft Corp v. VirnetX Inc
1. Case Identification
- Case #: IPR2014-00610
- Patent #: 7,490,151
- Filed: April 10, 2014
- Petitioner(s): Microsoft Corporation
- Challenged Claims: 1, 2, 6-8, and 12-14
2. Patent Overview
- Title: Establishment of a Secure Communication Link Based on a Domain Name Service (DNS) Request
- Brief Description: The ’151 patent discloses a system for creating secure communication channels over the internet. The system uses a domain name service (DNS) proxy to intercept a client's DNS request, determine if the request is for a secure server, and automatically initiate an encrypted channel to that server if it is secure, or otherwise forward the request to a standard DNS function.
3. Grounds for Unpatentability
Ground 1: Anticipation by Kiuchi - Claims 1, 2, 6-8, and 12-14 are anticipated by Kiuchi under 35 U.S.C. §102.
- Prior Art Relied Upon: Kiuchi (Takahiro Kiuchi and Shigekoto Kaihara, “C-HTTP – The Development of a Secure, Closed HTTP-based Network on the Internet,” IEEE 1996).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that Kiuchi discloses every element of the challenged claims. Kiuchi describes a "C-HTTP" system for creating a secure virtual network using client-side and server-side proxies. The client-side proxy functions as a DNS proxy module by intercepting HTTP requests (which Petitioner asserted are DNS requests under the proper construction) from a user agent (the client). This proxy then queries a C-HTTP name server to determine if the request's hostname corresponds to a secure server within the "closed network." If it does, the system automatically initiates an encrypted C-HTTP connection. If not, the client-side proxy performs a standard DNS lookup for the non-secure host. This process directly maps to the steps recited in independent claims 1, 7, and 13.
- Key Aspects: Petitioner asserted that Kiuchi's client-side proxy avoids sending the true IP address of the secure origin server to the client application, instead providing the IP address of the server-side proxy, thus anticipating the limitations of dependent claims 6 and 12.
Ground 2: Obviousness over Kiuchi and RFC 1034 - Claims 1, 2, 6-8, and 12-14 are obvious over Kiuchi in view of RFC 1034.
- Prior Art Relied Upon: Kiuchi and RFC 1034 (Mockapetris, P., "Domain Names – Concepts and Facilities," Nov. 1987).
- Core Argument for this Ground:
- Prior Art Mapping: This ground was presented as an alternative in case the Board adopted a narrower construction of "DNS request." Petitioner argued Kiuchi's client-side proxy sends a request to a C-HTTP name server for an IP address corresponding to a hostname. RFC 1034 discloses fundamental DNS concepts, including the distinction between "iterative" and "recursive" resolution. Kiuchi's system, where the client-side proxy performs a separate lookup for non-secure sites after receiving an error, is an iterative approach. The combination taught by Kiuchi and RFC 1034 discloses a DNS proxy module (the modified C-HTTP name server) that intercepts DNS requests from a client (the client-side proxy) and determines if they correspond to a secure server.
- Motivation to Combine: A person of ordinary skill in the art (POSITA) would have been motivated to modify Kiuchi’s iterative system to use the recursive approach taught by RFC 1034. RFC 1034 describes the recursive mode as the "simplest mode for the client." This modification would streamline Kiuchi’s system by having the C-HTTP name server directly perform the standard DNS lookup for non-secure sites on behalf of the client proxy, rather than returning an error and requiring the proxy to initiate a second lookup.
- Expectation of Success: A POSITA would have had a high expectation of success in implementing this modification, as it involved applying a well-known, alternative DNS resolution method to improve system efficiency.
Ground 3: Anticipation by Aventail - Claims 1, 2, 6-8, and 12-14 are anticipated by Aventail under §102.
- Prior Art Relied Upon: Aventail (Aventail Connect and Aventail Extranet Center Administrator's Guides, publicly distributed by Jan. 1999).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner contended that if the Patent Owner argued Kiuchi does not involve DNS, the claims were nonetheless anticipated by Aventail. Aventail discloses a client/server VPN solution where "Aventail Connect" software acts as a Layered Service Provider (LSP) on a client computer. This LSP functions as a DNS proxy module by intercepting all DNS lookup requests from client applications. Aventail Connect uses redirection rules to determine if a requested domain name corresponds to a secure server on a private network. If a rule is matched, it automatically initiates a secure, encrypted VPN connection to the secure server via an Aventail Extranet Server (AES). If no rule is matched, it passes the request to the operating system for a standard DNS lookup. This functionality was argued to disclose all limitations of the challenged claims.
Additional Grounds: Petitioner asserted additional obviousness challenges, including combinations of Kiuchi with RFC 2660 (Secure HTTP), and Aventail with RFC 2660, primarily to address potential claim construction disputes regarding the scope of the "encrypted channel" and whether it must be end-to-end.
4. Key Claim Construction Positions
Petitioner argued for constructions based on the broadest reasonable interpretation standard, often adopting positions previously asserted by the Patent Owner in other proceedings.
- DNS Request: Petitioner argued for construing this term as "a request for a resource corresponding to a domain name," a definition the Patent Owner had previously advanced. This broad construction allows the initial HTTP request in Kiuchi to qualify as a "DNS request."
- Secure Server: Petitioner adopted the Patent Owner's prior assertion that this means "a server that requires authorization for access and that can communicate in an encrypted channel."
- Automatically Initiating...: Petitioner adopted the Patent Owner's construction of "initiating/creating the encrypted/secure channel without involvement of a user."
- Between [A] and [B]: Petitioner argued, based on the Patent Owner's prior litigation positions, that an encrypted channel "between" a client and server need only cover the public communication paths and does not have to extend completely from the client endpoint to the server endpoint.
5. Relief Requested
- Petitioner requested the institution of an inter partes review (IPR) and the cancellation of claims 1, 2, 6-8, and 12-14 of the ’151 patent as unpatentable.