PTAB

IPR2015-01876

McAfee Inc v. Cap Co Ltd

Petition

1. Case Identification

2. Patent Overview

  • Title: Flexible Network Security System and Method for Permitting Trusted Process
  • Brief Description: The ’078 patent (Patent 8,544,078) discloses a network security system that dynamically manages firewall rules so that trusted programs can access the network. The system automatically identifies the ports used by permitted applications and updates the firewall rules accordingly, so the user need not configure port access by hand.

3. Grounds for Unpatentability

Ground 1: Claims 1-5, 16, and 18-20 are obvious over Yadav in view of Freund.

  • Prior Art Relied Upon: Yadav (Patent 7,174,566) and Freund (Patent 5,987,611).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Yadav and Freund collectively disclose every element of the challenged claims. Yadav taught a "dynamic firewall" for integrated network intrusion detection that used application-specific rules to authorize or block network requests. Yadav's system comprised an Application Rule Enforcer (ARE), which identified invoked applications and compared their network requests against stored policies, and a Network Traffic Enforcer (NTE), which maintained an "authorization list" of permitted communication channels and blocked unauthorized traffic. Petitioner contended that Yadav's ARE functions as the claimed "port monitoring unit" by intercepting application requests (e.g., "listen" requests) to determine which ports to open.
    • Petitioner asserted that Freund, which described a client-based firewall in greater detail, remedied any potential deficiencies in Yadav. Freund disclosed a database of permitted programs, each identified by name, path, and hash value, which Petitioner mapped directly to the claimed "internal permitted program storage storing a list of programs." Freund also taught using WinSock hooking to intercept network requests, a mechanism Petitioner characterized as compatible with Yadav's system. Petitioner argued that combining Yadav's policy-enforcement framework (ARE/NTE) with Freund's detailed implementation of an application-aware firewall, including its program database and its user interface for adding programs, renders the claimed invention obvious. For example, Yadav's ARE and NTE together were said to perform the functions of the claimed "firewall flexible device," which determines whether a program is registered and manages port permissions. The combination was further said to teach storing extracted server port information in the "authorization list" (the claimed "internal permitted port storage") only after the requesting program is confirmed to be on the permitted list.
    • Motivation to Combine (for §103 grounds): Petitioner asserted that a person of ordinary skill in the art (POSITA) would have combined Yadav and Freund because both addressed the same well-known problem: simplifying firewall management by automating port configuration for specific applications. Both references relied on compatible end-point filtering architectures on Windows-based systems and used the same implementation details, such as WinSock hooking. Yadav described its firewall as part of a larger intrusion detection system, and a POSITA seeking to implement Yadav's firewall component would naturally have looked to a detailed firewall-focused reference such as Freund.
    • Expectation of Success (for §103 grounds): A POSITA would have had a reasonable expectation of success in combining the references because their compatible architectures and use of standard Windows APIs would lead to a predictable and functional system. Integrating Freund's detailed database management into Yadav's policy enforcement framework was presented as a straightforward application of known techniques.
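As an added illustration, not text or code from the petition, the patent, Yadav or Freund, the following Python model traces the flow that Ground 1 attributes to the combination: a listen request is intercepted, the requesting program is checked against a permitted-program list keyed by name, path and hash, the server port is recorded in a permitted-port list only when that check succeeds, and inbound packets are then filtered by destination port. The class and function names, the choice of SHA-256 as the hash, and the sample program images and ports are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass

# Assumed names: ProgramIdentity, PermittedProgramStorage, PermittedPortStorage and
# FirewallFlexibleDevice are illustrative labels for the claim elements summarised
# above; they are not identifiers from the '078 patent, Yadav or Freund.


@dataclass(frozen=True)
class ProgramIdentity:
    """A permitted program identified by name, path and hash (Freund-style record)."""
    name: str
    path: str
    sha256: str


def hash_image(image: bytes) -> str:
    # SHA-256 is an assumption; the references only say "hash value".
    return hashlib.sha256(image).hexdigest()


class PermittedProgramStorage:
    """'internal permitted program storage': the list of programs the firewall trusts."""

    def __init__(self) -> None:
        self._by_path: dict[str, ProgramIdentity] = {}

    def add(self, name: str, path: str, image: bytes) -> ProgramIdentity:
        entry = ProgramIdentity(name, path, hash_image(image))
        self._by_path[path] = entry
        return entry

    def is_permitted(self, path: str, image: bytes) -> bool:
        # Path alone is not enough: a replaced binary at the same path must fail the hash check.
        entry = self._by_path.get(path)
        return entry is not None and entry.sha256 == hash_image(image)


class PermittedPortStorage:
    """'internal permitted port storage' / Yadav's authorization list of open server ports."""

    def __init__(self) -> None:
        self._ports: set[tuple[str, int]] = set()

    def register(self, proto: str, port: int) -> None:
        self._ports.add((proto, port))

    def contains(self, proto: str, port: int) -> bool:
        return (proto, port) in self._ports


class FirewallFlexibleDevice:
    """Combines the port-monitoring and packet-filtering roles that the petition maps to
    Yadav's ARE (user space) and NTE (kernel space)."""

    def __init__(self, programs: PermittedProgramStorage, ports: PermittedPortStorage) -> None:
        self.programs = programs
        self.ports = ports

    def on_listen(self, path: str, image: bytes, proto: str, port: int) -> bool:
        """Port monitoring unit: intercept a listen() request (as a WinSock hook would) and
        open the port only if the requesting program is on the permitted list."""
        if not self.programs.is_permitted(path, image):
            return False
        self.ports.register(proto, port)
        return True

    def filter_inbound(self, proto: str, dst_port: int) -> str:
        """Check an inbound packet's destination port against the registered server ports."""
        return "ACCEPT" if self.ports.contains(proto, dst_port) else "DROP"


def demo() -> dict:
    """Constructed scenario: one trusted daemon, one unknown binary, one tampered copy."""
    programs = PermittedProgramStorage()
    ports = PermittedPortStorage()
    fw = FirewallFlexibleDevice(programs, ports)

    sshd_image = b"constructed sshd image v1"  # stand-in for the real executable bytes
    programs.add("sshd", "/usr/sbin/sshd", sshd_image)

    return {
        "sshd_listen": fw.on_listen("/usr/sbin/sshd", sshd_image, "tcp", 22),
        "unknown_listen": fw.on_listen("/tmp/unknown", b"constructed unknown binary", "tcp", 4444),
        # Same path as sshd but different bytes: the hash check must reject it.
        "tampered_listen": fw.on_listen("/usr/sbin/sshd", b"constructed tampered sshd", "tcp", 2222),
        "inbound_22": fw.filter_inbound("tcp", 22),
        "inbound_4444": fw.filter_inbound("tcp", 4444),
        "inbound_2222": fw.filter_inbound("tcp", 2222),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes visible is the ordering the petition relies on: the port is never written to the permitted-port list unless the program check passes first, so inbound traffic to a port opened by an unlisted or modified binary is dropped even though a listen() was attempted.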

4. Key Claim Construction Positions

  • internal permitted program storage: Petitioner proposed the construction "internal storage of information identifying programs permitted by the firewall." This broad interpretation was argued to encompass both the policy repositories in Yadav and the more explicit application database disclosed in Freund.
  • firewall flexible device: Petitioner proposed the construction "device for making the firewall flexible." This interpretation, drawn from language in the specification, was argued not to be limited to a single unitary component, which supported Petitioner's position that the combined functionalities of Yadav's separate ARE and NTE components satisfy this single claim limitation.
  • a port of a packet of inbound traffic: Petitioner proposed the construction "the destination port of a packet of inbound traffic." This construction was argued to be consistent with the patent's disclosure of checking inbound traffic against registered server ports on the host machine.

5. Key Technical Contentions (Beyond Claim Construction)

  • Mapping Multiple Prior Art Components to a Single Claim Element: A central technical-legal argument was that the functions of the claimed "firewall flexible device" do not need to reside in a single, unitary prior-art component. Petitioner argued that the distinct ARE (user space) and NTE (kernel space) components in Yadav collectively perform the functions of the "firewall flexible device" and that such a mapping is appropriate because the claims do not require a unitary structure.

6. Relief Requested

  • Petitioner requested institution of an inter partes review (IPR) and cancellation of claims 1-5, 16, and 18-20 of Patent 8,544,078 as unpatentable.