PTAB

IPR2017-02191

Trend Micro Inc v. SecurityProfiling LLC

1. Case Identification

2. Patent Overview

  • Title: Multiple-Path Remediation
  • Brief Description: The ’699 patent relates to methods for responding to computer security vulnerabilities. The claimed method involves receiving a query for a specific vulnerability at a database, where the database associates vulnerabilities with a plurality of remediation techniques (e.g., patches, policy settings, configuration options). The system then transmits a response describing at least two alternative techniques and applies a technique selected by a user via a user interface.

3. Grounds for Unpatentability

Ground 1: Anticipation over NIST - Claim 7 is anticipated by NIST under 35 U.S.C. §102(b).

  • Prior Art Relied Upon: NIST (NIST Special Publication 800-40).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that NIST, a government publication on patch management, discloses every element of claim 7. NIST describes using vulnerability databases, specifically the ICAT Metabase, which function as the claimed database. These databases associate vulnerabilities, identified by unique CVE numbers (the "vulnerability identifier"), with multiple remediation solutions, including patches and configuration changes. Petitioner asserted that NIST discloses a user querying the database via hyperlinks (the "query signal") and receiving an automatically generated webpage (the "response signal") that describes multiple alternative remediation techniques (e.g., hyperlinks to different patches or vendor sites) for selection and application by the user.

Ground 2: Obviousness over CVE-Crosstalk and NIST - Claim 7 is obvious over CVE-Crosstalk in view of NIST.

  • Prior Art Relied Upon: CVE-Crosstalk ("The Vulnerabilities of Developing on the Net," CrossTalk Magazine, Apr. 2001) and NIST (NIST Special Publication 800-40).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner contended that CVE-Crosstalk teaches a comprehensive framework for responding to security vulnerabilities using a standardized list of Common Vulnerabilities and Exposures (CVE). It explicitly discloses using a CVE-compatible database like the ICAT Metabase to identify the location of a "fix" for a given CVE entry. Petitioner argued that to the extent CVE-Crosstalk does not detail the user interaction or the presentation of alternative fixes, NIST provides these missing elements. NIST describes the specific functionality of the ICAT Metabase, including how it provides links to multiple patches and mitigation techniques for a single vulnerability.
    • Motivation to Combine: A POSITA would combine these references because CVE-Crosstalk expressly recommends using databases like the ICAT Metabase. NIST simply provides the publicly available, detailed implementation guide for the very database CVE-Crosstalk suggests using. The combination represents applying the specific teachings of NIST to the general framework of CVE-Crosstalk.
    • Expectation of Success: The combination would have yielded the predictable result of a functional vulnerability management system, as it merely involves using a known database (NIST) in the manner suggested by a known methodology (CVE-Crosstalk).

Ground 3: Obviousness over Gaul, CVE-Crosstalk, and Riordan - Claim 7 is obvious over Gaul, CVE-Crosstalk, and Riordan.

  • Prior Art Relied Upon: Gaul (Application # 2001/0034847), CVE-Crosstalk, and Riordan (Application # 2002/0112179).

  • Core Argument for this Ground:

    • Prior Art Mapping: Petitioner argued that Gaul discloses a security testing system that uses a CVE database to identify vulnerabilities and associated corrective actions. CVE-Crosstalk was cited to supply the well-known, standardized use of CVE names as vulnerability identifiers to organize such a database. Riordan was introduced to supply the teaching of presenting multiple, alternative remediation techniques for a single vulnerability. Riordan discloses that for any given threat, a system can present various actions (e.g., shutting down a service, reconfiguring the system, installing a patch) from which an administrator can choose.
    • Motivation to Combine: A POSITA would be motivated to improve Gaul’s disclosed system. Incorporating the standardized nomenclature from CVE-Crosstalk into Gaul's CVE database would be a logical step for interoperability. Furthermore, a POSITA would integrate Riordan’s teaching of offering alternative actions to make Gaul's system more flexible and robust, a known goal in network security.
    • Expectation of Success: Combining these known elements—a vulnerability database from Gaul, standard identifiers from CVE-Crosstalk, and alternative remediation options from Riordan—would predictably result in the claimed invention with no change to their respective functions.
  • Additional Grounds: Petitioner asserted an additional obviousness challenge to claim 7 over Girouard (Application # 2004/0064726) in view of CVE-Crosstalk. This ground relied on a similar theory of combining a vulnerability management system (Girouard) with the standardized CVE identifiers from CVE-Crosstalk to achieve the claimed method.

4. Key Claim Construction Positions

Petitioner argued for specific constructions of several claim terms under the Broadest Reasonable Interpretation (BRI) standard, asserting they were critical for mapping the prior art.

  • "receiving a query signal at a database": Petitioner proposed this means "receiving by a database an electronic communication that prompts or enables performing a query of the database."
  • "each vulnerability has a vulnerability identifier": Proposed as "data that identifies a particular vulnerability," such as a CVE number.
  • "a response signal...that describes at least two alternative remediation techniques": Petitioner argued this means "an electronic communication that contains two or more techniques for remediating the same vulnerability." This construction, supported by prosecution history, emphasizes that the techniques must be true alternatives for a single problem, not merely sequential steps in one larger fix.

5. Key Technical Contentions (Beyond Claim Construction)

  • Contention Regarding Priority Date: A central argument of the petition was that claim 7 is not entitled to the filing date of its provisional application (the '085 Provisional). Petitioner contended that the '085 Provisional fails to provide written description support for key limitations, including "offering the at least two alternative remediation techniques for selection by a user via a user interface" and "accepting a selection by the user." Petitioner argued the provisional described a fully automated remediation process, not one involving user choice between alternatives. This argument is critical to establishing the effective filing date of claim 7 as July 1, 2004, thereby making all asserted prior art references available under §102 and §103.

6. Relief Requested

  • Petitioner requests institution of an inter partes review of claim 7 of Patent 8,266,699 and cancellation of the claim as unpatentable.