Trend Micro Inc v. SecurityProfiling LLC

1. Case Identification

• Case #: IPR2017-02192
• Patent #: 8,984,644
• Filed: September 27, 2017
• Petitioner(s): Trend Micro, Inc.
• Patent Owner(s): SecurityProfiling, LLC
• Challenged Claims: 1, 7, and 14

2. Patent Overview

• Title: Anti-vulnerability System, Method, and Computer Program Product
• Brief Description: The ’644 patent discloses a computer program product designed to enhance network security. The system receives "actual vulnerability information," identifies a security "occurrence" (e.g., an attack), determines if the occurrence can exploit an existing vulnerability, and provides a user with options to select different mitigation actions.

3. Grounds for Unpatentability

Ground 1: Anticipation of Claim 1 - Claim 1 is unpatentable under 35 U.S.C. §102 over Shah.

• Prior Art Relied Upon: Shah (Application # 2004/0073800).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Shah disclosed every element of claim 1. Shah described an intrusion detection management server that receives vulnerability information by loading a "currently updated list of vulnerabilities" to determine which devices are susceptible to specific exploits. Shah further taught identifying "specific traffic that is destined for a computer with a specific software defect," which meets the "occurrence" limitation. Finally, Shah disclosed providing a user with mitigation options via an Internet-based web interface to configure firewall policies or instruct a firewall to "disconnect (or block) malicious communication traffic."

Ground 2: Obviousness of Claims 1, 7, and 14 - Claims are obvious over Gupta in view of Girouard.

• Prior Art Relied Upon: Gupta (Application # 2003/0004689) and Girouard (Application # 2004/0064726).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner asserted that Gupta disclosed a security system that determines device vulnerabilities using a hierarchical "attack file" and detects attacks ("occurrences") using signature processing. Gupta also provided a user with options to manage the system and provided for "short-term responses" like terminating TCP connections (an intrusion prevention system action). Petitioner argued that Girouard supplemented Gupta by explicitly teaching the use of firewall techniques as a mitigation option, disclosing that a "firewall policy or security rule may be loaded to a firewall that prevents traffic conforming to a threatening profile from reaching the server."
  • Motivation to Combine: A POSITA would combine Gupta and Girouard to improve Gupta's vulnerability management system with the well-known and varied mitigation techniques taught by Girouard. Adding Girouard’s explicit teaching of firewall policies to Gupta’s system, which already provided for user-selectable mitigation options, was merely the application of a known technique to a known system to yield predictable results.
  • Expectation of Success: A POSITA would have a high expectation of success, as both references operated in the same field of network security and addressed the common problem of responding to identified threats.

Ground 3: Obviousness of Claims 1, 7, and 14 - Claims are obvious over Gleichauf in view of Hill.

• Prior Art Relied Upon: Gleichauf (Patent 6,301,668) and Hill (Patent 6,088,804).

• Core Argument for this Ground:

  • Prior Art Mapping: Petitioner argued that Gleichauf taught a network security system that identified potential vulnerabilities, confirmed them by executing exploits, and used this data to create a "network map" (actual vulnerability information). Gleichauf's system then detected attacks ("occurrences") using protocol and signature engines. While Gleichauf disclosed making attack detection results available to a system administrator, Hill taught the specific implementation of presenting mitigation options to a user. Hill described generating a "mitigation list" which cataloged actions a network manager could take, such as disconnecting nodes (a firewall action) or establishing false targets (an intrusion prevention action).
  • Motivation to Combine: A POSITA implementing Gleichauf’s attack detection system would be motivated to incorporate Hill’s user interface for mitigation to make the system more effective. Providing an operator with a menu of actionable responses to a detected threat, as taught by Hill, was a logical and predictable improvement to the detection system of Gleichauf.
  • Expectation of Success: The combination involved applying a known user interface solution (Hill) to a known problem (responding to attacks detected by Gleichauf), ensuring a high expectation of success.

• Additional Grounds: Petitioner asserted that claim 1 is obvious over Shah in view of Hill.

4. Key Claim Construction Positions

• "occurrence": Petitioner proposed this term be construed to mean "a presently occurring attempt to exploit a vulnerability." This construction was argued to be critical, as it frames the event that triggers the mitigation options, aligning it with the active threat detection described in the prior art.
• "firewall-based occurrence mitigation type" and "intrusion prevention system-based occurrence mitigation type": Petitioner argued these terms should be construed according to their generic technological functions: a firewall action involves "blocking an attempted connection," while an intrusion prevention system action involves "dropping an existing connection." This distinction was central to mapping the varied mitigation techniques disclosed in the prior art references onto the claim limitations.

5. Key Technical Contentions (Beyond Claim Construction)

• Priority Date Challenge: A central contention of the petition was that claims 1, 7, and 14 were not entitled to the priority date of the '085 Provisional or the '852 Application. Petitioner argued that the key limitation—"code for providing a user with one or more options to selectively utilize different occurrence mitigation actions"—was first introduced in a preliminary amendment on November 12, 2014. According to Petitioner, the earlier applications only disclosed automated or pre-selected remediation and lacked any disclosure of providing a user with a choice between different types of mitigation actions (e.g., firewall vs. IPS) in response to an occurrence. This argument, if successful, would establish a later effective filing date for the challenged claims, making more prior art available under §102 and §103.

6. Relief Requested

• Petitioner requested institution of an inter partes review and cancellation of claims 1, 7, and 14 of Patent 8,984,644 as unpatentable.