PTAB
IPR2018-00913
Zscaler Inc v. Symantec Corp
Key Events
Petition
Table of Contents
petition
1. Case Identification
- Case #: IPR2018-00913
- Patent #: 8,316,429
- Filed: April 10, 2018
- Petitioner(s): Zscaler, Inc.
- Patent Owner(s): Symantec Corporation
- Challenged Claims: 10-12
2. Patent Overview
- Title: Methods and Systems for Obtaining URL Filtering Information
- Brief Description: The ’429 patent discloses methods for a proxy server to police network communications, particularly encrypted SSL sessions, between a client on a private network and an internet host. The technology allows the proxy to categorize a referring URL and, based on that category, determine whether to pass the encrypted traffic without inspection or to decrypt it for examination against security policies.
3. Grounds for Unpatentability
Ground 1: Claims 10-12 are obvious over Levow, Toneguzzo, and O'Laughlen.
- Prior Art Relied Upon: Levow (Application # 2006/0248575), Toneguzzo (Application # 2003/0182573), and O'Laughlen (Application # 2005/0015442).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that the combination of the three references taught every limitation of the challenged claims. Independent claim 10 recites a method at a proxy that involves receiving a client hello message, requesting a digital certificate from a "referring source," categorizing that referring source, and then determining whether to pass encrypted communication without decryption or to decrypt it for examination.
- Levow was argued to disclose the core proxy framework: a security system that intercepts encrypted client requests and determines whether to decrypt the communication or pass it through untouched based on a pre-defined "ignore list" (e.g., for sensitive categories like banking).
- Toneguzzo was asserted to teach categorizing websites based on information extracted directly from a digital certificate, such as a URL, domain name, or content rating, rather than just relying on a simple list.
- O'Laughlen was argued to teach the concept of a "referring source" in the context of embedded objects on a webpage. It disclosed that when a client requests an embedded object (e.g., an image), the security policy should be based on the category of the main webpage (the referring source) from which the object request originated, rather than the object's host itself.
- The combination allegedly taught a proxy (Levow) that categorizes a referring source (O'Laughlen) using information from its digital certificate (Toneguzzo) to decide whether to decrypt traffic to an embedded object's host. Dependent claims 11 and 12, which add limitations related to extracting identifying information (like a URL) from a client's request and using it to retrieve category information from a data structure, were argued to be taught by the combination of Levow's use of lists and O'Laughlen's use of the referring URL.
- Motivation to Combine: Petitioner contended a person of ordinary skill in the art (POSITA) would combine these references to create a more robust and efficient security system.
- A POSITA would combine Levow and Toneguzzo to improve Levow's categorization method. Instead of relying on a potentially incomplete list of server names or IP addresses, using information from the digital certificate as taught by Toneguzzo would provide a more reliable and secure basis for categorization that is available regardless of how the initial request was made (URL vs. IP address).
- A POSITA would further incorporate O'Laughlen's teachings to efficiently handle web pages with numerous embedded objects from different hosts. Applying the security determination of the main "referring page" to all its embedded objects, as taught by O'Laughlen, is a lightweight and logical method that avoids the unmanageable task of categorizing every individual embedded object's URL. This extends trust from the verified referring source to its associated content.
- Expectation of Success: Petitioner argued a POSITA would have had a reasonable expectation of success in combining the references. The integration involved applying known techniques for their intended purposes: using certificate data for filtering (Toneguzzo) and applying referring-page rules to embedded objects (O'Laughlen) within a standard proxy architecture (Levow). Since each element was known to work for its respective function, their combination to achieve the claimed method would have yielded predictable results.
- Prior Art Mapping: Petitioner argued that the combination of the three references taught every limitation of the challenged claims. Independent claim 10 recites a method at a proxy that involves receiving a client hello message, requesting a digital certificate from a "referring source," categorizing that referring source, and then determining whether to pass encrypted communication without decryption or to decrypt it for examination.
4. Key Claim Construction Positions
- "proxy" (claim 10): Petitioner argued this term should be construed according to the patent's explicit definition: "a device that enforces a set of rules on network traffic by intercepting the network traffic that flows between a client and a server, parsing and analyzing the messages being sent in both directions, and modifying the traffic based on a collection of 'if-then' rules."
- "uniform resource locator (URL)" (claim 12): Petitioner proposed that the broadest reasonable construction of this term includes either a full path URL (e.g., http://www.hostname.com) or a truncated URL (e.g., www.hostname.com or hostname alone), consistent with the specification's examples.
5. Relief Requested
- Petitioner requested institution of an inter partes review (IPR) and cancellation of claims 10-12 of the ’429 patent as unpatentable.
Analysis metadata