PTAB

IPR2018-01506

Cisco Systems, Inc. v. Centripetal Networks, Inc.

1. Case Identification

2. Patent Overview

  • Title: Layer 4-7 Threat Intelligence Gateway
  • Brief Description: The ’205 patent describes systems and methods for network security using "packet security gateways" (PSGs) located at the boundaries between networks. The PSGs are configured to receive dynamic security policies from a central "security policy management server" (SPMS) and apply rules from those policies to inspect, filter, modify, or route incoming network packets.

3. Grounds for Unpatentability

Ground 1: Obviousness over Jungck, Ingate, and RFC 2003 - Claims 49, 61-63, 75-77, and 89-90 are obvious over Jungck in view of Ingate and RFC 2003.

  • Prior Art Relied Upon: Jungck (Application # 2009/0262741), Ingate (Firewall/SIParator® SIP Security Best Practice, Sep. 2008), and RFC 2003 (IETF Request for Comment, Oct. 1996).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Jungck disclosed the core system of the independent claims: a packet interceptor apparatus (the claimed PSG) that applies dynamically modified rules received from an external management device (the claimed SPMS). Jungck’s system can reroute packets to alternate destinations. Petitioner asserted that Ingate, which teaches filtering VoIP traffic based on Session Initiation Protocol (SIP) Uniform Resource Identifier (URI) parameters to block malicious packets, supplied the missing SIP-specific filtering limitation. The combination of Jungck and Ingate allegedly taught a PSG receiving a dynamic policy with rules specifying network addresses and SIP URIs. RFC 2003 was cited for its standardized method of rerouting packets via "IP in IP" encapsulation, which allegedly rendered obvious the claimed packet transformation function of encapsulating a packet with a new header for routing to an intermediate device.
    • Motivation to Combine: A Person of Ordinary Skill in the Art (POSA) would combine Jungck’s flexible packet interceptor framework with Ingate’s well-known "best practices" for SIP security to protect common VoIP systems. A POSA would then look to an industry standard like RFC 2003 to implement Jungck's rerouting function in a predictable way that preserves original header information for subsequent forwarding to the packet's final destination.
    • Expectation of Success: The combination involved applying well-understood techniques (SIP filtering, encapsulation) to a known type of system (a dynamic packet filter), which would have yielded predictable results.

Ground 2: Obviousness over Jungck, Ingate, RFC 2003, and Ahn - Claims 50-51, 56, 64-65, 70, 78-79, and 84 are obvious over the combination of Jungck, Ingate, RFC 2003, and Ahn.

  • Prior Art Relied Upon: Jungck, Ingate, RFC 2003, and Ahn (Application # 2011/0055916).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground built upon the base combination from Ground 1, adding Ahn to address claims requiring at least two PSGs configured in series. Petitioner argued that Ahn taught distributing rules across multiple, pipelined firewall processors to improve packet filtering efficiency. Ahn explicitly discloses a first firewall analyzing packets with a first rule set and forwarding a portion of those packets to a second, serially-connected firewall for analysis with a second rule set. This allegedly rendered obvious the limitations of forwarding packets between a first and second PSG, with each applying different rules. Further, Ahn’s disclosure of using 5-tuple rules (source/destination IP/port and protocol) was argued to render obvious the claims requiring rules based on a "five-tuple."
    • Motivation to Combine: A POSA would have been motivated to modify the system of Jungck with the well-known pipelined architecture of Ahn to improve packet filtering throughput and efficiency. Since Ahn explicitly teaches combining its techniques with other firewall technologies, a POSA would readily combine its serial processing with the functionalities taught by Jungck and Ingate.
    • Expectation of Success: Serial rule processing was a known technique for increasing network device throughput, and its application to the firewall system of Jungck would have been a predictable and routine design modification.

Ground 3: Obviousness over Jungck, Ingate, RFC 2003, and Ke - Claims 54, 68, and 82 are obvious over the combination of Jungck, Ingate, RFC 2003, and Ke.

  • Prior Art Relied Upon: Jungck, Ingate, RFC 2003, and Ke (Patent 7,095,716).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground also built on the base combination from Ground 1, adding Ke to address claims requiring packet queuing. Petitioner contended that Ke taught an internet security device that uses priority queuing to ensure quality of service (QoS) and manage network bottlenecks. Ke’s system places certain packets (e.g., session control packets) into a high-priority queue with a higher forwarding rate than other "normal" packets. This was argued to render obvious the claim limitations specifying that a dynamic security policy places different portions of packets into first and second forwarding queues with different forwarding rates.
    • Motivation to Combine: A POSA would readily recognize the benefit of integrating Ke’s explicit queuing features into the screening technologies of Jungck and Ingate. This combination would allow for differentiated service levels and would resolve network traffic bottlenecks, both common and sought-after objectives in network management.
    • Expectation of Success: Integrating known QoS queuing mechanisms into a packet filtering system was a standard design choice to manage traffic predictably and offered clear advantages.
  • Additional Grounds: Petitioner asserted an additional obviousness challenge (Ground 4) relying on the core combination plus RFC 2474. This combination was used to argue the obviousness of claims requiring a rule with a Differentiated Service Code Point (DSCP) selector, as RFC 2474 teaches using the DSCP field to implement differentiated service offerings.

4. Key Claim Construction Positions

  • "Dynamic Security Policy": Petitioner argued that this term should be construed according to its explicit definition in the ’205 patent: "any rule, message, instruction, file, data structure, or the like that specifies criteria..." Petitioner noted that even under the Patent Owner's narrower construction proposed in litigation ("a non-static set of one or more rules..."), the challenged claims remained obvious.
  • "Packet Transformation Function": Petitioner contended this term means "an action taken on a packet," such as forwarding, dropping, or routing, as described throughout the ’205 patent. Petitioner argued that the Patent Owner’s litigation position—which sought to exclude forwarding and dropping—was directly contradicted by the specification and claim language of the patent itself.

5. Arguments Regarding Discretionary Denial

  • Petitioner argued that discretionary denial under §325(d) or §314(a) was not warranted. The petition asserted that it presented different claim groupings and novel combinations of prior art not previously considered by the USPTO. Specifically, it was argued that the primary reference, Jungck, was not considered during prosecution, and that the petition was supported by a new expert declaration from Dr. Kevin Jeffay, whose analysis had not been previously presented.

6. Relief Requested

  • Petitioner requests the institution of an inter partes review and cancellation of claims 49-51, 54, 56-57, 61-65, 68, 70-71, 75-79, 82, 84-85, and 89-90 of the ’205 patent as unpatentable.