PTAB

IPR2018-01654

Cisco Systems, Inc. v. Centripetal Networks, Inc.

1. Case Identification

2. Patent Overview

  • Title: Correlating Packets in Communications Networks
  • Brief Description: The ’176 patent describes a computing system and method for correlating network data packets that traverse a network device, such as a Network Address Translation (NAT) firewall. The system addresses the problem of tracking packet flows when a network device alters packet information (e.g., source/destination IP addresses), by generating and comparing log entries for received and transmitted packets to identify related flows and then generating rules based on that correlation.

3. Grounds for Unpatentability

Ground 1: Claims 1, 4-7, 11, 14-17, 21, and 24-27 are obvious over Ivershen in view of Rajan, Briggs, and Bloch.

  • Prior Art Relied Upon: Ivershen (Patent 8,219,675), Rajan (Patent 8,271,645), Briggs (Application # 2008/0320116), and Bloch (Patent 7,849,502).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that the combination of references teaches all limitations of the challenged claims. Ivershen, the primary reference, was asserted to teach a method for correlating IP flows across a NAT firewall by capturing packets on both sides, calculating an invariant checksum key (CHKEY) for each flow, and comparing the keys to identify related pre-NAT and post-NAT packets. However, Ivershen stores the entire captured data packet. To meet the claim limitation of generating "log entries," Petitioner combined Ivershen with Rajan, which was cited for its teaching of creating "trace logs" that store only portions of a network packet in data structures, rather than the entire packet. To supply the claimed step of generating rules responsive to the correlation, Petitioner combined the system with Briggs and Bloch. Briggs was argued to teach analyzing network traffic to identify malicious activity (e.g., spam) and using mapping information to identify the specific device sending the malicious packets, while Bloch was argued to teach a system that generates or updates firewall rules to block or redirect traffic from identified malicious IP addresses.
    • Motivation to Combine: A POSITA would combine Ivershen with Rajan to achieve the predictable benefits of reduced memory usage and processing overhead by storing only partial packet data instead of full packets. A POSITA would further combine this system with Briggs and Bloch to enhance its security functionality. After using Ivershen’s correlation and Briggs’s analysis to identify a malicious host, it would be a logical and obvious step to implement Bloch’s teaching of automatically generating a firewall rule to mitigate the threat, thereby protecting the network.
    • Expectation of Success: Petitioner contended that a POSITA would have a high expectation of success, as the combination involves applying known security and data management techniques to Ivershen’s network monitoring framework. The proposed modifications were argued to be within the ordinary skill in the art and would yield the predictable result of a more efficient and secure network analysis system.
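The correlation-then-rule-generation chain that Ground 1 describes (an invariant key compared across both sides of a source NAT, partial log entries instead of full packets, a firewall rule for the inside host behind a flow flagged as malicious), as an added illustration that is not code from the petition, the ’176 patent or any cited reference. The invariant fields, the LogEntry layout and the sample addresses are assumptions made for this example.

```python
# Added illustration, not code from the petition or any cited patent. Assumes a
# source NAT: src IP/port are rewritten; proto, dst, IP-ID and payload are not.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class LogEntry:
    """Partial packet record (Rajan-style): only the fields needed to correlate."""
    side: str        # "pre" = inside interface, "post" = outside interface
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ip_id: int       # IP identification field, preserved by a typical source NAT
    payload_sha256: str

def invariant_key(e: LogEntry) -> str:
    """Hash over fields the NAT leaves unchanged (analogue of Ivershen's CHKEY)."""
    material = f"{e.proto}|{e.dst_ip}|{e.dst_port}|{e.ip_id}|{e.payload_sha256}"
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def correlate(entries):
    """Pair pre-NAT and post-NAT entries whose invariant keys match."""
    pre = {invariant_key(e): e for e in entries if e.side == "pre"}
    post = {invariant_key(e): e for e in entries if e.side == "post"}
    return {k: (pre[k], post[k]) for k in pre.keys() & post.keys()}

def rules_for_flagged(pairs, flagged_external):
    """Map a flagged post-NAT (src_ip, src_port) back to the inside host and emit
    a block rule for that host (the Briggs/Bloch step as the petition describes it)."""
    rules = set()
    for pre, post in pairs.values():
        if (post.src_ip, post.src_port) in flagged_external:
            rules.add(f"deny {pre.proto} from {pre.src_ip} to any")
    return sorted(rules)

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: one inside packet seen before and after NAT, one seen only outside.
SAMPLE = [
    LogEntry("pre", "tcp", "10.0.0.5", 40000, "203.0.113.9", 443, 4711, h(b"hello")),
    LogEntry("post", "tcp", "198.51.100.1", 50123, "203.0.113.9", 443, 4711, h(b"hello")),
    LogEntry("post", "tcp", "198.51.100.1", 50124, "203.0.113.9", 443, 4712, h(b"other")),
]
```

Calling rules_for_flagged(correlate(SAMPLE), {("198.51.100.1", 50123)}) maps the flagged external flow back through the matched pair and returns ['deny tcp from 10.0.0.5 to any']; the unpaired outside-only entry produces no rule, since nothing ties it to an inside host.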

Ground 2: Claims 9, 10, 19, 20, 29, and 30 are obvious over Ivershen in view of Rajan, Briggs, Bloch, and Copeland.

  • Prior Art Relied Upon: Ivershen (Patent 8,219,675), Rajan (Patent 8,271,645), Briggs (Application # 2008/0320116), Bloch (Patent 7,849,502), and Copeland (Patent 7,185,368).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground builds upon the four-way combination in Ground 1 and adds Copeland to address limitations in claims 9 and 10 concerning intrusion detection and response. Petitioner argued that Copeland teaches a flow-based intrusion detection system that analyzes network flows to determine if a host is associated with a malicious entity (e.g., a hacker), assigns a "concern index" (CI), and takes action if the CI exceeds a threshold. Specifically, Copeland was cited for its disclosure of generating messages to a firewall manager to drop packets from an offending host (addressing claim 9) and generating alert messages to a system administrator that identify the malicious host (addressing claim 10).
    • Motivation to Combine: Petitioner asserted that a POSITA, having already built the base system from Ground 1, would be motivated to incorporate Copeland’s more sophisticated intrusion detection and response methods. Copeland’s flow-based analysis provides an improved method for identifying malicious activity, even if individual packets do not appear malicious. A POSITA would combine Copeland to enhance the system’s ability to detect threats and to provide specific, automated remedial actions like dropping packets, which provides more robust network protection than just redirection.
    • Expectation of Success: The combination was presented as the integration of a known intrusion detection system (Copeland) with a known network monitoring and rule-generation system (Ivershen/Rajan/Briggs/Bloch). Petitioner argued a POSITA would expect this combination to work predictably, resulting in a system that could not only correlate flows and identify malicious sources but also automatically block threats and alert administrators, a common goal in network security design.

4. Relief Requested

  • Petitioner requested the institution of an inter partes review and the cancellation of claims 1, 4-7, 9-11, 14-17, 19-21, 24-27, and 29-30 of the ’176 patent as unpatentable.