PTAB

IPR2018-01654

Cisco Systems Inc v. Centripetal Networks Inc


1. Case Identification

2. Patent Overview

  • Title: System and Method for Correlating Packets in Communications Networks
  • Brief Description: The ’176 patent discloses a computing system that correlates network data packets that have been altered by an intermediate network device, such as one performing Network Address Translation (NAT). The system generates log entries for packets received and transmitted by the network device, correlates them, and generates rules to identify and filter future packets based on the correlation.

3. Grounds for Unpatentability

Ground 1: Obviousness over Ivershen, Rajan, Briggs, and Bloch - Claims 1, 4-7, 11, 14-17, 21, and 24-27 are obvious over Ivershen in view of Rajan, Briggs, and Bloch.

  • Prior Art Relied Upon: Ivershen (Patent 8,219,675), Rajan (Patent 8,271,645), Briggs (Application # 2008/0320116), and Bloch (Patent 7,849,502).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that the primary reference, Ivershen, teaches the core concept of the challenged claims: a network monitoring system that captures and correlates IP packet flows across a NAT firewall. Ivershen’s system captures packets on both sides of the firewall and uses invariant data (like a checksum key) to correlate the pre-NAT and post-NAT flows. Petitioner contended that while Ivershen discloses storing captured data packets, Rajan teaches the claimed concept of generating "log entries" by storing only portions of the packets in data structures. This modification addresses the logging limitations of independent claim 1. To meet the rule-generation limitations, Petitioner asserted that Briggs teaches analyzing network traffic to identify malicious packets (e.g., spam) and using mapping information to trace them to a specific device behind a NAT firewall. Briggs and Bloch both teach taking a mitigation step by generating and sending updated rules to a firewall to block or redirect traffic from the identified malicious host.
    • Motivation to Combine: A POSITA would combine Ivershen with Rajan to achieve the well-known benefits of reducing memory usage and processing overhead by logging only essential packet portions rather than entire packets. A POSITA would then be motivated to improve the security of Ivershen's monitoring system by incorporating the teachings of Briggs and Bloch. After using Ivershen’s correlation to identify a malicious host, it would have been a logical and necessary next step to implement a mitigation procedure, such as generating a rule to block or redirect the malicious traffic, to protect the network.
    • Expectation of Success: Petitioner asserted that combining these known network monitoring and security techniques would have been a straightforward application of common elements to yield the predictable result of a more efficient and secure network monitoring system.
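
The pipeline described under Ground 1 (capture on both sides of a NAT device, reduced log entries, correlation on invariant data, then a blocking rule for the identified internal host) can be illustrated in Python. This is an added example, not code from the ’176 patent, the petition, or any cited reference; the key construction, the time window, the rule format, and every packet and address below are assumptions constructed for the illustration.

```python
import hashlib
from collections import namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport proto payload")
LogEntry = namedtuple("LogEntry", "ts src sport dst dport proto key")  # no payload kept

def log_entry(pkt):
    """Reduce a packet to header fields plus a digest of what source NAT leaves unchanged."""
    invariant = f"{pkt.dst}|{pkt.dport}|{pkt.proto}|".encode() + pkt.payload
    digest = hashlib.sha256(invariant).hexdigest()[:16]  # assumed key; not any reference's scheme
    return LogEntry(pkt.ts, pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto, digest)

def correlate(inside, outside, window=0.05):
    """Pair each post-NAT entry with the closest earlier pre-NAT entry sharing its key."""
    by_key = {}
    for e in inside:
        by_key.setdefault(e.key, []).append(e)
    pairs = []
    for out in outside:
        near = [e for e in by_key.get(out.key, []) if 0 <= out.ts - e.ts <= window]
        if near:
            pre = min(near, key=lambda e: out.ts - e.ts)
            by_key[out.key].remove(pre)  # a pre-NAT entry is matched at most once
            pairs.append((pre, out))
    return pairs

def rules_for(pairs, flagged_dsts):
    """One drop rule per internal host whose translated flow reached a flagged destination."""
    hosts = sorted({pre.src for pre, out in pairs if out.dst in flagged_dsts})
    return [{"action": "drop", "src": h} for h in hosts]

# Constructed capture: two internal hosts behind one public address (documentation ranges).
INSIDE = [log_entry(p) for p in (
    Packet(1.000, "10.0.0.5", 40001, "198.51.100.7", 443, "tcp", b"beacon-1"),
    Packet(1.002, "10.0.0.9", 40001, "192.0.2.80", 80, "tcp", b"GET /"),
    Packet(1.500, "10.0.0.5", 40002, "192.0.2.80", 80, "tcp", b"GET /"),
)]
OUTSIDE = [log_entry(p) for p in (
    Packet(1.001, "203.0.113.1", 61000, "198.51.100.7", 443, "tcp", b"beacon-1"),
    Packet(1.003, "203.0.113.1", 61001, "192.0.2.80", 80, "tcp", b"GET /"),
    Packet(1.501, "203.0.113.1", 61002, "192.0.2.80", 80, "tcp", b"GET /"),
)]
PAIRS = correlate(INSIDE, OUTSIDE)
RULES = rules_for(PAIRS, flagged_dsts={"198.51.100.7"})
```

The two `GET /` flows share one key because their invariant fields are identical, so the time window is what attributes each translated flow to the correct internal host.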

Ground 2: Obviousness over Ivershen, Rajan, Briggs, Bloch, and Copeland - Claims 9, 10, 19, 20, 29, and 30 are obvious over Ivershen in view of Rajan, Briggs, Bloch, and Copeland.

  • Prior Art Relied Upon: Ivershen (Patent 8,219,675), Rajan (Patent 8,271,645), Briggs (Application # 2008/0320116), Bloch (Patent 7,849,502), and Copeland (Patent 7,185,368).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground builds upon the combination asserted in Ground 1, adding Copeland to address limitations in claims requiring a determination that a host is "associated with a malicious entity" and subsequent actions like generating alerts or dropping packets. Petitioner argued that Copeland teaches a flow-based intrusion detection system that analyzes flow statistics (not just packet content) to identify hosts engaged in suspicious intrusion activity, such as an external hacker controlling an internal host. Copeland explicitly teaches analyzing flows to identify hosts associated with a "hacker/cracker/misuser" (a malicious entity) and, upon detection, generating messages to a firewall to drop packets from the offending host or sending alert notifications to a system administrator. This supplies the teachings for the specific limitations of claims 9 and 10.
    • Motivation to Combine: A POSITA would be motivated to add Copeland’s teachings to the base combination from Ground 1 to provide more robust security. Ivershen’s system provides detailed end-to-end analysis, and Copeland teaches that such analysis can be used to identify potential intrusion activity. This combination would improve the system by enabling the detection of suspicious traffic patterns that might not be identified as simple malware or spam, thereby providing additional protection against more sophisticated attacks, like an external hacker controlling an internal server to exfiltrate data. Once an intrusion is detected via Copeland’s methods, taking remedial action like dropping packets or alerting an administrator would be an obvious and necessary step.
    • Expectation of Success: Petitioner argued that integrating Copeland’s flow-based intrusion detection logic into the Ivershen-based monitoring system would be a predictable enhancement for a POSITA seeking to improve network security.

4. Relief Requested

  • Petitioner requests the institution of an inter partes review and the cancellation of claims 1, 4-7, 9-11, 14-17, 19-21, 24-27, and 29-30 of the ’176 patent as unpatentable.