PTAB

IPR2018-01760

Cisco Systems Inc v. Centripetal Networks Inc

Petition

1. Case Identification

2. Patent Overview

  • Title: Rule-Based Network-Threat Detection
  • Brief Description: The ’722 patent describes a packet-filtering system that inspects network traffic according to a set of rules. The system logs filtering activity, displays the results in a user interface, and allows a user to modify a rule's operator through the interface (e.g., changing from "allow" to "block") to alter the handling of subsequent packets.

3. Grounds for Unpatentability

Ground 1: Obviousness over Sourcefire - Claims 1-25 are obvious over Sourcefire in view of the knowledge of a POSA.

  • Prior Art Relied Upon: Sourcefire (Sourcefire 3D System User Guide Version 4.10).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that the Sourcefire 3D System, a well-known commercial intrusion prevention system (IPS), disclosed every limitation of the challenged claims. The Sourcefire system's "3D Sensors" function as the claimed packet-filtering device, receiving rules from a central "Defense Center." These sensors inspected network packets against intrusion rules, which contained criteria corresponding to network-threat indicators (e.g., 5-tuple data, URI content). Independent claim 1 recites a method where a first packet matching a rule is allowed to pass, its disposition is displayed to a user, the user then modifies the rule via an interface to block traffic, and a subsequent second packet matching the rule is blocked. Petitioner asserted Sourcefire performed this exact method.
    • Sourcefire rules could be set with an alert (pass) or drop (block) operator. When a packet triggered an alert rule, Sourcefire generated an intrusion event but allowed the packet to continue. This event data, including the rule triggered and packet information, was communicated for display in a user interface. The interface's event log showed an "Inline Result" icon (a blank or gray arrow) indicating the packet was allowed, satisfying the patent's requirement for displaying data on packet disposition.
    • The Sourcefire UI further provided an expandable "Rule Actions" menu for any given event. Through this menu, a user could issue an instruction to modify the operator of the triggered rule, such as selecting the option to "Set this rule to drop the triggering packet." This action reconfigured the rule on the 3D Sensor. When a subsequent packet matching the same criteria arrived, the newly modified drop operator was applied, and the packet was blocked from reaching its destination. The "Inline Result" icon for this new event would be a black arrow, indicating the packet was dropped. Petitioner contended this functionality directly maps to the core method of the challenged claims.
    • Motivation to Combine (for §103 grounds): The challenge was based on a single reference in view of the general knowledge of a Person of Ordinary Skill in the Art (POSA). Petitioner argued no combination was necessary because Sourcefire, a system publicly available years before the patent's priority date, already integrated all the claimed features. A POSA would have understood that the described functionalities—rule-based filtering, event logging, and UI-based rule modification—were standard and conventional elements of network security systems at the time.
    • Expectation of Success (for §103 grounds): A POSA would have had a very high expectation of success, as the argument was not based on a hypothetical combination but on the documented, existing functionality of a widely used commercial product. The features were designed to work together within the Sourcefire system.
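
The alert-to-drop sequence described in the Prior Art Mapping bullets above, modeled as an added Python example. It is not Sourcefire code or rule syntax and is not part of the petition; the `Rule` and `Sensor` classes, their field names, and the sample packets are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    rule_id: int
    operator: str                       # "alert" = log and pass, "drop" = log and block
    proto: Optional[str] = None         # None acts as a wildcard
    dst_port: Optional[int] = None
    uri_content: Optional[str] = None   # substring looked for in the request URI

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dst_port is None or pkt["dst_port"] == self.dst_port)
                and (self.uri_content is None or self.uri_content in pkt.get("uri", "")))

@dataclass
class Sensor:
    rules: dict = field(default_factory=dict)    # rule_id -> Rule
    events: list = field(default_factory=list)   # event log shown to the user

    def inspect(self, pkt: dict) -> bool:
        """Return True if the packet is forwarded, False if it is blocked."""
        for rule in self.rules.values():
            if rule.matches(pkt):
                dropped = rule.operator == "drop"
                self.events.append({"rule_id": rule.rule_id, "src": pkt["src"],
                                    "dst": pkt["dst"],
                                    "inline_result": "dropped" if dropped else "allowed"})
                if dropped:
                    return False
        return True

    def set_rule_to_drop(self, event: dict) -> None:
        """UI action taken from a logged event: switch the triggering rule to drop."""
        self.rules[event["rule_id"]].operator = "drop"

def demo():
    sensor = Sensor()
    sensor.rules[1001] = Rule(1001, "alert", proto="tcp", dst_port=80, uri_content="/admin.php")
    # Constructed sample packet (documentation address ranges).
    pkt = {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp",
           "dst_port": 80, "uri": "/admin.php?id=1"}
    first = sensor.inspect(pkt)                           # alert rule: logged, passed
    sensor.set_rule_to_drop(sensor.events[-1])            # user changes the operator
    second = sensor.inspect(dict(pkt, src="198.51.100.8"))  # same criteria: blocked
    benign = sensor.inspect(dict(pkt, uri="/index.html"))   # no match: passed, no event
    return first, second, benign, [e["inline_result"] for e in sensor.events]

if __name__ == "__main__":
    print(demo())
```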

4. Relief Requested

  • Petitioner requests institution of IPR and cancellation of claims 1-25 as unpatentable.