PTAB

IPR2019-01328

Fortinet Inc v. British Telecommunications Public Ltd Co

1. Case Identification

2. Patent Overview

  • Title: Agent-Based Intrusion Detection System
  • Brief Description: The ’358 patent discloses a distributed intrusion detection system (IDS) for computer networks that uses co-operative software agents. The agents are organized into distinct groups and use a messaging system with "group specific tags" to prevent agents in one group from understanding communications from another, thereby limiting the spread of a potential attack.

3. Grounds for Unpatentability

Ground 1: Obviousness over EMERALD and IDIP - Claims 1-4, 7-13, 19-20, 24-29, 32-38, 44-45, and 49-50 are obvious over the EMERALD References in view of IDIP.

  • Prior Art Relied Upon: EMERALD97 (a 1997 conference paper by Porras and Neumann), EMERALD-Patent (Patent 6,321,338), EMERALD98 (a 1998 conference paper by Porras and Valdes), and IDIP (a 2000 conference paper by Schnackenberg et al.).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that the combination of EMERALD references taught all elements of the challenged claims except for the specific messaging limitation added during prosecution. The EMERALD references describe a hierarchical, distributed IDS using cooperative software agents called "monitors." These monitors are organized into groups ("domains") where they communicate to provide domain-wide surveillance. Each monitor analyzes network activity by comparing it against locally stored known behavior patterns (statistical profiles and signatures) to detect anomalies. The system uses a subscription-based messaging scheme with authentication to ensure monitors only communicate with other trusted monitors within their group. Petitioner contended that these teachings map directly to the claimed system of inter-communicating agents in a plurality of groups that compare actual behavior patterns against known patterns. For example, the EMERALD references' "domain monitors" aggregate reports from "service monitors" to create "groupwide measures" of agent status, fulfilling a means-plus-function limitation of claim 1.
    • Motivation to Combine (for §103 grounds): Petitioner asserted that the primary patentable distinction argued during prosecution was the use of "group specific tags" to prevent communication between agent groups, thereby hindering the spread of an attack. Petitioner argued a person of ordinary skill in the art (POSITA) would combine the EMERALD system with the teachings of IDIP to implement this exact functionality. IDIP discloses using group-specific multicast keys to secure messages within trusted "neighborhoods" of IDS components, preventing non-members from understanding the communications. A POSITA would have been motivated to apply IDIP’s cryptographic key management to EMERALD's existing subscription-based messaging system to achieve the "essential" security requirements already identified by EMERALD and to gain the well-known benefit of isolating agent groups to reduce the risk of a widespread compromise.
    • Expectation of Success (for §103 grounds): A POSITA would have had a reasonable expectation of success because combining the references was merely the application of a known technique (IDIP's group-specific keys) to a known system ready for improvement (EMERALD's IDS). Success was predictable because EMERALD monitors already used subscription lists and key-based cryptography, and IDIP explicitly stated that EMERALD monitors had already been integrated with its protocol.

4. Key Claim Construction Positions

  • "agent": Petitioner argued that based on its usage in the specification and the relevant art, a POSITA would understand "agent" to mean "a piece of software running on a computer system." This broad construction was presented as consistent with the patent's own references to prior art agent-based systems.
  • "group specific tags": Petitioner contended this term is not well-defined in the intrusion detection field. Based on the intrinsic evidence and prosecution history, where this limitation was added to overcome prior art, Petitioner argued a POSITA would understand it to mean "information exchanged between agents that enables a member of a group of agents to distinguish other group members from non-group members." This construction focuses on the functional goal of preventing inter-group communication, which Petitioner argued is precisely what the IDIP reference teaches.

5. Relief Requested

  • Petitioner requested institution of an inter partes review and cancellation of claims 1-4, 7-13, 19-20, 24-29, 32-38, 44-45, and 49-50 of the ’358 patent as unpatentable under 35 U.S.C. §103.