IBM Corp v. Ebates Performance Marketing Inc

1. Case Identification

• Case #: IPR2022-01250
• Patent #: 7,962,960
• Filed: July 13, 2022
• Petitioner(s): International Business Machines Corporation
• Patent Owner(s): Ebates Performance Marketing, Inc. dba Rakuten Rewards
• Challenged Claims: 1-5, 7-23

2. Patent Overview

• Title: Method and System for Analyzing a Network Element
• Brief Description: The ’960 patent discloses a method and system for automating network security analysis. The technology involves scanning network elements to identify vulnerabilities, generating a risk indicator based on assigned values for those vulnerabilities, and adjusting the risk indicator based on exceptions to security rules.

3. Grounds for Unpatentability

Ground 1: Obviousness over Andres and Dodd - Claims 1-4, 7-12, 14-20, and 22-23 are obvious over Andres in view of Dodd.

• Prior Art Relied Upon: Andres (Patent 8,201,257) and Dodd (Application # 2002/0147803).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Andres, a system for managing network security risks, teaches most limitations of the challenged claims. Andres discloses a security risk management system that uses a vulnerability scanner to detect vulnerabilities in network assets, receives values corresponding to these vulnerabilities (e.g., "vulnerability severity values"), and generates a "risk score" for each asset. However, Petitioner contended that Andres does not explicitly teach adjusting a risk score subsequent to its generation based on an exception. Dodd was introduced to supply this missing element. Dodd discloses a security auditing system that calculates a risk value and expressly teaches adjusting this value after calculation based on a "fix difficulty value," which Petitioner equated to an "exception to a security rule."
  • Motivation to Combine: A Person of Ordinary Skill in the Art (POSITA) would combine Andres with Dodd to improve the prioritization of remediation tasks. Andres aims to help administrators remediate security flaws, and Dodd teaches that considering the difficulty of fixing a vulnerability helps prioritize which flaws to address first. A POSITA would have recognized that incorporating Dodd’s risk adjustment method into Andres’s system would allow an administrator to more effectively use limited time and resources by addressing easier-to-fix vulnerabilities first, thereby fulfilling a shared goal of both references.
  • Expectation of Success: A POSITA would have had a reasonable expectation of success because Andres and Dodd disclose similar systems for managing network security risks using equivalent components (e.g., scanners, risk scores based on numeric values). The combination would involve applying known mathematical techniques from Dodd to the risk scores in Andres, a predictable modification to improve a known system.

Ground 2: Obviousness over Andres, Dodd, and Njemanze - Claims 2, 5, 13, and 21 are obvious over the combination of Andres and Dodd in view of Njemanze.

• Prior Art Relied Upon: Andres (Patent 8,201,257), Dodd (Application # 2002/0147803), and Njemanze (Patent 7,788,722).

• Core Argument for this Ground:

  • Prior Art Mapping: This ground built upon the Andres/Dodd combination from Ground 1 and added Njemanze to teach limitations related to specific automated remedial actions and user-privilege-based options. For claim 5 (quarantining or preventing access), Petitioner argued Njemanze teaches a rules engine that can automatically trigger actions to "thwart a suspected attack," such as by "modifying or updating access lists," which a POSITA would understand includes preventing access entirely. For claim 13 (receiving login information and identifying access privileges), Njemanze was cited for disclosing user management consoles that provide a front-end for administration, including creating users, roles, and access privileges.
  • Motivation to Combine: A POSITA would have been motivated to add Njemanze’s rules engine to the Andres/Dodd system to enhance and automate remediation processes. While Andres/Dodd provides for remediation, Njemanze offers a more robust, rule-based system for automatically triggering specific actions (e.g., isolating a device under attack). This addition would further the shared goal of all three references: allowing administrators to manage security risks more effectively. Adding Njemanze’s user management features would also improve the base system by allowing for role-based access and control, a known technique for improving security systems.
  • Expectation of Success: The combination would have been predictable. Integrating a known technique like a rules engine (from Njemanze) into the security risk management framework of Andres/Dodd to trigger automated actions is a straightforward application of known software components to improve a system's functionality.

• Additional Grounds: Petitioner asserted additional obviousness challenges (Grounds III and IV) based on the same Andres/Dodd and Andres/Dodd/Njemanze combinations, arguing these combinations render the claims obvious even under the Patent Owner's claim interpretations from a related litigation.

4. Key Claim Construction Positions

• Petitioner argued for constructions of the means-plus-function limitations in claim 23, identifying specific structures from the ’960 patent’s specification corresponding to the claimed functions.
• "means for adjusting the risk indicator, subsequent to generating the risk indicator, based on exceptions to security rules stored in the system" (claim 23): Petitioner proposed the function is adjusting the risk indicator after it is generated based on stored exceptions. The corresponding structure was identified as the "network monitoring system 150" and its associated generic computing elements, which the specification describes as being able to determine if an exception has been granted and, if so, reduce the associated score. This construction was central to Petitioner's argument that Dodd’s "fix difficulty value" adjustment mechanism was analogous.

5. Arguments Regarding Discretionary Denial

• Petitioner argued that discretionary denial under both 35 U.S.C. §314(a) and §325(d) would be improper.
• §314(a) (Fintiv Factors): Petitioner asserted that this was the first IPR petition filed against the ’960 patent. It also argued that the parallel district court litigation was in a nascent stage, with no substantive rulings on invalidity, thus favoring institution.
• §325(d) (Advanced Bionics Factors): Petitioner contended that none of the asserted prior art references (Andres, Dodd, and Njemanze) were considered during the original prosecution. It further argued that these references teach the very limitation—adjusting a risk score subsequent to its generation—that the applicant added to overcome the examiner's rejections, making the challenge particularly strong.

6. Relief Requested

• Petitioner requested the institution of an inter partes review and the cancellation of claims 1-5 and 7-23 of the ’960 patent as unpatentable under 35 U.S.C. §103.