PTAB
IPR2023-00656
IriusRisk Inc v. ThreatModeler Software Inc
Petition
1. Case Identification
- Case #: IPR2023-00656
- Patent #: 10,713,366
- Filed: March 7, 2023
- Petitioner(s): IriusRisk, Inc.
- Patent Owner(s): ThreatModeler Software Inc.
- Challenged Claims: 1-20
2. Patent Overview
- Title: Systems and Methods For Automated Threat Model Generation From Third Party Diagram Files
- Brief Description: The ’366 patent describes a computer-implemented method and system for generating threat models by importing diagrams from a third-party software application (e.g., Microsoft Visio). The system uses mapping files to correlate components from the imported diagram with pre-defined threat model components and associated threats stored in a database, then generates and displays a threat model and corresponding reports.
3. Grounds for Unpatentability
Ground 1: Anticipation over Keenan - Claims 1-20 are anticipated by Keenan under 35 U.S.C. §102.
- Prior Art Relied Upon: Keenan (Patent 11,200,228).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that Keenan discloses every element of the challenged claims. Keenan’s Integrated Object Environment (IOE) is a threat modeling system that runs on a graph database and stores threat model components (“objects”/“assets”) and associated threats (“risks”/“threat vectors”). The system explicitly teaches importing diagrams from Microsoft Visio, a third-party application. Petitioner asserted that Keenan’s preset “map” that “maps Visio shapes and formats to IOE shapes and formats” is the claimed mapping file. Keenan also discloses generating and displaying relational diagrams and exportable reports, thereby teaching the core limitations of independent claims 1, 8, and 16 and their dependents.
- Key Aspects: The core of the argument rested on Keenan’s express disclosure of importing Visio files and using a “map” to integrate them into its threat modeling environment, which Petitioner contended was the key feature that led to the allowance of the ’366 patent.
Ground 2: Obviousness over Zheng, Baker, and Jones - Claims 1-4, 7-11, and 15-18 are obvious over Zheng in view of Baker and Jones under 35 U.S.C. §103.
- Prior Art Relied Upon: Zheng (Patent 10,503,907), Baker (Application # 2014/0236665), and Jones (Patent 9,602,529).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner asserted that Zheng provided a base system for threat modeling that uses databases and mapping techniques to visualize threats on a graphical map of a software architecture. However, Zheng did not explicitly teach importing diagrams from a third-party application. Baker was argued to supply this missing element, as it expressly discloses a risk management system that can import flowcharts from third-party software like Microsoft Visio. Jones was argued to teach the generation of detailed threat reports from a threat analysis, fulfilling the reporting limitations of the claims.
- Motivation to Combine: Petitioner argued a person of ordinary skill in the art (POSITA) would combine these references to improve the efficiency of Zheng’s system, a goal stated within Zheng itself. Integrating Baker’s teaching would allow users to leverage existing diagrams created in a well-known tool like Visio, saving significant time and effort. Adding the reporting functionality of Jones would be a logical next step to provide users with a clear, digestible output of the threat analysis, a common feature in such systems.
- Expectation of Success: The combination involved integrating known, compatible software concepts (importing diagrams, generating reports) into a threat modeling framework. Petitioner argued this would be a straightforward task for a POSITA with a predictable and successful outcome.
Additional Grounds: Petitioner asserted additional obviousness challenges based on the combination of Zheng, Baker, and Jones, in further view of Galliano (for disclosing alternative storage of mapping files in memory or a database), Keenan (for teaching specific naming conventions for third-party components), and the general knowledge of a POSITA (for implementing mere design choices).
4. Key Claim Construction Positions
- “Third-Party Software Application”: Petitioner relied on the definition provided by the Patent Owner during prosecution to overcome an indefiniteness rejection. The term was defined to mean “independently-created software applications not created with a common schema, such that a mapping file or the like as claimed in the claims would be useful to map between elements of the two software applications.” This construction was critical to Petitioner's argument that applications like Microsoft Visio, disclosed in the prior art, meet this limitation.
- “Third Party Diagram Components” vs. “Visual Representations of the Threat Model Components”: Petitioner noted that during prosecution, these were established as distinct elements. “Third party diagram components” originate from the independent software (e.g., Visio shapes), while “visual representations of the threat model components” are elements of the native software, stored in its database. This distinction, which was key to allowance, was used by Petitioner to map different aspects of the prior art to the claims.
5. Arguments Regarding Discretionary Denial
- Petitioner argued that discretionary denial under §314(a) based on the Fintiv factors would be inappropriate. The parallel district court litigation was in a very early stage, with no Markman hearing or trial date set. Petitioner stated its intent to seek a stay of the litigation if the IPR is instituted and stipulated that it would not pursue the same invalidity grounds in the litigation. Furthermore, Petitioner emphasized that the prior art relied upon in the petition was never considered by the examiner during prosecution, presenting compelling unpatentability challenges that warrant institution.
6. Relief Requested
- Petitioner requested the institution of an inter partes review and the cancellation of claims 1-20 of the ’366 patent as unpatentable.