PTAB

IPR2023-01466

CrowdStrike Inc v. Taasera Licensing LLC


1. Case Identification

2. Patent Overview

  • Title: System and Method for Dynamic Operational Integrity Attestation
  • Brief Description: The ’616 patent discloses systems and methods for providing runtime attestation of application security and user reputation in computer networks. The system uses an endpoint trust agent on a monitored device, a central trust orchestration server, and various collaboration services to monitor endpoint events, receive third-party assessments, and generate an integrity profile for the system.

3. Grounds for Unpatentability

Ground 1: Claims 1-6 are obvious over Mukherjee in view of Miliefsky.

  • Prior Art Relied Upon: Mukherjee (a 1994 IEEE Network paper titled “Network Intrusion Detection”) and Miliefsky (Application # 2007/0192867).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Mukherjee’s Distributed Intrusion Detection and Alerting System (DIDS) discloses the core architecture of claim 1. Specifically, Mukherjee’s “host monitor” corresponds to the claimed “endpoint trust agent,” its “LAN monitor” serves as the “network trust agent,” and its central “DIDS director” functions as the “trust orchestration server.” This system monitors runtime events on host devices and analyzes them centrally to assess system security. Petitioner contended that while Mukherjee provides this framework, Miliefsky supplies the missing element of receiving "third party network endpoint assessments." Miliefsky teaches a security system that scans for known vulnerabilities (CVEs) using third-party data and integrates this assessment information with an IDS, such as Mukherjee’s DIDS, to improve threat detection. The combination, therefore, was asserted to teach every limitation of independent claim 1. Dependent claims 2-6 were argued to be obvious as they recite additional conventional features taught by the combination, such as receiving assessments from an "endpoint assessment service" (disclosed by Miliefsky’s use of external vulnerability reporting services).
    • Motivation to Combine: A POSITA would combine Mukherjee and Miliefsky because both address computer security by detecting and mitigating vulnerabilities. Petitioner asserted that Mukherjee explicitly anticipates its DIDS will be used with a "growing set of tools," including incident-handling and network-management tools. Miliefsky provides precisely such a tool, disclosing an architecture designed to be integrated with an IDS to improve its performance by sharing vulnerability data, thereby reducing false positives and traffic load. This synergy provides a clear motivation to combine the systems to create a more robust and efficient security platform.
    • Expectation of Success: Petitioner argued a POSITA would have a high expectation of success because both references describe modular systems intended for integration. Since Miliefsky specifically discloses plugging its vulnerability assessment capabilities into an IDS like Mukherjee’s, the combination was presented as a straightforward application of known security principles.

Ground 2: Claim 7 is obvious over Mukherjee in view of Miliefsky and Guo.

  • Prior Art Relied Upon: Mukherjee (a 1994 IEEE Network paper), Miliefsky (Application # 2007/0192867), and Guo (Patent 8,104,089).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground builds on the Mukherjee and Miliefsky combination and adds Guo to address the additional limitations of claim 7. Claim 7 depends on claim 1 and further requires performing, by a "malware analyzer," the detection of code obfuscation and evasion techniques such as "multiple packing, antidebug, anti-trace, anti-memory, and anti-emulation." Petitioner argued that Guo teaches these specific limitations. Guo discloses a memory-based method for analyzing packed application executables in real-time. It works by monitoring memory events as the executable unpacks itself, allowing an anti-virus scanner to analyze the unpacked, de-obfuscated code before execution. Petitioner asserted this automated, real-time analysis of packed code for malicious content directly corresponds to the malware analyzer and evasion technique detection recited in claim 7.
    • Motivation to Combine: A POSITA would be motivated to integrate Guo’s teachings into the Mukherjee/Miliefsky system to address a known weakness in conventional security systems. Petitioner contended that the IDS and vulnerability scanners of Mukherjee and Miliefsky could be evaded by malware that uses packing or other obfuscation techniques. Guo provides an improved and more efficient solution to this specific problem. Therefore, a POSITA would logically incorporate Guo’s advanced malware analysis into the broader security framework of Mukherjee and Miliefsky to enhance its ability to detect sophisticated, evasive threats.
    • Expectation of Success: Petitioner argued that since Mukherjee and Miliefsky provide an open platform designed for integrating additional security tools, adding a specialized scanner like Guo's would be a predictable improvement with a high expectation of success.

4. Arguments Regarding Discretionary Denial

  • Petitioner argued against discretionary denial under §314(a) and §325(d).
  • Fintiv Factors: Petitioner asserted that no operative trial date exists in the parallel district court litigation. The case is part of a Multidistrict Litigation (MDL) proceeding that must be remanded to its originating court before a trial can be scheduled, creating significant uncertainty that weighs against denial. Petitioner also stipulated that, if instituted, it would not pursue any invalidity ground in district court that utilizes Mukherjee, Miliefsky, or Guo.
  • §325(d) Factors: Petitioner argued that denial is not warranted because the primary references (Mukherjee, Miliefsky, and Guo) were not cited or considered during the original prosecution of the ’616 patent. Further, these references were argued to be materially different from the art previously considered by the examiner because they disclose claim limitations the examiner had previously found to be absent from the prior art of record.

5. Relief Requested

  • Petitioner requested institution of an inter partes review and cancellation of claims 1-7 of the ’616 patent as unpatentable under 35 U.S.C. §103.