PTAB

IPR2024-00252

Sophos Inc v. Open Text Inc

1. Case Identification

2. Patent Overview

  • Title: Identifying an Origin of Activity Indicative of Pestware
  • Brief Description: The ’243 patent discloses methods and systems for identifying the source of malicious software ("pestware") on a computer. The technology involves monitoring computer activity, heuristically analyzing that activity to detect pestware, and then accessing historical logs (e.g., event logs, firewall logs) to identify and report an externally networked source of the pestware.

3. Grounds for Unpatentability

Ground 1: Claims 1-14 are obvious over Li in view of Hartrell

  • Prior Art Relied Upon: Li (UCLog: A Unified, Correlated Logging Architecture for Intrusion Detection, 2004) and Hartrell (Patent 8,117,659).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Li disclosed the core method of the ’243 patent, teaching a "unified logging architecture" that monitors and correlates logs from heterogeneous sources (e.g., Kernel API calls, network logs) to trace back and identify the source of a malware intrusion on a single computer. However, Li did not explicitly teach reporting this source information to a centralized, external entity for broader analysis. Petitioner asserted Hartrell supplied this missing element. Hartrell described a malware analysis system that collects "snapshots" of system and network activity from multiple infected computers in a "centralized data store." This centralized store performs a "commonality analysis" to identify a common origin of the malware (e.g., a website visited by all infected machines) and alerts a system operator, effectively functioning as the claimed "externally networked pestware research entity."
    • Motivation to Combine: Petitioner contended that Li and Hartrell are analogous arts in the field of intrusion detection. A person of ordinary skill in the art (POSITA) would combine the teachings to improve upon Li’s single-host system. By incorporating Hartrell’s centralized, multi-computer analysis, a POSITA could aggregate threat data, correlate intrusions across a network, and more accurately identify malicious sources, thereby reducing false positives and creating a more robust, scalable security solution.
    • Expectation of Success: A POSITA would have had a high expectation of success, as the combination involved applying a known network-level analysis technique (Hartrell) to an established host-level detection system (Li), which was a predictable and beneficial improvement.

Ground 2: Claims 1-14 are obvious over Li in view of Yadav

  • Prior Art Relied Upon: Li (UCLog: A Unified, Correlated Logging Architecture for Intrusion Detection, 2004) and Yadav (Patent 7,174,566).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner presented this ground as an alternative to the Hartrell combination. As in Ground 1, Li was asserted to teach the fundamental host-based monitoring and source identification method. Petitioner argued Yadav, like Hartrell, taught the claimed step of reporting intrusion data to an external entity. Yadav disclosed an intrusion detection system where information from multiple monitored computers is sent to a "central security server." This server stores and analyzes information about network sources to scrutinize them more closely and can "report the intrusion to the central security server." Petitioner asserted this central server fulfilled the role of the "externally networked pestware research entity."
    • Motivation to Combine: The motivation was similar to Ground 1. A POSITA would combine Li's detailed host-level logging with Yadav's centralized server architecture to gain the known benefits of aggregating security data. Centralizing logs from multiple sources, as taught by Yadav, would allow for network-wide visibility and more effective correlation of threats identified by Li's method, leading to a more comprehensive security system.
    • Expectation of Success: The combination was argued to be a predictable integration of two known intrusion detection concepts—host-based logging and centralized network analysis—with a clear expectation of yielding a more powerful and accurate system.
  • Additional Grounds: Petitioner asserted additional obviousness challenges for claims 1-14 over Li, Hartrell, and Mandujano (a 2004 Ph.D. thesis) and over Li, Yadav, and Mandujano. In these grounds, Petitioner argued Mandujano provided an alternative, well-understood heuristic method for using weighted factors and thresholds to create a "score-based system" for identifying malware, which could have been readily integrated into the primary combinations.

4. Arguments Regarding Discretionary Denial

  • Petitioner argued that the Board should not exercise discretionary denial under 35 U.S.C. §314(a) based on Fintiv factors. The co-pending district court trial date was set for August 2024, but Petitioner argued it was likely to be delayed, making it probable that a Final Written Decision (FWD) in the IPR would issue first. Petitioner also submitted a stipulation agreeing not to pursue the same invalidity grounds in the district court if the IPR is instituted.
  • Petitioner further argued against denial under §325(d) or General Plastic, noting that none of the cited prior art references were before the examiner during prosecution. Moreover, this petition was a follow-on to a prior petition (IPR2023-00731) that was denied based on an evidentiary issue regarding the public availability of the Li reference, not on the substantive merits of the invalidity arguments. Petitioner contended that denying a petition on non-merits grounds and then denying a refiled petition that cures the deficiency would be improper.

5. Relief Requested

  • Petitioner requested institution of an inter partes review and cancellation of claims 1-14 of Patent 8,201,243 as unpatentable.