PTAB
IPR2025-00276
Normshield Inc v. BitSight Technologies Inc
1. Case Identification
- Case #: IPR2025-00276
- Patent #: 11,777,976
- Filed: December 10, 2024
- Petitioner(s): NORMSHIELD INC. d/b/a BLACK KITE INC.
- Patent Owner(s): BitSight Technologies, Inc.
- Challenged Claims: 1-16
2. Patent Overview
- Title: Determining a Security Rating of an Entity
- Brief Description: The ’976 patent discloses methods and systems for determining an entity’s cybersecurity posture. The technology involves gathering data from both internal and external sources, generating separate internal and external security ratings from this data, and then combining these ratings to create a single composite security rating for the entity.
3. Grounds for Unpatentability
Ground 1: Obviousness over Tippett - Claims 1-2, 4-10, and 12-16 are obvious over Tippett
- Prior Art Relied Upon: Tippett (Application # 2005/0278786).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that Tippett teaches all limitations of the challenged claims. Tippett discloses a method for determining a “security risk index” for an entity, analogous to the claimed “security rating.” This index is a composite score derived from a “local vulnerability factor” and a “general threat factor.” Petitioner contended that Tippett’s “local vulnerability factor,” based on “internal factor component[s]” like “a past history of at least one type of security breach,” maps to the “internal security rating.” Tippett’s transformation of these components via a "weighting operation" meets the limitation of applying a transformation function. The combination of these weighted components forms the final factor. Likewise, Tippett’s “general threat factor,” generated from external sources like “chat rooms or on message boards,” maps to the “external security rating,” which is also normalized and weighted. Tippett explicitly combines these internal and external factors (e.g., LSRI=GTLVGI) to create its composite index, meeting the core combination element of independent claims 1 and 9. Petitioner further mapped dependent claim limitations, arguing that a "security breach" constitutes "malicious activity associated with an IP address" (claim 1[k]), Tippett’s use of weighted components satisfies the "weighted combination" (claim 2), and its disclosure of a "graphical representation" of the risk index serves as the claimed "reporting facility." Summing and normalizing features (claims 5, 7, 8) were also argued to be disclosed or rendered obvious by Tippett’s teachings on using "statistical mathematics" to combine components and normalizing them into a common format.
- Motivation to Combine: As a single-reference ground, the argument focused on obvious modifications. Petitioner argued that using a "plurality" of internal data sources, rather than a single source, would have been an obvious design choice to a person of ordinary skill in the art (POSITA) for improving data redundancy, parallelization, and efficiency, especially since Tippett already discloses using multiple "databases."
- Expectation of Success: A POSITA would have a reasonable expectation of success in implementing Tippett's system with these minor, conventional modifications, as they involved well-understood database management and network security practices.
Ground 2: Obviousness over Tippett and McGovern - Claims 3 and 11 are obvious over Tippett in view of McGovern
- Prior Art Relied Upon: Tippett (Application # 2005/0278786) and McGovern (Application # 2009/0024663).
- Core Argument for this Ground:
- Prior Art Mapping: This ground addresses dependent claims 3 and 11, which recite a specific list of internal data sources. Petitioner asserted that while Tippett teaches using internal data, it does not enumerate all the specific sources required. McGovern, describing a comprehensive "information security assessment," was cited to supply these disclosures. McGovern explicitly teaches collecting information from various "security parameters" that map directly to the claimed data sources. For instance, McGovern's teaching of using "software tools for security scanning and vulnerability removal" provides the claimed "vulnerability scan data." Its discussion of "identity and access management" involving "firewall[s]" and "implementation of access policies" discloses "data indicating firewall rules." McGovern's disclosure of collecting information on "hardware and software configuration" and "network size and scale" maps to "data indicative of computer network configurations." Finally, its teaching on identity management, including "how often a network user is required to change his or her login password," corresponds to "data indicative of user behavior." McGovern specifies that this information is collected from "internal data records maintained by the organization."
- Motivation to Combine: Petitioner argued a POSITA would be motivated to combine McGovern's detailed list of conventional data sources with Tippett's framework to create a more robust and accurate security rating. A POSITA implementing Tippett's system would have sought to improve the accuracy of the "local vulnerability factor" by making it as comprehensive as possible. McGovern provides an explicit roadmap of well-known and commonly collected security parameters for this very purpose. Incorporating these parameters into Tippett's system would be a logical and straightforward way to enhance the quality and reliability of the security assessment.
- Expectation of Success: A POSITA would have a high expectation of success, as combining the references merely involved using the conventional data types described in McGovern as inputs for the established security rating framework of Tippett. Both references are analogous art, and McGovern confirms its "security parameters" can be quantified for an overall risk assessment, making them inherently compatible with Tippett's mathematical approach.
4. Relief Requested
- Petitioner requests the institution of an inter partes review and the cancellation of claims 1-16 of Patent 11,777,976 as unpatentable under 35 U.S.C. §103.