PTAB
IPR2025-00379
IBM Corp v. Croga Innovations Ltd
1. Case Identification
- Case #: IPR2025-00379
- Patent #: 11,178,104
- Filed: January 2, 2025
- Petitioner(s): International Business Machines Corporation
- Patent Owner(s): Croga Innovations Ltd.
- Challenged Claims: 1-3, 8, 10-11, 17-19
2. Patent Overview
- Title: Sandbox Based Network Isolation System
- Brief Description: The ’104 patent discloses a network security system that protects computer assets from malware by implementing a "workspace" in a first memory space and an isolated "sandboxed computing environment" in a second memory space. The patent describes separating these environments with an internal isolation firewall and authenticating the sandboxed environment with a proxy server to access Internet-based cloud services.
3. Grounds for Unpatentability
Ground 1: Obviousness over Hoy and Pratt - Claims 1-3, 8, 10-11, and 17-19 are obvious over Hoy in view of Pratt.
- Prior Art Relied Upon: Hoy (Application # 2013/0318594) and Pratt (Patent 10,798,077).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that Hoy taught a host computer system with all major components of the challenged claims, including a trusted host OS (workspace) and an isolated virtual guest OS (a sandboxed environment) separated by an internal firewall. Hoy’s system used a proxy/web-content filter to access internet services via a VPN tunnel. However, Hoy did not explicitly detail the authentication of the isolated environment. Pratt allegedly supplied this missing element by teaching a system to securely authenticate an isolated operating environment, like Hoy’s guest OS, to a remote service provider.
- Motivation to Combine: A POSITA (person of ordinary skill in the art) would combine Pratt’s explicit authentication process with Hoy’s system to solve a known problem. Hoy’s use of a VPN tunnel implied a need for authentication to establish a connection, a detail Hoy omitted. Pratt provided a known method for authenticating an isolated environment, and a POSITA would have been motivated to incorporate it into Hoy to provide this necessary functionality securely, allowing the guest system to authenticate itself without exposing the trusted host system to malicious code.
- Expectation of Success: A POSITA would have had a high expectation of success, as combining a known authentication module with a networked system to enable secure connections was a predictable and routine integration in the field of network security.
Ground 2: Anticipation by Benoit - Claims 1-3, 8, 10-11, and 17-19 are anticipated by Benoit.
- Prior Art Relied Upon: Benoit (Application # 2015/0096031).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner asserted that Benoit disclosed every limitation of the challenged claims in a single reference. Benoit taught a host computer system with a host operating system that includes both a "typical operating environment" (the workspace) and a "sandbox operating environment" (the isolated, sandboxed computing environment). The two environments used separate memory spaces and were isolated by pre-defined read/write permissions that functioned as an internal isolation firewall. Benoit’s sandbox environment connected to remote cloud resources containing an authentication server (the authentication device) and a proxy server, with communication being allowed after successful authentication.
Ground 3: Obviousness over Benoit and Hunt - Claims 1-3, 8, 10-11, and 17-19 are obvious over Benoit in view of Hunt.
- Prior Art Relied Upon: Benoit (Application # 2015/0096031) and Hunt (Application # 2012/0017213).
- Core Argument for this Ground:
- Prior Art Mapping: While arguing Benoit alone anticipated the claims, Petitioner presented this ground to further strengthen the teachings of an internal firewall and memory segregation. Petitioner argued that Hunt explicitly taught a low-overhead "isolation container" (a sandbox) that runs on a single OS alongside non-isolated applications. Critically, Hunt disclosed an "isolation monitor" that functioned as an internal "application firewall" to segregate the sandbox and its dedicated memory space from the rest of the system.
- Motivation to Combine: A POSITA would combine Hunt's specific, low-overhead sandbox architecture with Benoit's system to achieve known benefits. Hunt described its architecture as reducing computing overhead and resource usage compared to other isolation methods. A POSITA would have been motivated to implement Hunt's efficient "isolation monitor" and memory allocation process within the broader system described by Benoit to create a more robust and efficient security solution, which was a predictable improvement.
- Expectation of Success: The combination involved applying a known, more efficient sandboxing technique (Hunt) to a known system architecture (Benoit), which a POSITA would have expected to function successfully.
- Additional Grounds: Petitioner asserted an additional obviousness challenge based on Hoy and Pratt in view of Krasin (Application # 2015/0278513) to further support the teaching of a sandboxed environment using a host OS. Petitioner also asserted a challenge based on Benoit and Hunt in view of Pratt to ensure the teaching of an explicit authentication process.
4. Key Claim Construction Positions
- "sandboxed computing environment": Petitioner proposed this term should be construed as a "computing environment that does not require its own separate operating system." This construction is based on the patent’s specification and is critical for showing that prior art which uses hypervisors or containers meets this limitation, as opposed to only systems that boot an entirely separate OS.
- "authentication device": Petitioner argued this term should be construed to include, at a minimum, a proxy server that performs the function of authentication. This is based on the patent’s disclosure, where LAN-based and Internet-based web proxy servers are the only structures described as performing this function, allowing prior art proxy servers to meet this claim element.
5. Arguments Regarding Discretionary Denial
- Petitioner argued that discretionary denial under Fintiv would be inappropriate. The petition asserted that the parallel district court litigation is in its earliest stages, with significant milestones like claim construction yet to occur. Petitioner contended the scheduled trial date is likely to slip past the IPR statutory deadline for a Final Written Decision. Crucially, Petitioner offered a Sotera stipulation, agreeing not to pursue in district court any invalidity grounds raised or that reasonably could have been raised in the IPR. Petitioner also argued the petition presented compelling evidence of unpatentability based on prior art (e.g., Pratt, Benoit) that the patent examiner did not consider during prosecution.
6. Relief Requested
- Petitioner requests institution of an inter partes review and cancellation of claims 1-3, 8, 10-11, and 17-19 of the ’104 patent as unpatentable.