PTAB

IPR2026-00027

Fortinet Inc v. Netskope Inc

Log In
Key Events
Petition
petition

1. Case Identification

2. Patent Overview

  • Title: Detecting Abnormal System States in Computers
  • Brief Description: The ’936 patent discloses a method for detecting computer anomalies by receiving system "snapshots" from a population of computers. The method involves automatically generating an "adaptive reference model" by identifying patterns among the snapshots to define a normal state and then comparing a computer's current snapshot to this model to detect abnormalities.

3. Grounds for Unpatentability

Ground 1: Claims 1, 7-12, 17-19, 21-22 are anticipated or rendered obvious by Honig

  • Prior Art Relied Upon: Honig (Patent 7,225,343).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Honig’s intrusion detection system met all limitations of claim 1. Honig's "sensors" gather diverse data from multiple host machines, which constitutes "receiving snapshots from a plurality of computers." Honig's "detection model generator" automatically creates "detection models" (the "adaptive reference model") from the aggregated data using algorithms for "unsupervised anomaly detection," which inherently identifies patterns to define normal states. Honig's "detectors" then compare new sensor data against the generated model to find intrusions, mapping to the claimed comparison step. For dependent claims, Petitioner asserted Honig's collection of data from the registry, performance counters, and event logs either discloses or makes obvious the specific data types in claim 7. Petitioner further mapped the model layers of claims 9-11 to Honig’s exemplary detection models: the "value layer" (claim 9) was mapped to Honig’s "probabilistic model" which computes a probability for each data record to determine if it is anomalous; the "cluster layer" and "profile layer" (claims 10-11) were mapped to Honig’s "decision tree" model, which tracks relationships between data assets via its branches to identify anomalies.

Ground 2: Claims 2-6, 13-16, 20 are obvious over Honig in view of Oliphant

  • Prior Art Relied Upon: Honig (Patent 7,225,343), Oliphant (Application # 2005/0005171).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner contended that while Honig provides the core anomaly detection system that generates an "alert," Oliphant supplies the automated remediation functionality recited in the dependent claims. The combined system would use Honig's alert to query Oliphant’s "vulnerability and remediation database" (the "recognition filter") to diagnose a "trouble condition." Upon diagnosis, the system would trigger an "automated response" taught by Oliphant, such as "installation of a patch" or "removing services," which Petitioner argued maps to the "generic response" of claims 3 and 4.
    • Motivation to Combine: A POSITA would combine the references to create a more effective and complete security system. Honig’s system only detects threats and issues an alert, leaving the response to a manual actor. A POSITA would have found it an obvious and predictable improvement to integrate the automated remediation capabilities of a known system like Oliphant to respond to these alerts automatically, thereby preventing further damage and propagation of malware.
    • Expectation of Success: A POSITA would have had a reasonable expectation of success because both references operate in the real-time network security field. The alerts generated by Honig contain specific information, such as a matched attack signature, which could be used as a direct input to search Oliphant's remediation database and select the appropriate automated response.

Ground 3: Claims 1, 7-12, 17-19, 21-22 are obvious over Vinberg

  • Prior Art Relied Upon: Vinberg (Patent 6,327,550).

  • Core Argument for this Ground:

    • Prior Art Mapping: Petitioner argued that Vinberg’s system for monitoring computer states teaches the claimed invention. Vinberg's agents collect "state vectors" ("snapshots") from a plurality of computers. During a "learning phase," system managers analyze this data with pattern recognition techniques to establish "common modes" of operation, which Petitioner asserted is the claimed "adaptive reference model" indicative of normal states. During the "monitoring phase," Vinberg compares new state vectors to the common modes and "raises an alarm" if a vector falls outside a known mode, mapping to the comparison step of claim 1. Petitioner further argued that Vinberg’s disclosure of tracking "strongly correlated" metrics and "combinations of metrics" to find "unprecedented" combinations of values teaches the cluster and profile layers of claims 10 and 11. Vinberg’s system is also adaptive, as it "continuously updates its degree of learning" by adding new states to the common modes, thus augmenting the rule set as recited in claim 8.

  • Additional Grounds: Petitioner asserted an additional obviousness challenge against claims 2-6, 13-16, and 20 over Vinberg in view of Oliphant, relying on a similar theory of adding Oliphant's automated remediation capabilities to Vinberg's detection and alarm system.

4. Key Claim Construction Positions

  • Petitioner addressed the claim term "snapshot," noting that the Patent Owner appeared to interpret it broadly as any collection of "OS metadata" in related litigation. Petitioner argued for a more detailed construction consistent with the specification’s explicit list of system files, registry entries, and performance counters. However, Petitioner contended that the Board need not resolve the dispute for purposes of institution, as the cited prior art invalidates the challenged claims under either construction.

5. Relief Requested

  • Petitioner requests the institution of an inter partes review and the cancellation of claims 1-22 of the ’936 patent as unpatentable.