IPR2026-00031
Fortinet Inc v. Netskope Inc
1. Case Identification
- Case #: IPR2026-00031
- Patent #: 8,635,697
- Filed: October 8, 2025
- Petitioner(s): Fortinet, Inc.
- Patent Owner(s): Netskope, Inc.
- Challenged Claims: 1-25
2. Patent Overview
- Title: Network Based Malware Detection
- Brief Description: The ’697 patent discloses methods and systems for network-based malware detection within a service provider network. The core inventive concept involves identifying the specific operating system (OS) of a computing device behind a Network Address Translation (NAT) device when malware is detected in its traffic, allowing for more targeted remediation.
3. Grounds for Unpatentability
Ground 1: Claims 1-25 are obvious over Deridder, Tuvell, and Lee
Prior Art Relied Upon: Deridder (Application # 2010/0161795), Tuvell (Application # 2008/0086773), and Lee (KR100765340B1).
Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that the combination of these references taught every limitation of the challenged claims. Deridder was asserted to provide the foundational system—a network device in a service provider network that uses OS fingerprinting on TCP SYN packets to distinguish between users connected behind a single NAT device. Crucially, Deridder explicitly suggested that its OS fingerprinting technique would be useful for services including "malware detection."
To implement the malware detection functionality suggested by Deridder, a person of ordinary skill in the art (POSITA) would have looked to references like Tuvell and Lee. Tuvell disclosed a malware detection system that used a network analyzer and malware scanner to intercept traffic, identify malware by comparing signatures against data packets, and correlate malware data with device-specific information, including the device’s OS. This combination supplied the elements of determining malware presence by signature comparison (claim 1[c]) and generating an alert (claim 1[d]).
Lee disclosed a network firewall that intercepts traffic, checks for malware, and logs the client's OS as part of the process. Petitioner argued that Lee taught a second, complementary method of identifying the OS by extracting it from the HTTP User-Agent field. This was presented as an obvious addition to Deridder's TCP-based fingerprinting, providing a cross-check for accuracy and fulfilling limitations in dependent claims that require determining a "first OS ID" (from Deridder) and a "second OS ID" (from Lee). Tuvell's system then provided the framework for generating an alert containing the network address, malware ID, and the OS ID identified by the combined Deridder/Lee techniques.
- Motivation to Combine: The petition asserted multiple motivations for the combination. The primary motivation stemmed from Deridder's own disclosure, which explicitly stated that its OS fingerprinting system for NAT environments would be useful for "malware detection." This created a clear reason for a POSITA to combine Deridder's system with a known malware detection system like that taught by Tuvell.
Furthermore, a POSITA would combine the teachings of Tuvell and Lee because Tuvell, while teaching the correlation of malware with an OS, relied on receiving OS information from the end device. A POSITA would be motivated to improve this system by using Lee's technique of extracting the OS directly from network traffic (the User-Agent field) to reduce network overhead and client dependency. Combining all three references was argued to be a predictable integration of known technologies to create a more robust system, using both TCP fingerprinting (Deridder) and User-Agent inspection (Lee) to reliably identify the OS of an infected machine behind a NAT for targeted malware remediation as contemplated by Tuvell.
- Expectation of Success: Petitioner argued a POSITA would have a high expectation of success. The systems in Deridder and Tuvell were designed to operate on network components within a service provider network (a NAT device and a GGSN, respectively), both of which function as gateways that inspect all passing traffic. Integrating Tuvell's malware scanning logic into Deridder's traffic inspection device was presented as a straightforward application of known network security principles.
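An added illustration of the combined pipeline described in the Prior Art Mapping above (not code from the petition, the '697 patent, or the cited references): a first OS ID from the TCP SYN, a second OS ID from the HTTP User-Agent, a signature match on the payload, and an alert carrying the network address, malware ID and OS IDs. The TTL heuristic, the User-Agent patterns, the signature string and all names are assumptions, and the flows are constructed sample data.

```python
import re
from dataclasses import dataclass

# Illustrative tables (assumptions for this example, not taken from the cited references).
INITIAL_TTL_OS = {64: "linux/unix", 128: "windows"}  # common default initial TTLs
UA_OS_PATTERNS = [(re.compile(r"Windows NT"), "windows"),
                  (re.compile(r"Android|Linux|Mac OS X"), "linux/unix")]
SIGNATURES = {"MAL-TEST-0001": b"CONSTRUCTED-TEST-SIGNATURE"}  # placeholder, not a real IoC

@dataclass(frozen=True)
class Flow:            # one HTTP flow seen on the provider side of the NAT
    src_ip: str        # public address of the NAT device
    syn_ttl: int       # TTL observed on the flow's TCP SYN
    user_agent: str    # client-controlled header, so it can be spoofed
    payload: bytes

def os_from_syn(ttl):
    """First OS ID: round the observed TTL up to the nearest common initial TTL."""
    for initial in sorted(INITIAL_TTL_OS):
        if ttl <= initial:
            return INITIAL_TTL_OS[initial]
    return "unknown"

def os_from_user_agent(ua):
    """Second OS ID: OS token extracted from the HTTP User-Agent field."""
    for pattern, os_id in UA_OS_PATTERNS:
        if pattern.search(ua):
            return os_id
    return "unknown"

def inspect(flow):
    """Return an alert dict if any signature occurs in the payload, else None."""
    for malware_id, sig in SIGNATURES.items():
        if sig in flow.payload:
            first, second = os_from_syn(flow.syn_ttl), os_from_user_agent(flow.user_agent)
            return {"network_address": flow.src_ip, "malware_id": malware_id,
                    "first_os_id": first, "second_os_id": second,
                    "os_ids_agree": first == second and first != "unknown"}
    return None

# Constructed sample: three flows sharing one NAT address (documentation range).
FLOWS = [
    Flow("203.0.113.7", 127, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", b"GET /a\r\n\r\nCONSTRUCTED-TEST-SIGNATURE"),
    Flow("203.0.113.7", 63, "Mozilla/5.0 (X11; Linux x86_64)", b"GET /index.html\r\n\r\nhello"),
    Flow("203.0.113.7", 63, "Mozilla/5.0 (Windows NT 10.0)", b"POST /b\r\n\r\nCONSTRUCTED-TEST-SIGNATURE"),
]

def alerts(flows=FLOWS):
    return [a for a in map(inspect, flows) if a]
```

The third flow shows why the cross-check matters: the two OS IDs disagree, so the alert is marked as lower confidence instead of naming a single OS for remediation.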
4. Relief Requested
- Petitioner requests institution of an inter partes review and cancellation of claims 1-25 of Patent 8,635,697 as unpatentable.