In re Enhanced Sec. Research, LLC.

• Decision Date: 16 April 2014
• Docket Number: No. 2013–1114.,2013–1114.
• Citation: 739 F.3d 1347
• Parties: In re ENHANCED SECURITY RESEARCH, LLC.
• Court: U.S. Court of Appeals — Federal Circuit

739 F.3d 1347

In re ENHANCED SECURITY RESEARCH, LLC.

No. 2013–1114.

United States Court of Appeals, Federal Circuit.

Jan. 13, 2014.

Rehearing En Banc Denied April 16, 2014.^*

Martin M. Zoltick and R. Danny Huntingtown, Rothwell, Figg, Ernst & Manbeck, P.C., of Washington, DC, argued for appellant. With them on the brief were Nancy J. Linck, Derek F. Dahlgren and Michael V. Battaglia.

Meredith H. Schoenfeld, Associate Solicitor, Office of the Solicitor, United States Patent and Trademark Office, of Alexandria, Virginia, argued for appellee. With her on the brief were Nathan K. Kelley, Deputy Solicitor, and Farheena Y. Rasheed, Associate Solicitor.

Before DYK, O'MALLEY, and TARANTO, Circuit Judges.

Opinion for the court filed by Circuit Judge DYK.

Dissenting opinion filed by Circuit Judge O'MALLEY.

DYK, Circuit Judge.

Enhanced Security Research, LLC (“ESR”) appeals from the decision of the Board of Patent Appeals and Interferences (“Board”), now the Patent Trial and Appeal Board, in an ex parte reexamination of U.S. Patent No. 6,119,236 (“the '236 patent”). The Board affirmed the Patent and Trademark Office (“PTO”) examiner's rejection of claims 1–5 and 7–19 as obvious. We affirm.

Background

The '236 patent, as amended, claims a computer security device and method for preventing unauthorized individuals from gaining access to a local computer network. The patent specification describes an “intelligent network security device” (“INSD”) that is capable of balancing the desire for network security against the need for network accessibility. '236 patent col. 3 l. 47. The INSD protects a local network by: (1) monitoring the data packets flowing into and out of the network in order to detect suspicious patterns of communications; (2) assigning weighted values to any threatening activity it detects; and (3) blocking communications based on their assigned weight using a firewall.

Claim 1 of the amended '236 patent reads:

In a computer system connected to an external communications medium, a security device comprising:

a programmable firewall device interposed between the computer system and the external communications medium;

a controller device configured within the computer system such that said controller device can access all communications into and out of the computer system; and

a communications device for communicating instructions from said controller device to said firewall device for controlling said firewall device; wherein

said controller device is configured to operate generally continuously and repeatedly to:

(i) examine, in essentially real time, communications incoming to the computer system;

(ii) analyze, in essentially real time, communications to detect if the communications contain patterns of activity indicative of an attempted security breach;

(iii) assign a weight to the attempted security breach if an attempted security breach is detected; and

(iv) continuously control the firewall during the operation of the computer system to block communications between the computer system and the external communications medium, based on the weight assigned to the attempted security breach, when an attempted security breach is detected.

JA 9622–23. Thus, claim 1 pertains to a security device that provides protection to a local area network (“LAN”) by monitoring communications, analyzing whether they represent attempted security breaches, assigning weights to any detected breach attempts, and, finally, commanding the firewall to block attempted breaches based on their assigned weight.

Claims 2–5 and 7–11 are dependent on claim 1.¹ Amended claims 8 and 9 relate to the blocking process. Claim 8 states:

the controller controls the firewall to block the communication between the computer system and the external communication medium for a predetermined period according to the weight assigned to the attempted security breach.

Id. claim 8 (emphasis added). Claim 9 presents a slight variation on claim 8: after the controller assigns a weight to the attempted breach, “the controller controls the firewall to block communications between a selected portion of the computer system and the external communications medium according to the weight assigned to the perceived attempted security breach.” Id. claim 9 (emphasis added). Thus, under these dependent claims, the INSD has limited blocking capabilities: the INSD can only command the firewall to undertake a certain, predetermined response.

Next, independent claim 12 covers the method portion of the '236 patent. According to amended claim 12, this method comprises

monitoring, in essentially real time, communications between the local area network and the wide area network;

determining, over time, if the communications between the local area network and the wide area network contain patterns of activity indicative of an attempted security breach;

classifying by assigning a weight to the attempted security breach if an attempted security breach is detected; and

generally simultaneously controlling a firewall to selectively block communications between the local area network and the wide area network depending upon the weighted classification assigned to the attempted security breach.

Id. claim 12. Under some of the dependent claims, the method entails classifying and assigning a weight to an attempted security breach depending on: (1) “the importance of a portion of the local area network which the attempted security breach attempts to access,” id. claim 15 (emphasis added); (2) “the number of attempts made in the course of the attempted security breach,” id. claim 16 (emphasis added); or (3) “ the relative sophistication of the attempted security breach,” id. claim 17 (emphasis added).

A third party requested reexamination of the original patent, and, among other documents, two potential pieces of prior art were before the PTO: the manual of a software product called NetStalker (“NetStalker” or the “Manual”) and a scholarly article authored by G.E. Liepins and H.S. Vaccaro (“Liepins”). Similar to the '236 patent, the NetStalker software protects a LAN from attempted security breaches. The Manual describes how the product functions and teaches the user how to install the software and tailor it to his needs. Through these descriptions, the Manual discloses a dynamic security device that provides protection to a LAN by monitoring the incoming and outgoing communications, identifying attempted security breaches, and then automatically blocking any unauthorized access attempts. As discussed below, ESR contends that the Manual is not prior art.

Liepins is a scholarly article that describes a computer system, called Wisdom and Sense (“W & S”), that is capable of detecting anomalous network activity. Liepins first recognizes that the identification of activity patterns not previously known to be associated with misuse is intrinsically difficult to systematize. Liepins also notes that “just checking” historical data regarding misuse patterns is not sufficient. To solve this problem, Liepins teaches a framework that can detect newly identified anomalous activity by automatically generating, weighing, and applying a “forest” of decision rules. Using stored data to identify patterns associated with unauthorized access, W & S generates rules that are capable of parsing new anomalous activity from acceptable activity.² Through this mechanism, the W & S system protects a LAN without shutting down all network activity. ESR does not dispute the prior art status of Liepins.

During reexamination, the examiner rejected claims 1–19 as obvious in light of various prior art references. The examiner also rejected ESR's arguments that the Manual did not qualify as publically-available prior art. The applicant then amended the '236 patent claims and appealed to the Board. ³ The Board affirmed the rejection of amended claims 1–5 and 7–19.

ESR timely appealed to this court, and we have jurisdiction pursuant to 28 U.S.C. § 1295(a)(4)(A). We review the Board's legal determinations de novo, and its factual findings for substantial evidence. In re Baxter Int'l, Inc., 678 F.3d 1357, 1361 (Fed.Cir.2012).

Discussion

I. Obviousness

A determination of obviousness under 35 U.S.C. § 103 is a question of law based on underlying findings of fact. Graham v. John Deere Co., 383 U.S. 1, 17–18, 86 S.Ct. 684, 15 L.Ed.2d 545 (1966); In re Baxter, 678 F.3d at 1361. The differences between the claimed invention and the prior art as well as what a reference actually teaches are questions of fact. In re Baxter, 678 F.3d at 1361;Rapoport v. Dement, 254 F.3d 1053, 1060–61 (Fed.Cir.2001).

With respect to obviousness, the critical issue is whether the Manual in combination with Liepins teaches a person of ordinary skill in the art how to assess the severity of an attempted security breach and then block that attempted breach based on its severity. (For the purposes of this discussion, we assume that the Manual constitutes valid prior art. This assumption is discussed in Section II.)

As previously described, the amended '236 patent claims a device that examines the data entering and exiting a LAN, assigns weights to any attempted security breaches, and initiates predetermined responses depending on the assigned weights of the attempted breaches. ESR argues that a combination of NetStalker and Liepins does not disclose: (1) assigning a weight to an attempted security breach; or (2) blocking incoming communications based on that assigned weight. The Board found that, in combination, these two pieces of prior art disclosed all of the elements of the '236 patent. Substantial evidence supports this conclusion.

NetStalker teaches: (1) assigning severity levels to network transactions or events based on the number of attempted intrusions; ⁴ (2) automatically blocking the source of communications when those transactions meet user-defined criteria; and (3) varying response type based on the number of breach attempts. More...