Federal Circuit Affirms PTAB Unpatentability Findings Regarding Network Security Patents
11/05/2024
On October 31, 2024, the U.S. Court of Appeals for the Federal Circuit (“CAFC”) issued an opinion affirming the final written decisions of the Patent Trial and Appeal Board (“PTAB”) finding that two of Centripetal Networks, LLC’s (“Centripetal”) patents directed to network security are unpatentable. Centripetal Networks, LLC v. Palo Alto Networks, Inc., Appeal No. 2023-1654, __ F.4th __ (Fed. Cir. Oct. 31, 2024).
In March 2021, Centripetal sued Palo Alto Networks, Inc. (“PAN”), alleging infringement of twelve patents, including U.S. Patent Nos. 10,542,028 and 10,757,126, which share the same specification, and are directed to detecting network threats, such as viruses, malware, distributed denial of service (“DDoS”) attacks, etc., and further to compiling logs of information about the threats. Specifically, the patents disclose the use of a “packet-filtering device” that receives data packets and determines whether each data packet satisfies “criteria specified by a packet-filtering rule,” which criteria may correspond to certain “network-threat indicators,” such as network addresses, ports, domain names, and URLs. When a packet-filtering rule is triggered, further actions follow, such as either allowing or preventing the data packet’s continued progress to its destination. The packet-filtering device has the further capability of generating log entries about the network-threat indicator(s) and the action that was taken.
In July 2021, PAN petitioned for inter partes review (“IPR”) of each patent, arguing that the claims were obvious over a single reference—the “Sourcefire User Guide”—which describes a network security system that allows monitoring for and defending against attacks on a user’s network using a “3D Sensor” with an “Intrusion Prevention System” component. The 3D Sensor uses customizable “intrusion rules” to analyze network traffic (e.g., incoming data packets) and to log “intrusion events” when an intrusion rule is triggered. The criteria for the intrusion rules correspond to information about the data packet’s source and destination (e.g., IP addresses or ports) and may also correspond to information about the data packet’s contents. The system classifies a data packet as a network threat if it matches an intrusion rule. If it matches, the intrusion rule then dictates whether an intrusion event should be generated or whether the data packet should be ignored.
In February 2023, the PTAB found each patent unpatentable as obvious over the Sourcefire User Guide.
Centripetal argued to the CAFC that the PTAB incorrectly (1) construed a limitation—i.e., the “responsive to” limitation—that dictated certain further actions (i.e., the “applying” and “communicating” steps) and (2) found that Sourcefire taught the “responsive to” limitation.
With respect to claim construction, in its institution decision, the PTAB considered—but did not expressly adopt—Centripetal’s proposed construction, which was that “the ‘responsive to’ language requires the applying and communicating steps to ‘be performed in reaction to a packet satisfying a packet-filtering rule based on network-threat indicators . . .’”; and that “this language ‘establishes a clear cause-and-effect relationship between (i) a packet satisfying a packet-filtering rule . . . and (ii) the subsequent application of an operator that allows the packet and communication of data indicating the packet was allowed.’” In doing so, the CAFC stated: “[t]o the extent interpretation of this term is necessary, we consider the meaning of the claim language in the context of determining whether the prior art teaches or suggests the limitations at issue.”
On appeal, with respect to the claim construction issue, Centripetal argued that the Board (1) impermissibly declined to construe the “responsive to” limitation and (2) ignored the phrase “based on one or more network-threat indicators” in the “responsive to” limitation. With respect to the latter, Centripetal’s contention was that this limitation requires that the “applying” and “communicating” steps be triggered by a determination that a packet-filtering rule is satisfied based on network-threat indicators and no other criteria—in other words, on network-threat indicators alone.
The CAFC rejected Centripetal’s arguments, finding that the PTAB did, in fact, construe the “responsive to” limitation in its analysis of the Sourcefire User Guide: “[T]he Board’s discussion of Sourcefire establishes an interpretation—one elaborating on (and not inconsistent with) the ‘in reaction to’ and ‘cause-and-effect’ language the Board earlier quoted from Centripetal without disapproval—namely, that being ‘responsive to’ a source indicating a network threat includes deciding on an action to take based on that source information in combination with other possible criteria.” The CAFC further explained that, “if an action is taken in reaction to the satisfaction of a rule with two criteria, then the action is taken ‘based on’ each of the two criteria,” and noted that the claim language did not include limiting language such as “based only on one or more network-threat indicators” that would indicate that additional conditions cannot be considered. The CAFC concluded that “the Board correctly understood the ‘responsive to’ limitation to be met when the ‘applying’ and ‘communicating’ steps are triggered by a determination that a packet satisfies a packet-filtering rule based on one or more network-threat indicators and additional criteria.”
With respect to Sourcefire’s teaching of the “responsive to” limitation, the PTAB considered expert testimony and found that when both a rule header (such as an IP address) and any other optional criteria in Sourcefire’s rule options are satisfied, Sourcefire teaches that an intrusion rule is triggered, and therefore that Sourcefire teaches the “responsive to” limitation.
On appeal, with respect to this issue, Centripetal argued that Sourcefire does not disclose the “responsive to” limitation because the IP addresses in the rule header are only used to determine whether to further evaluate a data packet’s contents against the keywords specified in those intrusion rules by the rule options. Centripetal argued that actions are not performed on data packets in reaction to detecting any particular IP address. In other words, Centripetal argued that a data packet can match the IP addresses in a rule header and still not trigger a rule or generate an intrusion event because a data packet’s contents might not match all of the specified keywords and arguments.
The CAFC rejected those arguments, finding that they essentially depended on Centripetal’s rejected claim construction position—i.e., that action must be triggered by particular IP addresses alone, without consideration of other criteria.
(Note that the CAFC issued, concurrently with the opinion that is the subject of this digest, a second opinion affirming the PTAB’s unpatentability findings with respect to a third Centripetal patent.)