Ex Parte 6304975 et al

Board of Patent Appeals and Interferences

Aug 30, 2012

95000489 (B.P.A.I. Aug. 30, 2012)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov
APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO.
95/000,489 07/20/2009 6304975 159291-0011(975) 8274
6449 7590 08/31/2012
ROTHWELL, FIGG, ERNST & MANBECK, P.C.
607 14th Street, N.W.
SUITE 800
WASHINGTON, DC 20005
EXAMINER
STEELMAN, MARY J
ART UNIT PAPER NUMBER
3992
MAIL DATE DELIVERY MODE
08/31/2012 PAPER
Please find below and/or attached an Office communication concerning this application or proceeding.
The time period for reply, if any, is set in the attached communication.
PTOL-90A (Rev. 04/07)
UNITED STATES PATENT AND TRADEMARK OFFICE
____________

BEFORE THE BOARD OF PATENT APPEALS
AND INTERFERENCES
____________

JUNIPER NETWORKS, INC.
Respondent
v.

ENHANCED SECURITY RESEARCH, L.L.C.
Patent Owner, Appellant
________

Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1
Technology Center 3900
____________

Before KARL D. EASTHOM, STEPHEN C. SIU, and THOMAS L.
GIANNETTI, Administrative Patent Judges.

SIU, Administrative Patent Judge.

DECISION ON APPEAL
Patent Owner (Appellant) appeals under 35 U.S.C. §§ 134(b) and 306
from a Right of Appeal Notice rejecting claims 1-13. We have jurisdiction
under 35 U.S.C. §§ 134(b) and 315.
An Oral hearing was conducted on August 8, 2012.

STATEMENT OF THE CASE
This proceeding arose from a third party request for inter partes
reexamination (filed July 20, 2009) by Juniper Networks, Inc. of United
States Patent 6,304,975 B1 (the ‘975 patent), titled “Intelligent Network
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

2
Security Device and Method” and issued to Peter M. Shipley on October 16,
2001.1
The ‘975 patent describes recognizing attempts at breaching network
security (col. 3, ll. 21-22). Claim 1 on appeal reads as follows:
1. A computer program product which includes codes on a
compute readable medium, comprising:
code for monitoring communications between a local area network
and a wide area network;
code for determining, over time, if the communications between the
local area network and the wide area network contain patterns of activity
indicative of an attempted security breach; and
code for generally simultaneously controlling a firewall to selectively
block communications between the local area network and the wide area
network depending upon a classification of the attempted security breach.

(App. Br. Claims Appendix).

The Examiner cites the following prior art references:
Hershey US 5,414,833 May 9, 1995

Haystack Labs, Inc., “NetStalker, Installation and User’s Guide, Version
1.0.2,” (Date disputed) (hereinafter, “NetStalker”).
Dorothy E. Denning, “An Intrusion-Detection Model,” SRI International,
IEEE, (1986), (“Denning”).
Stephen E. Smaha, “Haystack: An Intrusion Detection System,” Tracor
Applied Sciences, Inc., IEEE (1988), (hereinafter, “Smaha”).
G.E. Liepins and H.S. Vaccaro, “Anomaly Detection: Purpose and
Framework,” 1989 (hereinafter, “Liepins”).

1 Third Party Requester, Juniper Networks, Inc., states that “it will not
participate further in this inter partes reexamination” (Third Party
Requester’s Notice of Non-Participation,” filed June 8, 2012).
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

3
Steven R. Snapp, et al., “DIDS (Distributed Intrusion Detection System) –
Motivation, Architecture, and an Early Prototype,” Proceedings of the 14th
National Computer Security Conference, October 1991, (hereinafter,
“Snapp”).
Rens Troost, Active Defense, excerpts, January 20, 1994 (hereinafter,
“Troost”).
Gary W. Hoglund and Eduardo M. Valcarce, “The ‘ESSENSE’ of Intrusion
Detection: A Knowledge-Based Approach to Security Monitoring and
Control,” June 1994 (hereinafter, “Hoglund”).
Biswanath Mukherjee, L. Todd Heberlein, and Karl N. Levitt, “Network
Intrusion Detection,” IEEE (1994) (hereinafter, “Mukherjee”).
Karl N. Levitt and Steven Cheung, “Common Techniques in Fault-Tolerance
and Security,” (Reportedly, 1994) (hereinafter, “Levitt”).
Bob Baldwin, Ben Dubin, and Richard Mahn, “Gabriel – Network Probe
Detector for SATAN,” Sun Release 4.1, Los Altos Technologies, Inc.,
March 30, 1995 (hereinafter, “Gabriel”).
R. Baldwin, et al., Source code for Gabriel 1.0, Los Altos Technologies,
Inc., 1995 (hereinafter, “Gabriel Code”).
Bob Sutterfield, “GreatCircle Firewall Mailing List: Morning Star SATAN
Advisory,” (April 4, 1995) (hereinafter, “Morning Star Ad”).
Doug Karl, “GreatCircle KarlNet 3.0 Announcement,” GreatCircle List
Excerpts, April 5, 1995 (hereinafter, “KarlNet 3.0”).
“GreatCircle List,” Excerpts, April 13-16 1995, “GreatCircle SATAN Logs
Thread”) (hereinafter, “SATAN”).
Mark Crosbie and Gene Spafford, “Defending a Computer System using
Autonomous Agents,” June 9, 1995 (hereinafter, “Crosbie”).
Morning Star Technologies, “SecureConnect Dynamic Firewall Filter User
Guide Version 1.4,” (June 14, 1995) (hereinafter, “Morning Star”).
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

4
Brian J. Murrell, “GreatCircle Firewall Mailing List, Selected Postings RE:
‘Sending replies to blocked packets.’” (July 8, 1995) (hereinafter,
“Murrell”).
D. Brent Chapman and Elizabeth D. Zwicky, “Building Internet Firewalls,”
O’Reilly & Associates, Inc., September 1995 (hereinafter, “Chapman”).
Darren Bolding, “Network Security, Filters and Firewalls,” (Reportedly,
September 1995) (hereinafter, “Bolding”).
Business Wire, “Improved Internet Monitoring, Intrusion Detection and
Application-Level Monitoring Added to AXENT’s OmniGuard Intruder
Alert,” (November 25, 1995) (hereinafter, “Intruder Alert”).
“Configuration Guide for PortMaster Products,” Livingston Enterprises,
Inc., (December 1995), (hereinafter, “Livingston”).
KarlBridge & KarlBrouter Installation & Configuration Software Version
2.0 (1991-1995) (hereinafter, “KarlNet 2.0”).

Eric Hall, “Sneak Previews – Seattle Software’s Firewall Keeps Watch,”
September 24, 1996 (hereinafter, “Hall”).
“NetRanger User’s Guide,” WheelGroup Corporation, (Reportedly,
November 1996), (“NetRanger”).
Eric Young, “RealSecureTM Release 1.0 for Windows NTTM 4.0,” Internet
Security Systems, Inc., (1996) (hereinafter, “RealSecure”).
Joseph D. Barrus, “Intrusion Detection in Real Time in a Multi-Node, Multi-
Host Environment,” Naval Postgraduate School, (September 1997)
(hereinafter, “Barrus”).
RealSecure Sales FAQ, “Frequently-Asked Questions about RealSecure,”
(October 21, 1997) (hereinafter, “RealSecure FAQ”).
Phillip A. Porras and Peter G. Neumann, “EMERALD: Event-Monitoring
Enabling Responses to Anomalous Live Disturbances,” Computer Science
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

5
Laboratory, SRI International (Reportedly, Oct. 1997) (hereinafter,
“Porras”).
Phillip A. Porras and Alfonso Valdes, “Live Traffic Analysis of TCP/IP
Gateways,” (November 10, 1997) (hereinafter, “Valdes”).
Terry Escamilla, “Intrusion Detection: network Security Beyond the
Firewall,” Wiley Computer Publishing, (1998) (hereinafter, “Escamilla”).
The Examiner rejects the claims as follows:
1) Claims 1-13 under 35 U.S.C. §§ 102(a) and 102(b) as
anticipated by NetRanger or under 35 U.S.C. § 103(a) as unpatentable over
Escamilla or the combination of RealSecure and RealSecure FAQ;
2) Claims 1-12 under 35 U.S.C. §§ 102(a) and 102(b) as
anticipated by RealSecure;
3) Claims 1-7 and 9-12 under 35 U.S.C. §§ 102(a) and 102(b) as
anticipated by Valdez;
4) Claims 1-7, 9, 10, and 12 under 35 U.S.C. §§ 102(a) and 102(b)
as anticipated by Barrus or under 35 U.S.C. § 103(a) as unpatentable over
Barrus and Porras;
5) Claims 1-10, 12, and 13 under 35 U.S.C. § 102(a) as anticipated
by Escamilla.
The Examiner also rejects the claims as follows:
6) Claims 1-12 under 35 U.S.C. § 102(b) as anticipated by
NetStalker or under 35 U.S.C. § 103(a) as unpatentable over Netstalker and
Liepins; claim 13 under 35 U.S.C. § 103(a) as unpatentable over NetStalker
and Hall; claims 11 and 13 under 35 U.S.C. § 103(a) as unpatentable over
Netstalker and Hershey; claims 2, 3, 6, and 9 under 35 U.S.C. § 103(a) as
unpatentable over NetStalker and Mukhjeree.
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

6
The Examiner also rejects the claims as follows:
7) Claims 1-11 under 35 U.S.C. §§ 102(a) and 102(b) as
anticipated by Morning Star or under 35 U.S.C. § 103(a) as unpatentable
over Morning Star and one of Morning Star Ad, Hoglund, Crosbie,
Chapman, or Bolding;
8) Claims 1-8 under 35 U.S.C. §§ 102(a) and 102(b) as anticipated
by Chapman; claims 9-13 under 35 U.S.C. § 103(a) as unpatentable over
Chapman; and claims 1-13 under 35 U.S.C. § 103(a) as unpatentable over
Chapman, Morning Star Ad, and KarlNet 3.0;
9) Claims 1-7, 10, and 12 under 35 U.S.C. §§ 102(a) and 102(b) as
anticipated by Intruder Alert;
10) Claims 1-6 and 10-12 under 35 U.S.C. § 103(a) as unpatentable
over Gabriel and claims 1-13 under 35 U.S.C. § 103(a) as unpatentable over
Gabriel and any one of Chapman; Livingston; the combination of
Livingston, Morning Star Ad, KarlNet 3.0 and SATAN; or the combination
of Livingston and Levitt;
11) Claim 1-8 and 10 under 35 U.S.C. §§ 102(a) and 102(b) as
anticipated by KarlNet 2.0 and claims 1-13 under 35 U.S.C. § 103(a) as
unpatentable over KarlNet2.0 and Karlnet 3.0;
12) Claims 1-12 under 35 U.S.C. §§ 102(a) and 102(b) as
anticipated by Snapp or under 35 U.S.C. § 103(a) as unpatentable over
Snapp and claims 1-13 under 35 U.S.C. § 103(a) as unpatentable over Snapp
and Murrell;
13) Claims 1-6 and 10 under 35 U.S.C. § 103(a) as unpatentable
over Denning or the combination of Denning and Troost;
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

7
14) Claims 1-6, 9, and 10 under 35 U.S.C. §§ 102(a) and 102(b) as
anticipated by Smaha or under 35 U.S.C. § 103(a) as unpatentable over
Smaha or the combination of Smaha and Troost.

ISSUE
Did the Examiner err in rejecting claims 1-13?

PRINCIPLES OF LAW

In rejecting claims under 35 U.S.C. § 102, “[a] single prior art
reference that discloses, either expressly or inherently, each limitation of a
claim invalidates that claim by anticipation.” Perricone v. Medicis Pharm.
Corp., 432 F.3d 1368, 1375 (Fed. Cir. 2005) (citation omitted).
The question of obviousness is resolved on the basis of underlying
factual determinations including (1) the scope and content of the prior art,
(2) any differences between the claimed subject matter and the prior art, and
(3) the level of skill in the art. Graham v. John Deere Co. of Kansas, 383
U.S. 1, 17-18 (1966).
“The combination of familiar elements according to known methods
is likely to be obvious when it does no more than yield predictable results.”
KSR Int’l Co. v. Teleflex, Inc., 550 U.S. 398, 416 (2007).

Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

8
ANALYSIS

Priority date of the ‘975 patent
The ‘975 patent is a continuation of U.S. Patent No. 6,119,236 (filed
December 10, 1998), which is a continuation-in-part of U.S. Serial No.
08/726,563 (the ‘563 application), filed October 7, 1996. Respondent argues
that the ‘975 patent is not entitled to the October 7, 1996 priority date (filing
date of the ‘563 application). We disagree.

“Over time”
Respondent argues that the ‘975 patent defines the term “over time” to
mean “over a time period which includes the examination of a series of more
than one packet, whereby patterns of activity can be detected” (col. 9, ll. 36-
38) and that the ‘563 application “say[s] nothing about ‘the examination of a
series of more than one packet’ as required by the later special definition”
(Respondent Br. 5).
Claim 1 recites code for determining, over time, if the
communications between a local area network and a wide area network
contain patterns of activity. The ‘563 application discloses that a “look for
known patterns operation 36” (p. 12, ll. 11-12) that requires retention of
“data for a limited amount of time, as it is patterns of activity over time . . .
that is being examined” (p. 12, ll. 15-18). Hence, the ‘563 application
discloses determining patterns of activity “over time,” which appears to be
precisely what is claimed in the ‘975 patent.
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

9
Contrary to Respondent’s assertions, the ‘563 application appears to
disclose “more than one packet.” For example, the ‘563 application
discloses one embodiment in which a “large number of . . . attempts [to
access a port] would leave little doubt of a methodical attempt at intrusion”
(p. 13, ll. 18-20), another embodiment examining “a quantity of ‘responses’
from machines on the internet 16” (p. 13, l. 22-23), an embodiment in which
a “multitude of responses . . . forthcoming [through] the internet 16 to the
LAN12” (p. 14, ll. 1-3). One of skill in the art, given the disclosure of the
‘563 application that discloses a “large number,” “a quantity of,” or a
“multitude of responses,” would have understood that “more than one
packet” would have been examined since such a “large number” of
responses would have included more than one packet “over time.”
Hence, even assuming Respondent’s assertion to be correct that the
term “over time” must include “more than one packet,” Respondent has not
sufficiently demonstrated that the ‘563 application fails to provide support
for the term “over time.”

“Controlling a firewall”
Claim 1 recites code for controlling a firewall to block
communications. The ‘563 application discloses sending “a control signal to
the firewall” (p. 16, ll. 22-23), the control signal to “direct the firewall . . . .
to take . . . action” (p. 16, ll. 24-25). An example of an action to take,
according to the ‘563 application, is “to block all access to the LAN12 from
a sender which has been detected as attempting the security breach” (p. 17,
ll. 3-5). Hence, the ‘563 application discloses directing (or “controlling”) a
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

10
firewall to block communications.2 It appears that the ‘563 Specification
supports the feature of “controlling a firewall” as recited in claim 1 of the
‘975 patent.
Respondent argues that the ‘975 patent discloses that “controlling a
firewall” includes “‘sending instructions to the firewall to direct it to reject
packets which would not otherwise be rejected . . .’” (Respondent Br. 5-6)
and argues that the ‘563 application lacks a “reference to instructions to
reject packets – or to rejecting packets at all” (Respondent Br. 6). However,
Respondent has not sufficiently demonstrated that the ‘563 application in
fact lacks such a disclosure, particularly in view of the ‘563 application’s
disclosure of controlling a firewall to block communications (thereby
rejecting packets), as described above.

“Generally simultaneously”
Respondent argues that the ‘563 application “does not support the
‘generally simultaneously’ limitation” (Respondent Br. 6). Claim 1 recites
code for generally simultaneously controlling a firewall to block
communications. Respondent has not indicated that the ‘975 patent assigns
a specialized meaning to the term “generally simultaneously.” We note that
both the ‘563 application and the ‘975 patent disclose that a “look for known
code” operation 34 and a “look for known patterns” operation 36 are
performed “generally simultaneously” (‘563 application: p. 12, ll. 8-11 and
‘975 patent: col. 6, ll. 8-12) and that controlling the firewall occurs

2 Each of these disclosures is also present in the ‘975 patent (see, col. 7,
ll.57-59 and col. 8, ll. 9-11).
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

11
“following the assign weight to breach operation” (‘563 application: p. 16,
ll. 20-23 and ‘975 patent: col. 7, ll. 55-58), which, in turn “follows” the look
for known code and look for known patterns operations (see, e.g., ‘563
application: p. 14, ll. 18-21 and ‘975 patent: col. 7, ll. 5-7).
Since it appears that the ‘975 patent and the ‘563 application utilize
the term “generally simultaneously” in an identical manner and since
Respondent has not indicated that the ‘975 patent redefines the term
“generally simultaneously,” we agree with Appellant that the ‘563
application provides support for the term “generally simultaneously” as
recited in claim 1 of the ‘975 patent to include performance of one operation
“following” the performance of another operation.
The question of whether the scope of the term “generally
simultaneously” as recited in the ‘975 patent includes operating in “real
time” and with “no operator [intervention]” (Respondent Br. 6) will be
addressed below.

“Computer program product”
Claim 1 recites a computer program product. Respondent argues that
“[t]he ‘computer program product’ limitation from claim 1 of the ‘975 patent
is . . . not found in the ‘563 application” (Respondent Br. 6). However, the
‘563 application discloses computers or computer networks and running
programs for network security on the computers throughout the specification
(see, e.g., p. 1, ll. 4, 18-20; p. 2, ll. 1, 14,19-21; p. 6, ll. 16-17, 20-22; p. 7, ll.
6-10; p. 8, ll. 5-6; p. 9, ll. 9-13; p. 10, ll. 13-14; etc.). Hence, the ‘563
application discloses computers on which programs are run. Respondent has
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

12
not adequately demonstrated how this differs from a “computer program
product.”

References dated after October 7, 1996
As above, Respondent has not adequately demonstrated that the
claims of the ‘975 patent are not entitled to the priority date of October 7,
1996. Appellant states (App. Br. 4), and Respondent does not dispute, that
the following non-patent references are dated after October 7, 1996:
1) NetRanger
2) RealSecure
3) RealSecure FAQ
4) Valdez
5) Barrus
6) Porras
7) Escamilla

Hence, the above listed references do not qualify as prior art and the
Examiner erred in rejecting claims of the ‘975 patent over these references.

NetStalker
Missing pages
Appellant argues that Netstalker “should not be considered as prior art
because it is missing material that likely would be highly relevant to the
relied-upon disclosure” (App. Br. 11). We disagree with Appellant.
Appellant has not indicated any reason why missing material “would be
highly relevant” in this case. The disclosure of NetStalker in those portions
that are present serve to disclose that portion of NetStalker that presumably
is relevant to the patentability of the ‘975 patent. Indeed, Appellant has not
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

13
indicated that the portions of NetStalker provided are in any way irrelevant
to the patentability of the ‘975 patent. Nor has Appellant provided any
arguments that refute the Examiner’s findings that the provided portions of
NetStalker disclose the claimed invention of the ‘975 patent. If the provided
portions of NetStalker disclose, for example, each feature recited in claim 1
(which the Examiner finds and Appellant does not appear to refute), then
NetStalker would anticipate claim 1, regardless of what might be further
disclosed in other portions of NetStalker that were not provided.
Appellant cites the Manual for Patent Examiner Procedure (MPEP §
2218) and Federal Rules of Evidence, Rule 106 (App. Br. 12-13) but neither
MPEP § 2218 nor Rule 106 applies to the present situation. As Appellant
points out, MPEP § 2218 merely states that references should be legible.
Appellant does not argue that any of the provided portions of NetStalker are
illegible. Rule 106 permits, after submission of portions of evidence by a
party, the introduction of additional portions of the evidence by an adverse
party. Even assuming that the Federal Rules of Evidence apply to Inter
Partes Reexamination matters at the U.S. Patent & Trademark Office, Rule
106 does not pertain to the present fact pattern since Appellant has not
indicated that Appellant was denied entry of additional pages of the
NetStalker reference.
We therefore find unpersuasive Appellant’s argument regarding
whether every page of the NetStalker reference was provided or not and its
bearing on whether NetStalker qualifies as prior art.

Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

14
Public accessibility
Appellant also argues that the NetStalker reference was not
“accessible to the public prior to October 7, 1996” (App. Br. 13). However,
we note that the NetStalker reference was copyrighted 1996 and has a
publication date of May 1996 indicated on the cover. (In re Ronald A. Katz
Tech. Licensing, L.P., 2011 WL 1676313 at *6 (BPAI May 2, 2011)
(informative) (holding that a document constituted a printed publication with
indicia of copyright date and notices).
Appellant argues that NetStalker was not publicly available in May
1996 (as indicated on the cover of the NetStalker reference) because the
version of NetStalker provided is “a draft rather than [a] final version” as
evidenced by a notation (i.e., “6-1-??, 6-5”) in the index concerning certain
specified page numbers. Appellant construes the clerical errors in the index
of the NetStalker reference (with question marks inserted) as indicating that
the NetStalker reference “was a work-in-progress” (App. Br. 13). However,
Respondent provides a Declaration of the Chief Executive Officer and
chairman of the board of Haystack Labs, Inc. (Stephen Smaha) that avers
that the NetStalker reference provided “was available in May 1996” and was
available to “[m]embers of the public showing an interest in buying or
licensing the NetStalker product” by “requesting [a copy of the manual]”
(Declaration of Stephen Smaha, dated February 24, 2010, ¶ 5). Appellant
has not provided evidence refuting Mr. Smaha’s sworn testimony.
We also disagree with Appellant that a clerical error or a missing page
reference in the index of a document (even if replaced by question marks)
indicates that the reference was not publicly available since Appellant has
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

15
not demonstrated a meaningful relationship between such misprints and
whether a document is publicly accessible or not.
Appellant argues that even if the NetStalker reference were available
to members of the public, Respondent has not demonstrated that the
NetStalker reference was also publicly accessible to members of the public
(see, e.g., App. Br. 14). To be considered a printed publication, the
reference “must have been sufficiently accessible to the public interested in
the art; dissemination and public accessibility are the keys to the legal
determination whether a prior art reference was ‘published.’” Constant v.
Advanced Micro-Devices, Inc., 848 F.2d 1560, 1568 (Fed. Cir). “‘[P]ublic
accessibility’ has been called the touchstone in determining whether a
reference constitutes a ‘printed publication’ bar . . .” In re Hall, 781 F.2d
897, 899 (Fed. Cir. 1986).
In the present case, Respondent has provided testimony from the
Chief Executive Officer (Stephen Smaha) of the company that developed
NetStalker (Haystack, Inc.) that the NetStalker reference “was available in
May 1996” and that “[m]embers of the public . . . could have obtained a
copy of the manual by . . . requesting one” (Declaration of Stephen Smaha,
dated February 24, 2010, ¶ 5). Mr. Smaha also testified that “NetStalker
was advertised no later than 1995 . . . and [advertisements] were directed at
members of the networking community” (Declaration of Stephen Smaha,
dated February 24, 2010, ¶ 6). In addition, Respondent has provided
evidence corroborating the existence of such advertisements. For example,
Respondent cites PR Newswire, Minneapolis, MN (Sep. 1995) “Network
Systems and Haystack Labs Introduce NetStalker to Track Hacker
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

16
Attempts” Accession No. 00531881 (3 pgs.) (Respondent Br., App’x D,
U.S. Patent No. 6,298,445 B1, “Other Publications” – hereinafter, “PR
Newswire”). PR Newswire (dated September 1995) provides a description
of the NetStalker system, pricing information (e.g., “starts at under $5000”),
and contact information for providing “more information.” The contact
information provided in PR Newswire includes names, telephone numbers,
and e-mail addresses of contacts and website information for potential
customers.
Members of the relevant public would have been apprised of the
NetStalker system as early as September 1995 at least by viewing
advertisements, such as PR Newswire, according to Mr. Stephen Smaha’s
testimony. The members of the public, having been informed of the
NetStalker system as early as September 1995, would also have been invited
to contact specifically named individuals at Haystack, Inc. (developer of the
NetStalker system) as indicated in PR Newswire for more information. As
early as May 1996 (publication date of the NetStalker reference), such
members of the public would have received the NetStalker reference upon
request, according to Mr. Stephen Smaha’s testimony.
Just as the “indexing, cataloging, and shelving” of a document in a
library is “persuasive evidence that the [reference] was accessible” (In re
Hall, 781, F.2d 897, 899 (Fed. Cir. 1986), the NetStalker reference in the
present case would also have been “accessible” since the advertisement, at
least, would have amply informed the interested public of the accessibility of
the NetStalker reference by exercising reasonable diligence (i.e., upon
request). Based on the record, we disagree with Appellant’s assertion that
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

17
such notification of the relevant public (via advertisements) of the
NetStalker product and provision of the NetStalker reference to anyone who
then requested the reference does not constitute sufficient accessibility to
those interested individuals exercising reasonable diligence.
Appellant argues that Respondent has failed to identify “a single
customer to which [the NetStalker reference] was distributed by May 1996
(or even later)” (App. Br. 14). We disagree with Appellant’s theory of the
requirement for the identification of a specific customer in possession of the
NetStalker reference before the reference can be deemed a publicly
accessible publication. Rather, a printed document may qualify as a publicly
accessible publication “so long as accessibility is sufficient ‘to raise a
presumption that the public concerned with the art would know of (the
invention).’” (In re Bayer, 568 F.2d 1357, 1361 (CCPA 1978)) or so long as
the reference was “made available to the extent that persons interested and
ordinarily skilled in the subject matter or art, exercising reasonable
diligence, can locate it and recognize and comprehend therefrom the
essentials of the claimed invention without the need of further research or
experimentation (In re Wyer, 655 F.2d 221, 223 (CCPA 1981) (citation
omitted).

Prior invention
Appellant submits the Declaration of Peter M. Shipley Under 37
C.F.R. § 1.131 (Shipley Dec) and the Statement of F. Eric Saunders in
Support of 37 C.F.R. § 1.131 Declaration (Saunders Dec) in order to
establish an earlier date of prior invention (App. Br. 15).
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

18
Mr. Shipley provides general allegations of various activity conducted
prior to November 6, 1995 (Shipley Dec, ¶ 3). Mr. Shipley also asserts that
prior to November 6, 1995 “the system was operational and met all of the
limitations of claims 1 – 13 of the ‘975 patent” (Shipley Dec, ¶ 3(m)).
Although not entirely clear, Mr. Shipley appears to argue actual reduction to
practice of the claimed invention “prior to November 6, 1995.” However,
such assertions merely constitute a declaration by the inventor to the effect
that his invention was conceived or reduced to practice prior to the date of
the reference. Absent is a statement of facts demonstrating the correctness
of the inventor’s conclusion. Such general allegations, without more, are not
sufficient to establish earlier invention since general assertions “amount []
essentially to mere pleading, unsupported by proof or a showing of facts”.
Ex parte Saunders, 1883 C.D. 23 (Comm’r Pat. 1883); In re Borkowski, 505
F.2d 713 (CCPA 1974).
Alternatively, Appellant argues conception of the claimed invention
prior to the date of the NetStalker reference and diligence from before the
date of the NetStalker reference to Appellant’s constructive reduction to
practice (October 7, 1996). With regard to showing reasonable attorney
diligence, F. Eric Saunders states the following timetable:
1) February 28, 1996: First meeting with Mr. Shipley
to discuss the claimed invention (Saunders Dec, ¶ 2);
2) April 1, 1996: conducted patentability search
(Saunders Dec, ¶ 4);
3) April 19, 1996: analyzed results of patentability
search conducted on April 1, 1996 (Saunders Dec, ¶ 4);
4) May 4, 1996: conducted second patentability
search (Saunders Dec, ¶ 4);
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

19
5) May 6, 1996: reported results of second
patentability search (Saunders Dec, ¶ 4);
6) June – July 1996: “had several discussions . . .
[with] Mr. Shipley” (Saunders Dec, ¶ 5);
7) July – August 1996: “worked diligently and
continuously on the draft patent application” (Saunders Dec, ¶
6); and
8) September 4, 1996: “I sent . . . a draft of the patent
application [to Mr. Shipley]” (Saunders Dec, ¶ 7).
9) “Late September or early October 1996”: Met with
inventor for dinner (Saunders Dec, ¶ 7).
10) October 7, 1996: “I submitted the final draft . . .
for review” (Saunders Dec, ¶ 8).

The general evidence of attorney diligence in preparation and filing of
the present patent application between May and September 1996 is the
statement by Mr. Saunders that he “had several discussions . . . [with] Mr.
Shipley” (Saunders Dec, ¶ 5) and “worked diligently and continuously on
the draft patent application” (Saunders Dec, ¶ 6).3 However, Appellant and
Mr. Saunders only provide details of specific activities on May 4, 6, and 20,
and activity in July, but do not provide any other details for June or August.
While “reasonable diligence can be shown if it is established that the
attorney worked reasonably hard on the particular application in question

3 Mr. Shipley also attaches to his declaration an invoice dated July 31, 1996
from Mr. Saunders in an attempt to corroborate “work[] on my patent
application [by Mr. Saunders] during the months of June, July, and August.”
(Saunders Dec. ¶ 9.) The July invoice lists specific activity in July but it
does not account for work in June or August. (See Ex. 8S of Saunders Dec.)
A May 31, 1996 invoice lists activity on April 19, May 4, and May 6 for a
total of 3.6 hours, and also lists a file wrapper request on May 20 with no
hours charged for that service. (See Ex. 5S of Saunders Dec.)

Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

20
during the continuous critical period” (Bey v. Kollonitsch, 806 F.2d 1024,
1027 (Fed. Cir. 1986)), in the present case, Appellant has not provided
records or other evidence showing the exact days when activity specific to
this application occurred. Id. at 1027-28 (concluding an insufficient
showing of attorney diligence when there is a lack of records showing the
exact days when activity specific to preparation of the patent application).
While “it may not be possible for a patent attorney to begin working
on an application at the moment the inventor makes the disclosure” (Bey,
806 F.2d at 1028), Appellants have not provided sufficient evidence
pertaining to “a backlog of other cases of other cases demanding [the
attorney’s] attention” (Id.). For example, Appellant does not provide
evidence showing “that unrelated cases are taken up in chronological order”
such as, for example, docket numbers assigned “to the cases in consecutive
order . . . [and] the specific dates when the cases were docketed . . . [and]
that the cases were taken up in chronological order. (Id.) (holding that the
patent attorney must generally show that unrelated cases are “taken up in
chronological order” and that “the attorney has the burden of keeping good
records of the dates when cases are docketed as well as the dates when
specific work is done on the applications”).
In the absence of such evidence, we cannot conclude that the mere
testimony from Mr. Saunders that he “worked diligently and continuously”
over the four month period preceding the filing date of October 7, 1996 and
Appellant’s general assertion that four months is “a reasonable time period
to prepare and file a patent application” are sufficient to demonstrate
attorney diligence. (App. Br. 16)
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

21
Appellant does not provide additional arguments with respect to the
NetStalker reference or the NetStalker reference in combination with any of
Hall, Hershey, Liepins, or Mukhjeree. Therefore, the Examiner did not err
in rejecting claims 1-13 over NetStalker alone or in combination with any
one of Hall, Hershey, Liepins, or Mukhjeree.

Morning Star
Appellant argues that Morning Star discloses a “firewall filter as
‘dynamic’ and describes ‘on-the-fly changes’” (App. Br. 19) but fails to
disclose “generally simultaneously controlling a firewall to block
communications,” as recited in claim 1, because, according to Appellant, the
claim term “generally simultaneously” means “carried out continuously, in
essentially real time” (App. Br. 18) and “without operator intervention” (id.
at 19) and that Morning Star fails to disclose this feature (id.). We disagree
with Appellant.
Claim 1 recites determining, over time, if communications contain
patterns of activity and generally simultaneously controlling a firewall to
block the communications. Hence, claim 1 recites performing a second
function “generally simultaneously” with a first function, the first function
being determining if communications contain certain patterns of activity and
the second function being controlling a firewall to block the
communications.
As an initial matter, Appellant has not adequately demonstrated that
functions performed “generally simultaneously” must be “carried out
continuously,” “in essentially real time,” and “without operator
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

22
intervention.” Construing the claim term “generally simultaneously” in light
of the Specification, we observe that the Specification discloses that
determining if communications contain certain patterns of activity includes a
“look for known code” operation 34 (see, e.g., col. 6, ll. 9-10) or a “look for
known patterns” operation 36 (see, e.g., col. 6, ll. 11-12), and that these
operations are “followed” (see, e.g., col. .7, ll. 5-8) by performing an “assign
weight to breach” operation 38. The Specification also discloses controlling
a firewall to block the communications as part of the “react” operation 40
that “follows” the assign weight to breach operation (see, e.g., col. 7, ll. 55-
58).
In other words, “determining, over time, if the communications . . .
contain patterns of activity indicative of an attempted security breach,” as
recited in claim 1, includes performing a “look for known code” operation
and a “look for known patterns” operation “followed by” an “assign weight
to breach” operation. Also, “generally simultaneously controlling a firewall
to . . . block communications,” according to the Specification, is performed
“following” the step of performing an “assign weight to breach” operation.
Hence, performing a second function “generally simultaneously” with a first
function, when construed in light of the Specification, means performing the
second function “following” performance of the first function. One of
ordinary skill in the art would have understood that a second function that is
performed at a time that occurs after the performance of a first function
would “follow” the first function.
Morning Star discloses a “datagram . . . under examination” (p. 6, ll.
1-2) and “[i]f the datagram doesn’t match the requirements . . . [r]eject
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

23
(discard) the datagram and . . . generate a new set of filtering rules” (p. 6, ll.
7-8, 10-16). In other words, Morning Star discloses blocking data
transmission that “follows” (i.e., comes after in time) examination of data to
determine patterns of activity. Since one function (controlling a firewall)
following another function (examining data for patterns), according to the
Specification, is the same as each function occurring “generally
simultaneously” (as discussed above), Appellant has not adequately
demonstrated that Morning Star fails to disclose the disputed claim features.
Appellant argues that the Specification supports the contention that
the claim term “generally simultaneously” requires that functions be “carried
out continuously, in essentially real time” (App. Br. 18) by disclosing “‘data
packets are being examined and analyzed in essentially real time rather than
by reference to log files’ (emphasis added)” (id.). However, this passage of
the Specification refers to “data packets . . . being examined and analyzed”
during the “look for known code” operation 34 (see col. 6, ll. 4-6) (i.e.,
during the claimed determining step) and does not refer to the claimed step
of controlling a firewall to block communications or its timing relationship
with the determining step. Instead, as described above, the Specification
discloses that the controlling step “follows” the determining step (see, e.g.,
col. 7, ll. 55-58). Thus, we disagree with Appellant that performing actions
“generally simultaneously” requires performing actions “continuously” or
“in real time.”
Appellant argues that Morning Star discloses a “Subnet scan”
involving receiving “at least four ICMP echo request[s],” then “block[ing]
traffic from the source address” (App. Br. 20) and does not disclose
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

24
“generally simultaneously controlling a firewall to selectively block” (id.).
Appellant appears to argue that Morning Star fails to disclose “selectively”
blocking data. However, Appellant does not sufficiently explain how data
traffic that is blocked in Morning Star is not “selected” as data to be blocked.
By virtue of the fact that Morning Star blocks certain traffic (and does not
block other data that is not desired to be blocked), Morning Star “selects”
such data to be blocked. If not, Morning Star would be unable to block the
data desired to be blocked since such data would not be “selected” for
blocking in the first place.
Appellant does not provide additional arguments in support of claims
2-11 or with respect to any of Hoglund, Crosbie, Chapman, or Bolding.
The Examiner did not err in rejecting claims 1-11 as anticipated by
Morning Star or unpatentable over Morning Star in combination with any of
Hoglund, Crosbie, Chapman, or Bolding.

Chapman
Appellant argues that Chapman fails to disclose “detecting an
attempted security breach or controlling a firewall to selectively block
communications” (App. Br. 21, citing Declaration of Bruce F. Webster, filed
January 28, 2010, ¶ 124). We disagree with Appellant.
Chapman discloses security breaches,4 detecting the attempted
“security breaches”5 using firewalls6 performing packet filtering to

4 See, e.g., Chapman, p. 7 (“[t]here are many attacks on systems”; see p. 7,
et seq. for examples of such attacks).
5 See, e.g., Chapman, p. 14 (“most common model for computer security is
host security . . . you enforce the security of each host machine . . .”)
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

25
selectively block communications.7 Appellant has provided insufficient
evidence demonstrating a difference between Chapman’s disclosure and the
disputed claim feature of determining the presence of an “attempted security
breach” or “controlling a firewall to selectively block communications.”
Appellant argues that Chapman discloses “dynamic packet filtering”
that, according to Appellant “neither teaches, nor would have suggested . . .
detecting an attempted security breach or controlling a firewall to selectively
block communications” (App. Br. 21, citing Declaration of Bruce F.
Webster, filed January 28, 2010, ¶ 124). Bruce F. Webster states that
Chapman’s “dynamic packet filtering” “has nothing to do with detecting an
attempted security breach and controlling a firewall to selectively block
communications . . . [because Chapman only discloses] storing information
on outbound UDP packets so that the filter will allow inbound packets
through the filter from the same host and port that the outbound packet was
sent to” (Declaration of Bruce F. Webster, filed January 28, 2010, ¶ 124).
We agree with Appellant that Chapman discloses “the capability of
‘remembering’ outgoing UDP packets . . . [and allowing] only the

6 See, e.g., Chapman, p. 17 (“firewalls are a very effective type of network
security,” a firewall “restricts people to entering at a carefully controlled
point . . . prevents attackers from getting close to your other defenses . . . .
[and] restricts people to leaving at a carefully controlled point”); p. 19 (“A
firewall is a focus for security decisions,” “A firewall can enforce security
policy”); p. 57 (a firewall is a “component . . . that restricts access between a
protected network and the Internet, or between other sets of networks”); or
see Chapter 4, in general.
7 See, e.g., Chapman, p. 59, “Packet filtering systems route packets between
internal and external hosts, but they do it selectively. They allow or block
certain types of packets in a way that reflects a site’s own security policy . .
.”
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

26
corresponding response packets back in through the filtering mechanism” (p.
147). However, Appellant and Mr. Webster do not provide sufficient
evidence demonstrating a difference between allowing only desired packets
through the filtering mechanism (i.e., “dynamic packet filtering” – in other
words, allowing only the desired packets to pass while blocking undesired
packets from passing) and selectively blocking communications as claimed
since in both cases data is being filtered and blocked by a firewall.
Appellant argues that Chapman fails to disclose “real-time monitoring
and selective blocking of communications without operator intervention”
(App. Br. 21). As described above, we disagree with Appellant that
Chapman fails to disclose selectively blocking communications. Also as
described above, Appellant has not provided sufficient evidence supporting
the contention that claim 1 requires “real time monitoring” or that actions be
performed “without operator intervention.”
Appellant does not provide additional arguments in support of claims
2-13 or with respect to any of Morning Star Ad or KarlNet 3.0.
The Examiner did not err in rejecting claims 1-13 over Chapman
alone or in combination with Morning Star Ad or KarlNet 3.0.

Intrusion Alert, Gabriel, KarlNet 2.0, Snapp, Denning, and Smaha
Affirmance of the rejection of claims 1-13 over any of NetStalker
(alone or in combination with any of Hall, Hershey, Liepins, or Mukhjeree),
Morning Star (alone or in combination with any of Hoglund, Crosbie,
Chapman, or Bolding), or Chapman (alone or in combination with Morning
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

27
Star Advertisement and Karlnet 3.0) renders it unnecessary to reach the
propriety of the Examiner’s decision to reject those claims on a different
basis. Cf. In re Gleave, 560 F.3d 1331, 1338 (Fed. Cir. 2009). As such, we
need not reach to propriety of the rejection of those claims over Intrusion
Alert, Gabriel, KarlNet 2.0, Snapp, Denning, or Smaha.

CONCLUSION
The Examiner erred in rejecting claims 1-13 as anticipated by
NetRanger and unpatentable over Escamilla or the combination of
RealSecure and RealSecure FAQ; claims 1-12 as anticipated by RealSecure;
claims 1-7 and 9-12 as anticipated by Valdes; claims 1-7, 9, 10, and 12 as
anticipated by Barrus or unpatentable over Barrus and Porras; and claims 1-
10, 12, and 13 as anticipated by Escamilla.
The Examiner did not err in rejecting claims 1-12 as anticipated by
NetStalker or unpatentable over NetStalker and Liepins; claim 13 as
unpatentable over NetStalker and Hall; claims 11 and 13 as unpatentable
over NetStalker and Hershey; claims 2, 3, 6, and 9 as unpatentable over
NetStalker and Mukhjeree; claims 1-11 as anticipated by Morning Star or
unpatentable over Morning Star and any of Hoglund, Crosbie, Chapman or
Bolding; claims 1-8 as anticipated by Chapman; claims 9-13 as unpatentable
over Chapman; claims 1-13 as unpatentable over Chapman, Morning Star
Ad and KarlNet 3.0.

DECISION
The Examiner’s decision to reject claims 1-13 is affirmed.
Appeal 2012-008552
Reexamination Control 95/000,489
Patent 6,304,975 B1

28

AFFIRMED

rvb

PATENT OWNER

ROTHWELL, FIGG, ERNST & MANBECK, P.C.
607 14TH STREET, NW
SUITE 800
WASHINGTON, DC 20005

THIRD PARTY REQUESTER

IRELL & MANELLA LLP
1800 AVENUE OF THE STARS
SUITE 900
LOS ANGELES, CA 90067