[00:00:00] Speaker 04: Intellectual Ventures II Against Commerce Bank Shares, Mr. Picard. [00:00:07] Speaker 04: Mr. Picard, we appreciate that there are overlap, that these cases are listed separately, but let's just start with our full case for the first one that's listed here. [00:00:18] Speaker 04: And then when there are things to fill in, we can go into greater detail with the others. [00:00:24] Speaker 00: Very good, Your Honor. [00:00:25] Speaker 00: Thank you. [00:00:26] Speaker 00: Byron Picard on behalf of the Appellant Intellectual Ventures, [00:00:30] Speaker 00: May I please the court? [00:00:31] Speaker 00: This appeal presents two claim construction errors in the board's anticipation rulings in the IPR below. [00:00:39] Speaker 00: Claim 26 of the patent at issue is the only independent claim involved in this appeal. [00:00:45] Speaker 00: And claim 26 recites a data collection and processing center. [00:00:50] Speaker 00: And of relevance to this appeal, it requires that the data collection and processing center do two things first or be capable of doing two things. [00:00:58] Speaker 00: That is identifying [00:01:00] Speaker 00: an anomaly and that it do so in a particular way, that is by analyzing data entering into a plurality of host servers and computer sites. [00:01:09] Speaker 00: The analyzing the data step, the board's error below was to broadly construe that claim to allow the instance where information about the network traffic to satisfy that limitation and to understand... Yes? [00:01:27] Speaker 03: Can I just ask this? [00:01:29] Speaker 03: The common claim construction issue between the two cases can be summarized, maybe you even have summarized it or the board has, is whether indirect analysis of data by the central unit, even when the central unit doesn't have any of the data itself, the network entering data itself, can, under our broadest reasonable interpretation standard, be covered by the claim language that the central unit must analyze the data. [00:01:59] Speaker 00: I think that well summarizes that issue. [00:02:01] Speaker 03: Why is that not one reasonable understanding of analyzing data in something like the same way that the term meta-analysis is used, as I understand it, you can correct me if I'm wrong, to refer to analyzing data by analyzing earlier studies of that data, even if the direct data is not presented to the meta-analyst? [00:02:30] Speaker 00: The metal analyst paradigm, if you will, has been introduced, at least not in those terms. [00:02:36] Speaker 03: No, but I'm trying to get a grip on the language. [00:02:39] Speaker 03: You make a kind of ordinary language argument that the central unit doesn't analyze data that it doesn't see, and the board at the core said [00:02:48] Speaker 03: That's not really quite right. [00:02:49] Speaker 03: You can reasonably say the central unit analyzes data by analyzing an analysis, even if it doesn't, if it gets only the results of the analysis and not the data. [00:03:00] Speaker 00: And I don't think that's fair because we look at the plain language, start with the plain language for claim 26. [00:03:05] Speaker 00: Claim 26 has the comprising limitation, comprising analyzing data entering into a plurality of host servers and computer sites. [00:03:18] Speaker 00: So data about that data or metadata are not the data that have entered into the host servers and computer sites. [00:03:26] Speaker 00: And the specification is consistent and supports that reading. [00:03:31] Speaker 00: For example, column seven. [00:03:33] Speaker 00: And one of the advantages of the invention, I think it's important to keep in mind, is that in the prior art approach, you would have these distributed network modules. [00:03:41] Speaker 00: They did their own [00:03:43] Speaker 00: isolated or module host-based intrusion detection and they would report the fact of an anomaly to some other component of the system. [00:03:52] Speaker 00: The advantage of the OA4 patent was that you could get a broader scope of detection by looking at data from many of those sources. [00:04:00] Speaker 01: On page nine of the reply brief in the other case, and I'm sure you agree with this, [00:04:06] Speaker 01: It says we're not saying that it has to analyze all of the data. [00:04:11] Speaker 01: It's sufficient if it analyzes some of the data. [00:04:14] Speaker 01: But isn't it clear that in both of these prior art references that summaries of the data are being analyzed? [00:04:22] Speaker 01: It isn't just taking a conclusion from the peripheral computer. [00:04:27] Speaker 01: It is also taking summaries of the data that are provided by the peripheral computers. [00:04:33] Speaker 00: In the case of the porous reference, which is in the second IBM appeal, I don't believe that there's substantial evidence that shows what's, in fact, in those anomaly reports. [00:04:43] Speaker 01: Well, let's talk about Oxford. [00:04:45] Speaker 01: I think there is in the porous reference, specific reference to considering summaries of the data. [00:04:51] Speaker 01: In other words, they're not just taking a conclusion from the peripheral computers saying, oh, there's an anomaly here. [00:04:58] Speaker 01: There's a description. [00:05:00] Speaker 01: of what the anomaly is, which includes summaries of the data that's received. [00:05:05] Speaker 01: Is that wrong? [00:05:07] Speaker 00: I think it's wrong in that it's not been shown that the summaries that are provided, these anomaly reports in the Porch reference, in fact contain the same data that were delivered to the network modules. [00:05:19] Speaker 00: It's a different case in the Oxmouth reference, which is [00:05:23] Speaker 01: the prior art here and the one... You're saying data has to be raw data. [00:05:27] Speaker 01: It can't be a summary of data. [00:05:28] Speaker 01: That seems to me that's what your position is. [00:05:31] Speaker 00: That's right, but the only point in the reply brief there is that we're not requiring that every data packet in a packet-based system be delivered to the centralized processor, but you have to have some of it at least as drafted in Claim 26. [00:05:43] Speaker 01: So why wouldn't... Why isn't there a broadest reasonable interpretation of data to include summaries of data as opposed... Why does it have to be raw data? [00:05:52] Speaker 00: because summaries of data do not enter the plurality of host servers and computer sites, which is required by Claim26. [00:06:00] Speaker 00: I don't understand what you're saying. [00:06:04] Speaker 00: Excuse me? [00:06:04] Speaker 00: I don't understand what you just said. [00:06:06] Speaker 00: So the network modules which are recited here as the host servers and computer sites, they don't receive summaries of data. [00:06:13] Speaker 00: They're receiving network traffic. [00:06:14] Speaker 00: Are you talking about the central server or the peripheral ones? [00:06:19] Speaker 00: The peripheral ones. [00:06:21] Speaker 00: So they're receiving network traffic. [00:06:23] Speaker 00: And that network traffic is not summaries about the data that those are receiving. [00:06:28] Speaker 01: And in case of course... They're receiving the raw data and they pass along summaries of the raw data to the central computer. [00:06:35] Speaker 01: That's right. [00:06:37] Speaker 01: And that's not the same data that they receive. [00:06:38] Speaker 01: Well, that's the question of whether that falls within the claim. [00:06:43] Speaker 00: It is, Your Honor. [00:06:43] Speaker 00: I think maybe the clearest [00:06:47] Speaker 00: explanation why that's outside the scope and why it would not be reasonable to include that data in the claims is to look at the prosecution history. [00:06:54] Speaker 00: And we cited this in our brief. [00:06:56] Speaker 00: This appears in the joint appendix starting at 463. [00:07:01] Speaker 00: And during the prosecution of the 08-4 patent, a limitation was added, the very limitation that's at issue here. [00:07:10] Speaker 00: If we look at JA 463, they add the limitation using network-based intrusion detection techniques comprising [00:07:17] Speaker 00: analyzing data, entering into a plurality of host servers and computer sites in the network computer system. [00:07:23] Speaker 00: And if we look ahead from the same office action response at JA469, the patent applicant explained why that limitation was being added. [00:07:37] Speaker 00: And the reference issue there was this Rallon reference, and Rallon was a host-based intrusion system. [00:07:46] Speaker 00: not unlike what we see with Oxmith and Porus. [00:07:50] Speaker 00: And the patent applicant made clear that what's being claimed in the 084 patent is a network-based intrusion detection system. [00:07:58] Speaker 00: And explained by the addition of that limitation, it was attempting to require that the centralized server not just receive reports about anomalies, but receive the data itself. [00:08:10] Speaker 01: But I don't see that that's inconsistent with receiving summaries of the data. [00:08:17] Speaker 00: Respectfully, Your Honor, we see it differently. [00:08:19] Speaker 00: And the prosecution history shows that what is required is raw data to be delivered to the centralized processor. [00:08:28] Speaker 00: And I think Your Honor's question also got to the substance of the Oxmith reference, which leads to the second claim construction issue, and that is this identifying anomaly limitation in the board's decision in Oxmith. [00:08:42] Speaker 00: If we look at the joint appendix 11, the final written decision, [00:08:47] Speaker 00: There's really no dispute about what Oxsmith shows. [00:08:50] Speaker 00: What happens in the so-called indirect method of Oxsmith is you've got these network components. [00:08:59] Speaker 00: It's called agents 106. [00:09:00] Speaker 00: These are the distributed modules. [00:09:03] Speaker 00: They receive and detect anomalies and then send the summaries on to the centralized network server 104. [00:09:10] Speaker 00: And then network 104 classifies those anomalous traffic events as either malignant or benign and requiring action. [00:09:17] Speaker 00: And the dispute there is about whether server 104 is in fact identifying an anomaly or just classifying them. [00:09:24] Speaker 00: Because there's no dispute that Hawksmith, for example, those reports have some of the data that's sent to the network modules, which we submit has not been shown to be the case for PORUS. [00:09:35] Speaker 03: If we look there then to the patents, the patent makes it... I'm sorry, you said Hawksmith, the nodes are forwarding to the central unit [00:09:46] Speaker 03: some of the data that entered the network? [00:09:49] Speaker 00: Yes, sir. [00:09:50] Speaker 00: In Oxmouth, there is a disclosure that some of the reports that go from the nodes to the central server do include some of the data. [00:09:57] Speaker 00: And I want to address that head on. [00:09:59] Speaker 00: And that's why the identifying an anomaly limitation is important here. [00:10:04] Speaker 00: The patent makes a distinction between anomaly detection and then subsequent steps of classifying the anomaly as a real threat, a real intrusion, or a false alarm. [00:10:13] Speaker 00: And if we look to the patents, [00:10:18] Speaker 04: So where is the distinction from this monitoring and spotting anomalies and reporting them in OXMETH? [00:10:27] Speaker 00: So OXMETH, while in OXMETH it does receive some of what we're calling the raw data here today, OXMETH's central processor, the server 104, it doesn't use that raw data or analyze that raw data to detect an anomaly. [00:10:41] Speaker 00: So the claims require that the data collection and processing center do two things. [00:10:45] Speaker 00: It's got to detect the anomalies and then [00:10:48] Speaker 00: And the way it does so must involve analyzing the... What is the ROT data used for? [00:10:53] Speaker 00: In OXMETH? [00:10:54] Speaker 00: Yeah. [00:10:54] Speaker 00: In OXMETH, it's used to classify the anomalous traffic as either a real threat or a benign statistical fluke. [00:11:02] Speaker 00: And if we look to column four of the OA4 patent... Why isn't that used in detecting an anomaly? [00:11:08] Speaker 00: So the class of the patent makes a distinction between classifying anomalies as a real threat or a benign statistical fluke. [00:11:17] Speaker 00: detecting anomalies just to look for that unusual pattern or signature in the traffic itself. [00:11:22] Speaker 00: And if we look to column four of the 084 patent at line four, it says anomaly detection techniques also produce false alarms. [00:11:31] Speaker 00: Most of the reported anomalies are purely coincidental statistical exceptions and do not reflect actual security problems. [00:11:38] Speaker 00: What that suggests is that detecting the initial unusual traffic, be it by pattern or signature, [00:11:46] Speaker 00: That is the anomaly detection. [00:11:47] Speaker 00: That's different than determining whether the unusual traffic is, in fact, potentially harmful. [00:11:53] Speaker 00: And we can see another example that in the description of figure four, if we turn to column 10 of the 084 patent, and it says the intrusion detection portion of the system receives data from the various intrusion detection systems on the network and analyzes this to detect an attempted intrusion [00:12:14] Speaker 00: or intrusion reconnaissance activity, and then it says the data is logged and analyzed. [00:12:19] Speaker 00: If an intrusion is detected, an alert is logged. [00:12:21] Speaker 00: So it's making a distinction between the detection of the anomaly and then what would happen if it turns out that anomaly is in fact a true threat, and then it triggers things like adjusting the sensitivity of the firewalls, alerting network modules, and so on. [00:12:36] Speaker 03: By the way, on the and so on, which I guess involves [00:12:43] Speaker 03: Claim 33, what other things, other responses, could the central unit take beyond the two listed in 33 to indicate why the more general language of Oaksmith isn't necessarily referring to adjusting anomaly detection sensitivity and alarm thresholds? [00:13:10] Speaker 00: So if you look, for example, at Claim 27, [00:13:13] Speaker 00: In addition to detecting an anomaly, the central processor can determine which of the devices that it expects to be affected by the threatening activity there. [00:13:25] Speaker 00: I believe 28 has an additional claimed example. [00:13:29] Speaker 03: So it might, for example, cut that device out of the network. [00:13:32] Speaker 03: That's right. [00:13:35] Speaker 04: Let's hear from the other side and we'll save you rebuttal and then we'll continue with the next case in the same patents. [00:13:49] Speaker 04: Thank you. [00:13:52] Speaker 02: May I please support? [00:13:55] Speaker 02: The court can affirm the board's decision on two different grounds in this case. [00:14:00] Speaker 02: If the court determines that the board correctly construed the data limitations in claim 26, IV does not dispute that anticipation is proper. [00:14:09] Speaker 02: Alternatively, the court can affirm the board's factual findings with regard to the board's findings that [00:14:19] Speaker 02: claim 26 as anticipated by Auxmith, even under the narrow construction proposed by IV. [00:14:26] Speaker 02: I'd like to turn first to the claim construction issue with respect to the data limitations in claim 26. [00:14:33] Speaker 02: So in the briefing, the argument from Intellectual Ventures was that the plain meaning of the claim requires this narrow sense of what it means to monitor [00:14:47] Speaker 02: the data and analyze the data to detect intrusions. [00:14:51] Speaker 02: This morning, it morphed a little bit into more of a prosecution disclaimer type argument that wasn't raised below. [00:14:58] Speaker 02: But I believe the thrust of their argument before this court is that the plain meaning of analyzing data entering into a plurality of hosts, servers, and computer sites requires that there be this firsthand analysis or that data be raw data. [00:15:13] Speaker 02: And there's no support [00:15:15] Speaker 02: in the plain and ordinary meaning of that claim language for these limitations. [00:15:20] Speaker 02: And in fact, if we turn to the 084 patent and we look to the 084 patent for guidance, what does it mean when it says that the Data Collection Processing Center is monitoring data and analyzing this data to detect intrusions? [00:15:35] Speaker 02: And if we look first, and there's several ways that the 084 patent describes it, this can be done. [00:15:41] Speaker 02: We look first at column seven, it said appendix 33, [00:15:46] Speaker 02: It says that the data collection and processing center receives information from various network devices attached to the computer network. [00:15:54] Speaker 02: For example, all communications can be sent to the central server, the data collection and processing center. [00:16:00] Speaker 02: It also says later in column seven that certain devices can be used as sensors and sense data traffic and pass their findings on to the data collection and processing center. [00:16:10] Speaker 02: It's one way that you can get the data in for analysis at the central server. [00:16:15] Speaker 02: In column eight, talking about the present invention, it says that suspicious network traffic events are collected, potentially in context, and forwarded to a central database and analysis engine. [00:16:28] Speaker 02: Then the centralized engine uses pattern correlation across multiple customers' events in order to detect intrusions. [00:16:36] Speaker 02: And then yet another way of performing these functions that we're arguing about, it starts at the bottom of column eight. [00:16:43] Speaker 02: There it says that the present invention monitors the traffic from plurality of customers and continuing on in column nine, line four, the data that's sent is data from existing customers conventional intrusion detection systems that's provided to the central database and then analyzed. [00:17:02] Speaker 02: These data records comprise, for example, a timestamp, a description of the activity, and a source of the probe. [00:17:10] Speaker 02: So the 084 patent specification describes [00:17:13] Speaker 02: numerous ways in which the data collection and processing center can perform these two functions that are required by claim 26. [00:17:21] Speaker 02: And the claim language itself is agnostic as to how these functions are performed. [00:17:28] Speaker 02: So we believe that the broadest reasonable interpretation in line with the specification has to be broad enough to encompass these multiple alternative ways of getting the data from the remote hosts back to the central server. [00:17:45] Speaker 02: Now, there was argument this morning that in the case of Auxmith, the patent owner here admits that in Auxmith, certain data that's received by the nodes is sent back and reported back to the central server. [00:18:05] Speaker 02: And indeed, in Auxmith, it talks about the anomaly is sent back to the central server. [00:18:13] Speaker 02: So we would agree that there is definitely data because the anomaly has sent back. [00:18:17] Speaker 02: And if you look at the OXMETH reference, for example, at appendix 718, it talks about in paragraph 43, the server 104 receives notice of the anomaly and can examine the anomaly to determine, at step 314, if the anomaly constitutes an actual anomaly. [00:18:40] Speaker 02: And it goes on. [00:18:42] Speaker 02: Down in paragraph 45, it expands on this description. [00:18:45] Speaker 02: In individually examining the anomaly, the server 104 may, for example, search for particular information in the anomaly, such as a network address previously noted as a security problem, a particular query or command associated with a known intrusion pattern or technique, a particular file name or file type associated with a known intrusion pattern or technique, or other similar types of information. [00:19:11] Speaker 02: And it goes on. [00:19:12] Speaker 02: So it's clear here that the anomaly is detected at the nodes. [00:19:16] Speaker 02: This collection of data that was received is sent back to the central server. [00:19:21] Speaker 02: It's analyzed to determine if it constitutes an actual anomaly. [00:19:24] Speaker 02: Now, Intellectual Ventures argues that what happens at the central server is simply a classification of an already detected anomaly. [00:19:33] Speaker 02: Well, we would dispute that characterization in the reference. [00:19:38] Speaker 02: For example, in figure two of Al Smith, [00:19:42] Speaker 02: At step 214, server determine actual anomaly, question mark. [00:19:46] Speaker 02: There's a decision step as to whether there's an anomaly. [00:19:50] Speaker 02: If you look at page, I'm sorry, paragraph 13 of the Aft Smith Reference, it says that the server 104 can also use possible security problems reported by all the agents, 106.1 through N, [00:20:08] Speaker 02: to help detect intrusion patterns, detect intrusion techniques, and other security problems. [00:20:13] Speaker 02: That is intrusion detection. [00:20:15] Speaker 02: That is anomaly detection. [00:20:20] Speaker 02: Other examples, paragraph 50. [00:20:23] Speaker 02: And this is what the board referred to as the direct detection method. [00:20:26] Speaker 02: But there, it talks about after logging the anomaly, you add that to the collection of security information that you use for this network-based approach. [00:20:37] Speaker 02: And then you can go on and do your general intrusion detection actions. [00:20:41] Speaker 02: That's what it's called, intrusion detection actions. [00:20:45] Speaker 02: Such actions can include monitoring all the incoming data, the packets. [00:20:50] Speaker 02: You can recognize attack patterns, report possible intrusions, and so on. [00:20:55] Speaker 02: So how this isn't detecting anomalies is beyond me. [00:21:01] Speaker 02: But if we look at paragraph 77, [00:21:03] Speaker 02: In a detailed description of the actual configuration for the network server 104, it describes that it has a, quote, anomaly detection mechanism 528. [00:21:16] Speaker 02: This is at the central node. [00:21:20] Speaker 02: So the plain and expressed disclosure of the OXMETH reference clearly teaches [00:21:28] Speaker 02: that what's going on is you're receiving information from the nodes. [00:21:31] Speaker 02: The central server is looking at that information with the benefit of a broader source of network events that it's collected. [00:21:39] Speaker 02: And it's determining whether or not there's an anomaly or an intrusion. [00:21:42] Speaker 01: So suppose hypothetically that the central computer did only one thing, which was to count the number of anomalies detected by the peripheral computers and then made a decision as to what action to take based on that. [00:21:59] Speaker 01: Would that be within the scope of Claim 41? [00:22:04] Speaker 01: The central server is simply counting the number of anomalies? [00:22:07] Speaker 01: Yeah, it receives, there are 10 peripheral computers, it receives only from those computers information that an anomaly was detected. [00:22:17] Speaker 02: I think that the number of events is one of the ways, now there's nothing detailed in the OA-4 Packness. [00:22:25] Speaker 02: What's the answer to my question? [00:22:26] Speaker 02: I think the answer is yes. [00:22:29] Speaker 02: I think it would be covered in that you're making a new determination. [00:22:33] Speaker 02: Is there an actual problem here? [00:22:35] Speaker 02: We've seen these events coming in from multiple nodes. [00:22:40] Speaker 02: And based on that broader scope of information, there is some algorithm that is determining you've exceeded the threshold where we think there's an issue here. [00:22:48] Speaker 02: So I think simply counting and making a determination whether this is a real problem. [00:22:53] Speaker 02: Counting the number of anomalies would be sufficient. [00:22:55] Speaker 02: Counting the number of anomalies in the context of outsmith [00:22:59] Speaker 02: But there's something strange going on here. [00:23:01] Speaker 02: We're sending it up to the central server. [00:23:03] Speaker 01: There's more in OXMETH. [00:23:04] Speaker 01: OXMETH, the central processor, is doing more than counting the number of anomalies that are received. [00:23:10] Speaker 01: It's actually doing an analysis. [00:23:14] Speaker 01: Right? [00:23:15] Speaker 01: Correct. [00:23:26] Speaker 02: The prosecution history cited by Intellectual Adventures does not support the disavowal language that was suggested this morning. [00:23:34] Speaker 02: The host-based analysis that was referred to in the prior art wasn't host-based analysis followed by sending reports from those hosts to a central server to do further analysis to determine if there's an actual security threat. [00:23:47] Speaker 02: So there's no foothold in the prosecution history for them to extrapolate to where they went this morning. [00:23:53] Speaker 03: Were there [00:23:56] Speaker 03: This is Roland or Rowland that was being distinguished. [00:23:59] Speaker 03: And was there no sending of information either collected or developed at the host to anywhere else? [00:24:12] Speaker 02: Not that I can recall. [00:24:13] Speaker 02: And it's certainly not in a record that they've made below. [00:24:16] Speaker 03: And not part of the discussion in the PTO. [00:24:20] Speaker 02: Not that I can recall. [00:24:23] Speaker 02: If I could turn quickly to the cross-appeal issue, which is... Yes, please do. [00:24:28] Speaker 02: So our cross-appeal deals with claim 33. [00:24:32] Speaker 02: Claim 33 is a dependent claim that introduces the additional limitation that once the anomaly is detected, the data collection and processing center adjusts anomaly detection sensitivity and alarm thresholds. [00:24:47] Speaker 02: There's very little guidance in the 084 patent as to what those two functions mean. [00:24:53] Speaker 02: If we look first to column 8, around line 30, it says, second, upon detection of suspected reconnaissance and probing, the detection process can adjust its matching parameters and alarm thresholds to focus sensitivity on attacks from suspected sources against specific targets. [00:25:18] Speaker 02: It doesn't support, this portion of the specification uses this term as does claim 33, very generically these terms. [00:25:27] Speaker 02: It's not like there's a specific alarm threshold that is adjusted in these firewalls or a specific anomaly detection sensitivity knob that's adjusted. [00:25:36] Speaker 02: These are generic terms to describe the situation where we've now seen, the central server has now seen that there is this security problem in the future [00:25:45] Speaker 02: we're going to be on the lookout for this security problem. [00:25:49] Speaker 02: And so certain parameters have to be adjusted in order to more easily detect that anomaly in the future and issue alarms, if appropriate. [00:25:59] Speaker 04: The only issue that was raised was section 102 anticipation. [00:26:04] Speaker 04: Is that right? [00:26:05] Speaker 04: Nothing under 103? [00:26:06] Speaker 02: Correct. [00:26:07] Speaker 02: In the Outsmith reference, it teaches [00:26:15] Speaker 02: in paragraph 54. [00:26:22] Speaker 02: We'll start with paragraph 52, actually. [00:26:25] Speaker 02: There it says that in the second sentence, the agents, once they receive the notification of the anomaly, quote, immediately are able to check for that anomaly in examining information arriving at its respective client terminals. [00:26:39] Speaker 02: So they're informed of the anomaly, and they can check for that anomaly. [00:26:43] Speaker 02: And then in 54, [00:26:45] Speaker 02: It's updating the firewall 112 and the notification of the anomaly, quote, may include updating the collection of corporate security data, 120, to include information about the anomaly, modifying security procedures to account for the anomaly, or performing other similar tasks. [00:27:02] Speaker 02: So you're modifying security procedures to account for the anomaly. [00:27:06] Speaker 02: In other words, when we see the anomaly, if it comes in again, we're going to more easily detect it and alarm if appropriate. [00:27:13] Speaker 02: Now the board rejected, the board had declarations from two experts, our expert Dr. Kessidis and their expert Dr. Goldschlide. [00:27:23] Speaker 02: The board rejected Dr. Kessidis' testimony because it focused on later paragraphs in the declaration. [00:27:31] Speaker 02: In paragraph 145, Dr. Kessidis walked through the logic of if we've now detected an anomaly, we've added that to our collective knowledge of potential problems, [00:27:41] Speaker 02: And we're able to account for the anomaly by modifying our security procedures. [00:27:46] Speaker 02: He testified from one skill in the arts perspective. [00:27:48] Speaker 02: That means you've adjusted anomaly detection sensitivity. [00:27:52] Speaker 02: What else could that mean in alarm thresholds? [00:27:55] Speaker 02: The board, unfortunately, overlooked that portion of the testimony. [00:27:59] Speaker 02: There were some other claims that had the same dependent claim limitation. [00:28:03] Speaker 02: So that was addressed in an earlier portion of his petition, or his declaration. [00:28:07] Speaker 02: And they overlooked that testimony in their final written decision. [00:28:12] Speaker 02: And they did so at the board's, I'm sorry, at Intellectual Venture's suggestion. [00:28:17] Speaker 02: During oral argument, Claim 33 was given somewhat short shrift as far as the argument went. [00:28:23] Speaker 02: But during the oral argument, IB's counsel said that we had a slide for paragraph 145 of Dr. Kassadis' declaration. [00:28:32] Speaker 02: And they told the board that that was unrelated to Claim 33. [00:28:36] Speaker 02: So we think that the board accepted that invitation, even though we reminded the board on rebuttal that it wasn't. [00:28:42] Speaker 02: didn't look at the logic contained in Dr. Kassadis's declaration with respect to this. [00:28:48] Speaker 02: And in doing so, the final written decision, as far as item 33 is concerned, does not support advice of substantial evidence. [00:28:56] Speaker 04: Thank you. [00:28:57] Speaker 04: We'll save some rebuttal time on the cross appeal. [00:29:02] Speaker 04: Mr. Picard, in addition to whatever rebuttal you have, let's concentrate on the cross appeal. [00:29:08] Speaker 00: Absolutely. [00:29:10] Speaker 00: First of all, [00:29:11] Speaker 00: Commerce Bank raises a substantial evidence review question for this panel. [00:29:16] Speaker 00: The board was provided with competing expert testimony on whether Claim 33 was anticipated by Oxmith. [00:29:23] Speaker 00: And I think if you read the opinion, it essentially said that Commerce didn't make out its burden. [00:29:28] Speaker 00: And it's clear to see why. [00:29:30] Speaker 00: If we look at Joint Appendix 614, this is the Casitas declaration, paragraph 178. [00:29:38] Speaker 00: And all Dr. Casitas does is [00:29:41] Speaker 00: put side-by-side block quotes from Oxmouth in the claim language. [00:29:45] Speaker 00: There's no analysis there. [00:29:48] Speaker 00: On the question of whether the board overlooked what was provided in paragraph 145, that's not a fair criticism. [00:29:56] Speaker 00: The board's final written decision cited paragraph 178. [00:29:59] Speaker 00: If we see here, 178 refers back to the analysis, notwithstanding that the board's not required to cite every piece of evidence that it considered in coming to the decision. [00:30:12] Speaker 03: address paragraph 54 of Aux Smith. [00:30:23] Speaker 03: Yes. [00:30:23] Speaker 03: And one of the things it teaches, and I guess this is the crucial allegedly anticipating portion of Aux Smith for claim 33, is modifying security procedures to account for the anomaly. [00:30:39] Speaker 03: What would be an example of that [00:30:43] Speaker 03: that is not one of the two things listed in claim 33. [00:30:55] Speaker 00: For instance, the server 104 could terminate communications between the network and one of the network modules, and that would not involve changing a detection sensitivity or an alarm threshold. [00:31:10] Speaker 00: And I think it's important to keep in mind, Dr. Goldschlag, intellectual ventures expert on this point, provided competing expert testimony on what's disclosed in paragraph 54 and simply said that the skilled artisan wouldn't have understood this to disclose the unique features that are provided in 33. [00:31:27] Speaker 00: If you put that up against Dr. Kousaitis, as the board did. [00:31:31] Speaker 03: I don't remember, did Dr. Goldschlag say, here are other measures that [00:31:39] Speaker 03: the system could take that were different from these? [00:31:42] Speaker 00: He did not. [00:31:42] Speaker 00: There's nothing in the record about what. [00:31:45] Speaker 03: Both sides' testimony seems to me to be at an extraordinarily high level of generality without concretely talking about what's actually going on, which if they have the burden, maybe they lose for that reason alone. [00:31:57] Speaker 00: They do have the burden, yes. [00:31:58] Speaker 00: And I think that's why their appeal fails. [00:32:00] Speaker 00: They have the burden. [00:32:01] Speaker 00: And if the board is free to credit Kasaitis's completely conclusory testimony, then he's certainly free to [00:32:07] Speaker 00: credit Dr. Goldschlag, who frankly provides something more than casitis. [00:32:14] Speaker 00: So we respectfully ask that the board affirm the, this court, excuse me, affirm the board's non-anticipation finding as to claim 33. [00:32:21] Speaker 00: Okay. [00:32:25] Speaker 04: Good. [00:32:26] Speaker 04: Thank you. [00:32:26] Speaker 04: Mr. Van der Twing and Henry Butler on the cross-appeal only. [00:32:35] Speaker 02: So Dr. Goldschlag made the same error that the board did. [00:32:38] Speaker 02: Dr. Goldschlag did not respond to Dr. Kessides' testimony in Paragraph 145 of his declaration either. [00:32:46] Speaker 02: And the criticism that the board... What page are the records on? [00:32:52] Speaker 01: What page is Paragraph 145? [00:32:56] Speaker 02: It's on Appendix 596. [00:33:05] Speaker 02: So the criticism leveled by the board against Dr. Kassadis says that Dr. Kassadis' testimony just repeats the language from Oaksmith quoted above and concludes that Oaksmith discloses each and every limitation of claim 33. [00:33:21] Speaker 02: That criticism is only fair if the board's analysis was limited to [00:33:27] Speaker 02: the claim chart that appears in paragraphs 178 to 181 of Dr. Kessidis' declaration. [00:33:34] Speaker 02: The logic that Dr. Kessidis explained is one skill in the art of when you receive this information and you're modifying security procedures to account for the detected anomaly, and therefore you're necessarily adjusting the sensitivity so that you can detect it down the road. [00:33:53] Speaker 02: The problem is the board doesn't have to believe it, right? [00:33:56] Speaker 02: That's your difficulty. [00:33:58] Speaker 02: Well, between the two experts, you had Dr. Kestadis explaining the logic from his viewpoint what this means. [00:34:05] Speaker 02: And you had Dr. Goldschlag saying, I don't see these, basically, I don't see these words in Oaksmith. [00:34:12] Speaker 02: And they haven't explained why these words are present. [00:34:16] Speaker 02: That kind of testimony that I've read in Oaksmith, and I tell you, Board, that it's not there from Goldschlag, that exact type of testimony, [00:34:23] Speaker 02: was rejected in another portion of the board's opinion as to conclusory to support their position. [00:34:29] Speaker 02: So we would say Dr. Goldschlag's conclusory testimony doesn't withstand the logical conclusion that one would reach reading paragraph 52 and 54 of Aux Smith along with the interpretation of those provisions provided by Dr. Kessides. [00:34:50] Speaker 02: Again, there's no specific parameters disclosed in the 084 patent relating to alarm thresholds for anomaly detection sensitivity. [00:35:00] Speaker 02: And in fact, the reason why that is is described in column 11 around line 44. [00:35:06] Speaker 02: It says that it is contemplated that in addition to notifying the firewall or other host device of an impending attack, the system could control the firewall or other host device to reconfigure or adjust pertinent parameters, anticipation of the attack. [00:35:20] Speaker 02: For each type of device, the parameters controlled or adjusted would be different and so on. [00:35:24] Speaker 02: So the 084 patent isn't, in the claim 33, isn't talking about specific parameters that are adjusted. [00:35:32] Speaker 02: It's going to depend on the device. [00:35:33] Speaker 02: It was just talking about once you've got the benefit of this anomaly that's been detected, you in the future would be better able to detect the control arms. [00:35:42] Speaker 04: Okay. [00:35:43] Speaker 04: Thank you. [00:35:44] Speaker 04: Thank you. [00:35:44] Speaker 04: Thank you both. [00:35:45] Speaker 04: So this case is taken under submission.