What’s a tool? What is functionality? Network monitoring claim held patent-eligible in split opinion
| October 29, 2019
SRI International, Inc., v. Cisco Systems, Inc.
March 20, 2019
Before Lourie, O’Malley, and Stoll. Opinion by Stoll. Dissenting opinion by Lourie.
Summary
The CAFC affirmed a district court decision holding that claims related to network security monitoring are patent-eligible. In the 2-1 opinion, the CAFC held that all of the asserted claims are patent eligible under §101 as not “directed to” an abstract idea under the first step of the Alice test, because the claims focus on an improvement in the functionality of computers and computer network technology.
The CAFC also affirmed the district court’s construction of the claim term “network traffic data,” summary judgment of no anticipation, and award of ongoing royalties but willful infringement and attorneys’ fees issues were vacated and remanded.
This presentation only addresses the issue of patent eligibility.
Details
SRI International, Inc. (“SRI”) sued Cisco Systems, Inc. (“Cisco”) for infringement of U.S. Patent Nos. 6,711,615 (‘615 patent) and 6,484,203 (‘203 patent). The ‘615 patent is a continuation of the ‘203 patent. The patents relate to network security by using network monitors to analyze the data on the network and generating and integrating reports of suspicious activity.
SRI proposed claim 1 of the ‘615 patent as representative claim while Cisco proposed claim 1 of the ‘203 patent. The CAFC noted that the claims are substantially similar, the difference in the list of categories of data not being material to any issue on appeal, and adopted claim 1 of ‘615 patent as the representative claim.
Claim 1 of the ‘615 patent:
1. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
deploying a plurality of network monitors in the enterprise network;
detecting, by the network monitors, suspicious network activity based on analysis of network traffic data selected from one or more of the following categories: {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet, network connection acknowledgements, and network packets indicative of well-known network-service protocols};
generating, by the monitors, reports of said suspicious activity; and
automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
As a preliminary matter, the CAFC noted that SRI spent considerable investment on network intrusion detection and developed the Event Monitoring Enabling Response or Anomalous Live Disturbances (“EMERALD”) project prior to the filing of the patents. In addition, the CAFC also noted that the Defense Advanced Research Projects Agency of the Department of Defense, which helped fund the project, called it a “gem in the world of cyber defense” and “‘a quantum leap improvement over’ previous technology.”
As to the issue of patent eligibility, the District Court held that the claims do more than merely recite the performance of a known business practice on the Internet and are better understood as being necessarily rooted in computer technology in order to solve a specific problem in the realm of computer networks. The CAFC agreed.
The CAFC explained that by the recitation of detecting an activity, receiving and integrating the reports, the claim does more than just the normal, expected operation of a conventional computer network. The CAFC specifically described the technological improvement as “a network defense system that monitors network traffic in real-time to automatically detect large-scale attacks,” with reference to Enfish, LLC v. Microsoft Corp.
In addition, the CAFC noted that the specification provided an explanation of both the technological problem – the network becomes more valuable when the technology become more interoperable and integrated but also makes it more vulnerable to attack – and the technological solution, by providing “a framework for the recognition of more global threats to interdomain connectivity, including coordinated attempts to infiltrate or destroy connectivity across an entire network enterprise.” Unfortunately, here, the CAFC simply cited the specification of the SRI patent but did not provide any details regarding how the specification presents the technological solution in relation to the claim language.
When arguing that the claims are directed to an abstract idea, Cisco had raised three main arguments, which the CAFC addressed in turn:
1. the claims are “directed to generic steps required to collect and analyze data,” therefore, “the claims are analogous to those in Electric Power Group, LLC v. Alstom S.A.” in which the claims were simply using the computers as tools. Thus, “the claims are directed to an abstract idea”;
2. “the invention does not involve an improvement to computer functionality itself”; and
3. the claims correspond generally to what people can “go through in their minds”.
Regarding Cisco’s first argument, the CAFC disagreed with Cisco’s view that the SRI patent claims are similar to the claims in Electric Power Group,[i] because the claimed invention in Electric Power Group was only “using computers as tools to solve a power grid problem.” The CAFC emphasized that the claims are similar to the claims in DDR Holdings, LLC v. Hotels.com, which were “directed to more than merely requiring a computer network operating in is normal, expected manner.”
Next, in rejecting Cisco’s second argument, the CAFC asserted that the representative claim is not about “automating a conventional idea on a computer” but “improv[ing] the technical functioning of the computer and computer networks by reciting a specific technique for improving computer network security.”
The CAFC also rejected Cisco’s third argument that the claims recite a mental process, by countering that “the human mind is not equipped to detect suspicious activity by using network monitors and analyzing network packets.”
In conclusion, the CAFC held that the claims at issue are not “directed to” an abstract idea under step one of Alice, because the claims are not just using the computer as a tool to analyze data from multiple sources to detect suspicious activity. Instead, the claims define using network monitors to detect suspicious network activity based on analysis of network traffic data, generating reports of that suspicious activity, and integrating those reports using hierarchical monitors to identify hackers and potential intruders. Thus, the claims provide an improvement in the functionality of computers and computer networks, and, therefore, the claims are patent eligible.
Dissent
Dissenting Judge Lourie thought that the claims of the SRI patent were similar to the claims in Electric Power Group because, in his view, the SRI claims “recite nothing more than deploying network monitors, detecting suspicious network activity, and generating and handling reports.” Judge Lourie noted that in Electric Power Group, the claims that were held patent-ineligible recited “receiving data,” “detecting and analyzing events in real time,” “displaying the event analysis results and diagnoses of events,” “accumulating and updating measurements,” and “deriving a composite indicator of reliability.”
Further, he pointed out that the portions of the SRI specification to which the majority refers “only recites results, not means for accomplishing them,” and that the SRI claims as written “do not recite a specific way of enabling a computer to monitor network activity.” Since he considered that the SRI claims do not provide any specifics as to how the steps are performed and show no improvement to computer technology, he would have held that the claims were directed to an abstract idea.
Takeaway
As this decision shows, there is much uncertainty regarding whether a claim would be treated as patent-eligible or not under the Alice test. It seems that a different set of judges might have easily sided with Judge Lourie’s analysis and invalidated the claims.
In the
meantime, the explanations and details given in the patent description
regarding the technical problem solved by the invention, instead of referring
to generic computer or network components, helped these claims survive the
patent-eligibility challenge.
[i] Claim 12 of U.S. Patent 8,401,701 at issue in Electric Power Group, LLC v. Alstom S.A.:
12. A method of detecting events on an interconnected electric power grid in real time over a wide area and automatically analyzing the events on the interconnected electric power grid, the method comprising:
receiving a plurality of data streams, each of the data streams comprising sub-second, time stamped synchronized phasor measurements wherein the measurements in each stream are collected in real time at geographically distinct points over the wide area of the interconnected electric power grid, the wide area comprising at least two elements from among control areas, transmission companies, utilities, regional reliability coordinators, and reliability jurisdictions;
receiving data from other power system data sources, the other power system data sources comprising at least one of transmission maps, power plant locations, EMS/SCADA systems;
receiving data from a plurality of non-grid data sources;
detecting and analyzing events in real-time from the plurality of data streams from the wide area based on at least one of limits, sensitivities and rates of change for one or more measurements from the data streams and dynamic stability metrics derived from analysis of the measurements from the data streams including at least one of frequency instability, voltages, power flows, phase angles, damping, and oscillation modes, derived from the phasor measurements and the other power system data sources in which the metrics are indicative of events, grid stress, and/or grid instability, over the wide area;
displaying the event analysis results and diagnoses of events and associated ones of the metrics from different categories of data and the derived metrics in visuals, tables, charts, or combinations thereof, the data comprising at least one of monitoring data, tracking data, historical data, prediction data, and summary data;
displaying concurrent visualization of measurements from the data streams and the dynamic stability metrics directed to the wide area of the interconnected electric power grid;
accumulating and updating the measurements from the data streams and the dynamic stability metrics, grid data, and non-grid data in real time as to wide area and local area portions of the interconnected electric power grid; and
deriving a composite indicator of reliability that is an indicator of power grid vulnerability and is derived from a combination of one or more real time measurements or computations of measurements from the data streams and the dynamic stability metrics covering the wide area as well as non-power grid data received from the non-grid data source.
[1] Claim 12 of U.S. Patent 8,401,701 at issue in Electric Power Group, LLC v. Alstom S.A.:
12. A method of detecting events on an interconnected electric power grid in real time over a wide area and automatically analyzing the events on the interconnected electric power grid, the method comprising:
receiving a plurality of data streams, each of the data streams comprising sub-second, time stamped synchronized phasor measurements wherein the measurements in each stream are collected in real time at geographically distinct points over the wide area of the interconnected electric power grid, the wide area comprising at least two elements from among control areas, transmission companies, utilities, regional reliability coordinators, and reliability jurisdictions;
receiving data from other power system data sources, the other power system data sources comprising at least one of transmission maps, power plant locations, EMS/SCADA systems;
receiving data from a plurality of non-grid data sources;
detecting and analyzing events in real-time from the plurality of data streams from the wide area based on at least one of limits, sensitivities and rates of change for one or more measurements from the data streams and dynamic stability metrics derived from analysis of the measurements from the data streams including at least one of frequency instability, voltages, power flows, phase angles, damping, and oscillation modes, derived from the phasor measurements and the other power system data sources in which the metrics are indicative of events, grid stress, and/or grid instability, over the wide area;
displaying the event analysis results and diagnoses of events and associated ones of the metrics from different categories of data and the derived metrics in visuals, tables, charts, or combinations thereof, the data comprising at least one of monitoring data, tracking data, historical data, prediction data, and summary data;
displaying concurrent visualization of measurements from the data streams and the dynamic stability metrics directed to the wide area of the interconnected electric power grid;
accumulating and updating the measurements from the data streams and the dynamic stability metrics, grid data, and non-grid data in real time as to wide area and local area portions of the interconnected electric power grid; and
deriving a composite indicator of reliability that is an indicator of power grid vulnerability and is derived from a combination of one or more real time measurements or computations of measurements from the data streams and the dynamic stability metrics covering the wide area as well as non-power grid data received from the non-grid data source.