From The Field

March 25, 2019

Another week… another split Federal Circuit decision on 35 U.S.C. Section 101. This time, in SRI Int’l, Inc. v. Cisco Sys., 2019 U.S. App. LEXIS 8249 (Fed. Cir. March 20, 2019), a divided panel held a network security patent eligible under Alice Step 1. This case highlights the difficulties in resolving one of the major threads in the post-Alice caselaw: the level of specificity that Section 101 requires.

The patent-in-suit relates to detecting network intrusions. The particular challenge the patent addresses is that some security threats can only be detected based on information from multiple sources. For example, a suspicious number of failed log-in attempts at several different computers across a network might suggest a hacker. The representative claim analyzed by the Federal Circuit reads:

1. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:

deploying a plurality of network monitors in the enterprise network;

detecting, by the network monitors, suspicious network activity based on analysis of network traffic data selected from one or more of the following categories: {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet, network connection acknowledgements, and network packets indicative of well-known network-service protocols};

generating, by the monitors, reports of said suspicious activity; and

automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.

One noteworthy aspect of these steps is the lack of detail they each recite. Monitors get “deployed” in some manner, the monitors “generat[e] [ ] reports” in some way, and the reports get “receiv[ed] and integrat[ed].” Even the “detecting” step lacks much detail. The monitors simply “detect[ ] … suspicious network activity based on analysis of network traffic data[.]” The claim does list several categories of network traffic data. However, the categories include several basic network communication message types, only one of the categories must be used to infringe the claim, and the claim recites nothing about how the network traffic data in any of the categories is analyzed.

Judge Lourie’s dissent, which argues the claims are ineligible, seized on this point. He stated that “[t]here is no specific technique described for improving computer network security[,]” and that the “claims only recite the moving of information.” Judge Lourie emphasized that “[t]he claims as written [ ] do not recite a specific way of enabling a computer to monitor network activity” (emphasis in original). He characterized the claims as “result-focused, functional claims that effectively cover any solution to an identified problem.”

But Judge Stoll’s majority opinion (joined by Judge O’Malley) saw it differently. Judge Stoll rejected Cisco’s argument that the claims “are simply directed to generic steps required to collect and analyze data.” She stated that “[t]he claims are directed to using a specific technique—using a plurality of network monitors that each analyze specific types of data on the network and integrating reports from the monitors[.]” Judge Stoll held that the representative claim “improves the technical functioning of … computer networks by reciting a specific technique for improving computer network security.”

This issue, along with others, continues to vex the Federal Circuit in its Section 101 cases.

Author: Marc J. Pernick