[00:00:00] Speaker 03: The next case is 23-1731 Centripetal Networks versus Palo Alto Networks. [00:00:08] Speaker 03: Mr. Hanna, when you're ready. [00:00:11] Speaker 00: Good morning, Your Honors. [00:00:12] Speaker 00: May it please the Court. [00:00:13] Speaker 00: James Hanna on behalf of Centripetal. [00:00:16] Speaker 00: The board's decision in this case should be reversed for at least two reasons. [00:00:21] Speaker 00: The first is that the board failed to explicitly construe and faithfully apply the construction of a key term, which is [00:00:30] Speaker 00: reportability likelihood. [00:00:33] Speaker 00: The second is that the board used hindsight bias to find that an undisputedly new technology was obvious in light of the prior art. [00:00:46] Speaker 00: So I'd like to first start with reportability likelihood, and what this is, and what Centripetal came up with in developing this technology. [00:00:57] Speaker 00: In the cybersecurity field, as [00:00:59] Speaker 00: You're not sure where. [00:01:01] Speaker 00: It's a very complicated task to protect the network. [00:01:05] Speaker 00: And many of these firms have loads and loads of cybersecurity analysts that are analyzing threats as they come into a network. [00:01:15] Speaker 00: These threats typically will have threat scores. [00:01:20] Speaker 00: And these threat scores will indicate the threat that a particular virus will do, the damage it will do to a network. [00:01:28] Speaker 00: What Centripetal noticed is that only a fraction of these threats are actually reportable. [00:01:38] Speaker 00: And what that means is, looking at the threat as it's coming in to a network, whether a cyber analyst is going to actually report the threat. [00:01:48] Speaker 00: Now, this is different than what a threat score is. [00:01:54] Speaker 00: So I'll give you an example. [00:01:56] Speaker 00: So say two threats come in. 
[00:01:58] Speaker 00: One threat has a score of nine, because it's going to do a lot of damage to your network. [00:02:04] Speaker 00: Another threat comes in that has a score of seven, because it's not going to do as much. [00:02:09] Speaker 00: Well, a cyber analyst might report this threat score of seven, but not the threat score of nine, because the threat score of nine might be, we might have tools that are going to be able to deal with it. [00:02:22] Speaker 00: It might be known [00:02:24] Speaker 00: But the threat score of 7 might be brand new, and they don't have tools to deal with it. [00:02:30] Speaker 00: So I think a proper analogy of this is COVID. [00:02:34] Speaker 00: If you think about it, COVID when it first came out was highly reportable. [00:02:40] Speaker 00: It was a threat that was highly reportable. [00:02:44] Speaker 00: Now, COVID is not as reportable. [00:02:49] Speaker 00: We don't have to go to those centers anymore and report when someone is infected with COVID. [00:02:55] Speaker 00: The threat's the same. [00:02:59] Speaker 00: We now have the tools that are able to deal with certain aspects of COVID. [00:03:04] Speaker 00: And that's the same thing as applies to security. [00:03:09] Speaker 00: When you have the tools and when you have the necessary things to combat the viruses as they come in, it may be less reportable. [00:03:21] Speaker 00: And this system is exactly what Centripetal came up with. [00:03:25] Speaker 00: It greatly increased the workflow for these cyber analysts. [00:03:29] Speaker 00: Instead of being able to see all these threats and all these scores and have to make a judgment as to whether it's going to be reportable or not, Centripetal came up with a system that actually would say, OK, is this going to be reportable by a cybersecurity analyst? [00:03:46] Speaker 00: And if it is, [00:03:48] Speaker 00: then it's going to note that. 
[00:03:49] Speaker 00: And it uses, for example, it'll use artificial intelligence to get into the mind of what a cyber security analyst would do. [00:03:57] Speaker 02: Can we talk about claim construction because I guess all this turns on reportability likelihood. [00:04:04] Speaker 00: Correct. [00:04:04] Speaker 02: I understand that you're faulting the board for not expressly construing it, but when I look at the record, it looks as if you both proposed constructions. [00:04:13] Speaker 02: They didn't seem to be materially different. [00:04:15] Speaker 02: The board said that at institution. [00:04:17] Speaker 02: Nobody told them they were wrong. [00:04:20] Speaker 02: And in fact, your side, I think, expressly said nothing turns essentially on deciding the construction. [00:04:28] Speaker 02: So if I got all that right, how could it possibly be an error for the board not to have construed a claim that wasn't in dispute? [00:04:36] Speaker 00: Because the way that the board applied it. [00:04:39] Speaker 00: So we agree that the reportability likelihood has to be the probability that an event is going to be reportable. [00:04:50] Speaker 00: PAN agreed with that as well. [00:04:53] Speaker 00: But the board. [00:04:54] Speaker 02: Show me where the board, you say it took out the requirement of probability. [00:04:58] Speaker 02: I just don't see that anywhere in the board's opinion. [00:05:02] Speaker 00: So when it applied it to Church, the board specifically said that, and this is an appendix, where it said the board held that the [00:05:18] Speaker 00: reportability likelihood could be expressed in any manner. [00:05:23] Speaker 02: Right. [00:05:24] Speaker 02: But it didn't say you don't need a reportability likelihood. [00:05:27] Speaker 02: It didn't say you don't need a probability. [00:05:28] Speaker 02: It just said it can be expressed in any manner.
[00:05:32] Speaker 02: That's not the same thing as I read it as saying, hey, you don't need a reportability likelihood. [00:05:36] Speaker 02: You don't need a probability. [00:05:39] Speaker 00: Well, the normalized value is not a probability. [00:05:42] Speaker 00: Both sides agree. [00:05:42] Speaker 03: Well, that's a substantial evidence argument. [00:05:45] Speaker 03: I mean, I think you're doing what lots of patentees like to do here and try to get a better standard of review by saying it's a claim construction. [00:05:52] Speaker 03: But the board said likelihood, which is the same as probability, isn't it? [00:05:57] Speaker 03: You just don't agree that the prior art discloses likelihood because threat, in your view, is not likelihood. [00:06:08] Speaker 00: I think what happened was the board said, OK, we're not going to construe this term because both sides agree that it's a problem. [00:06:16] Speaker 03: And the board didn't diverge from that, right? [00:06:20] Speaker 03: They said likelihood. [00:06:24] Speaker 03: The stuff you just read us said likelihood. [00:06:26] Speaker 03: So that's the proper claim construction, isn't it? [00:06:30] Speaker 03: Probability, likelihood. [00:06:31] Speaker 03: I mean, they use two different words, but it's the same claim construction. [00:06:35] Speaker 00: Well, no, Your Honor, because when they said that it could be expressed in any manner... What did they say could be expressed in any manner? [00:06:44] Speaker 00: The reportability likelihood. [00:06:47] Speaker 00: By that reading, that's saying that that doesn't have to be expressed as a probability. [00:06:52] Speaker 00: That whole analysis that they applied when they're talking about the normalization for Church, [00:06:57] Speaker 00: They said that a normalization, I think we all understand. [00:06:59] Speaker 03: What if that phrase had said probability can be expressed in any manner? [00:07:04] Speaker 03: Would you have a problem with them then?
[00:07:06] Speaker 00: That probability can be expressed in any manner? [00:07:09] Speaker 03: Yeah. [00:07:10] Speaker 00: I mean, I think it still has to be a probability, though. [00:07:12] Speaker 00: I mean, it can't be. [00:07:13] Speaker 03: But that's what they're saying. [00:07:14] Speaker 03: It's probability, but it can be expressed in any manner, as long as it's expressing a probability. [00:07:20] Speaker 03: That, to me, is what they're saying when they're saying what you just quoted to us. [00:07:25] Speaker 03: And so then you have to show why the prior art doesn't disclose a likelihood or probability. [00:07:34] Speaker 00: So I'm unclear how you can express a probability as a normalized value. [00:07:40] Speaker 00: I don't think that's math math. [00:07:41] Speaker 03: That's a substantial evidence argument, though. [00:07:43] Speaker 03: You should be arguing that their reliance on that reference, which only has a threat level, doesn't contain probability. [00:07:52] Speaker 03: And therefore, that reference is not substantial evidence for their decision. [00:07:56] Speaker 00: And we do argue that in our papers. [00:07:58] Speaker 00: This is part of the hindsight bias that we argue throughout our papers. [00:08:03] Speaker 00: And what we say is, [00:08:05] Speaker 00: The board absolutely applied hindsight bias because- I don't really care about the hindsight bias argument yet, though. [00:08:13] Speaker 03: You're trying to convert a substantial evidence argument into whether the prior art discloses a likelihood or probability into a claim construction. [00:08:21] Speaker 03: And I don't think there's a claim construction argument here. [00:08:24] Speaker 03: So explain to me why the board was wrong in pointing to this threat level as showing a probability. [00:08:32] Speaker 00: OK, because the claim language itself differentiates between the two.
[00:08:37] Speaker 00: It says that you can have a reportability likelihood that has to be generated based on an algorithm. [00:08:44] Speaker 00: And one of those factors can be the risk score. [00:08:48] Speaker 00: I think it's undisputed that the risk score is this. [00:08:50] Speaker 03: I mean, you're not answering the question. [00:08:51] Speaker 03: The question is, why? [00:08:55] Speaker 03: Is the board's reliance on whatever the prior art shows as a threat level not substantial evidence to support its view that it discloses a reportability likelihood? [00:09:08] Speaker 00: I was trying to answer that. [00:09:10] Speaker 03: Well, you're talking about the claim language. [00:09:12] Speaker 03: We've already, at least hypothetically and for purposes of argument, established that I don't think there's a claim construction problem. [00:09:20] Speaker 03: So pointing to the patent is not answering the question of what the prior art discloses and whether the board's reliance on it is supported by substantial evidence. [00:09:29] Speaker 00: So the threat level or the threat score, that's equivalent in Church. [00:09:36] Speaker 00: That is the score that the event is going to be a threat. [00:09:43] Speaker 00: And actually, that whole quote is actually truncated from PAN when they cite it every time. [00:09:49] Speaker 00: But that is the probability that an event is a threat. [00:09:53] Speaker 00: That is not the probability that the threat is going to be actually reportable. [00:09:57] Speaker 00: It doesn't take that next step. [00:10:00] Speaker 03: And the only reason I was pointing to the claim language, Your Honor, was... Can I point you to page 25 of the board's decision, which is also page 25 of the appendix? [00:10:09] Speaker 00: Yes, Your Honor.
[00:10:11] Speaker 03: The bottom paragraph, the board says, responding to this exact argument, Church expressly states that its threat rating indicates the likelihood of an event being a threat to the network and the subjective value. [00:10:27] Speaker 00: That's exactly my point. [00:10:28] Speaker 00: So the likelihood of an event being a threat to the network, not the likelihood of the event being reportable. [00:10:37] Speaker 00: It doesn't take that extra step. [00:10:41] Speaker 00: And the reason I play back to the claim language is because the claim language already accounts for the threat being a network. [00:10:49] Speaker 00: The claim language requires, in addition, it being reportable. [00:10:54] Speaker 00: So that's what Centripetal came up with. [00:10:56] Speaker 00: It had a system that had a bunch of threats that came in with threat scores. [00:11:01] Speaker 00: And cyber analysts were overwhelmed. [00:11:04] Speaker 00: They were completely overwhelmed by it. [00:11:05] Speaker 02: Did the board find that there's at least a correlation that Church discloses between the severity of the threat and the reportability of the threat? [00:11:13] Speaker 00: There isn't. [00:11:14] Speaker 00: Church never talks about reportability. [00:11:16] Speaker 02: Did the board say that Church would render that obvious to one of skill in the art? [00:11:21] Speaker 00: Well, what the board said was that you would use it as a reportability likelihood, which assumes that you know what a reportability likelihood is. [00:11:30] Speaker 00: But that concept did not exist in the prior art, and that's undisputed. [00:11:34] Speaker 02: That's your hindsight argument. [00:11:35] Speaker 02: But why is there not substantial evidence to support the board's reading of Church as establishing or rendering obvious a correlation between the more severe a threat, the more likely it is that it should be reported?
[00:11:53] Speaker 00: Because we have the example in our briefing. [00:11:57] Speaker 00: When you have this normalized value that is pointed to, [00:11:59] Speaker 00: And they say the normalized value is 30. [00:12:04] Speaker 00: That's the likelihood of it being a threat to the network. [00:12:10] Speaker 00: If there's a threshold of that threat being to the network, it might not be reported at all. [00:12:18] Speaker 00: So that's not a probability of it being reported. [00:12:21] Speaker 00: There's nothing in Church that says anything about this being reportable. [00:12:25] Speaker 03: You answered your rebuttal, but before you go, is this reportability likelihood a term that you have in other patents you own that might come before the board in IPRs or district court, or is it only in the patents that are in this IPR? [00:12:39] Speaker 03: If you know. [00:12:41] Speaker 00: This is the only one that I can think of right now that has it in the claim language. [00:12:46] Speaker 00: Maybe it's in the specification. [00:12:48] Speaker 00: But this is what I would qualify as the cyber analysis workflow patent. [00:12:54] Speaker 00: And this improves the workflow for a cyber analyst. [00:12:57] Speaker 00: And in terms of district court, this portion was stayed. [00:13:03] Speaker 00: Right, the same patent. [00:13:04] Speaker 00: But I was asking if there was other patents. [00:13:06] Speaker 00: And to your knowledge, you don't have to. [00:13:10] Speaker 00: To my knowledge, I can't think of any. [00:13:11] Speaker 00: I would be involved, but I can't think of any. [00:13:14] Speaker 00: Thank you, Your Honor. [00:13:22] Speaker 03: Mr. Howard Drymire? [00:13:24] Speaker 03: Thank you, as we have pleased the court. [00:13:26] Speaker 03: Can you jump right in on that point I was asking your friend about?
[00:13:32] Speaker 03: We were looking at that part of the board's decision, and he made a point that what the board was pointing to was still just a threat level and didn't actually translate to reportability. [00:13:43] Speaker 01: So the board does expressly address that argument. [00:13:48] Speaker 01: And there is more to the language in Church [00:13:51] Speaker 01: that the board is relying on because it's a likelihood of the event being a threat and the subjective value of the loss or the magnitude of the loss if the event is not responded to. [00:14:05] Speaker 01: That's the reporting. [00:14:06] Speaker 01: And I'm quoting from on page 25. [00:14:10] Speaker 01: This is the board citing Church at 825 to 28. [00:14:15] Speaker 01: So it's this notion that this is the risk. [00:14:20] Speaker 01: If the event is not responded to is how we know that Church is directing its threat level at whether the user is going to respond or not. [00:14:30] Speaker 01: And the board addresses this specifically on [00:14:35] Speaker 01: pages 26 and 27. [00:14:37] Speaker 01: On 27, they're responding to the patent owner's argument that Church teaches away from responding. [00:14:47] Speaker 01: And they say, no, that's not true, Church. [00:14:50] Speaker 01: And they cite, this is 27, about the middle of the page of citing, including to Church 9, lines 25 to 29, that [00:15:00] Speaker 01: The user, which is the analyst, reviewing the threat ratings can request that a defensive or corrective action be taken. [00:15:12] Speaker 01: So the ratings are used to prioritize the user's review so that they can report, i.e. [00:15:22] Speaker 01: take an action, which is either a report or, at the very least, obvious to report anything you [00:15:29] Speaker 01: You've requested that an action be taken for it. [00:15:32] Speaker 01: So Church is specifically describing this likelihood in terms of whether it does or does not require action on the part of the user.
[00:15:45] Speaker 01: So on substantial evidence review, that is certainly substantial evidence. [00:15:51] Speaker 01: And I agree with Your Honor, Judge Stark, that this is not a claim construction issue. [00:15:56] Speaker 01: And I do want to just underscore [00:15:58] Speaker 01: one point that I think proves that. [00:16:01] Speaker 01: And that is in 825, in which the board specifically notes the dictionary definition of likelihood being a probability. [00:16:10] Speaker 01: So they're not saying a likelihood is not a probability. [00:16:13] Speaker 01: They're acknowledging that those two terms are often equated. [00:16:19] Speaker 01: But they say that there's no requirement in the 899 that this likelihood be expressed [00:16:25] Speaker 01: in a particular manner. [00:16:27] Speaker 01: In fact, in the reply brief at page 13, the patent owner acknowledges, concedes that it doesn't have to be in the form of a percentage or decimal between 0 and 1. [00:16:42] Speaker 01: But then when they go on to say why it is that Church doesn't describe this, [00:16:47] Speaker 01: They keep saying it doesn't describe it in percentage terms, such as on page 22. [00:16:52] Speaker 01: And they say that 30 is not equivalent to 30% likelihood probability that it will be reported. [00:17:01] Speaker 01: But a probability doesn't require that kind of percentage. [00:17:05] Speaker 01: It can be more probable, less probable. [00:17:08] Speaker 01: And in fact, both Church and the 899 describe the likelihood in those same terms. [00:17:15] Speaker 01: Counsel referred to Church saying that a user could look at threat ratings of 0 to 30 and say, those are low risk, and so I'm not going to spend my valuable time on those. [00:17:29] Speaker 01: He says, that means that's a zero likelihood of reportability. [00:17:33] Speaker 01: Well, that's ex post, right? [00:17:36] Speaker 01: Ex ante, there was some likelihood. [00:17:38] Speaker 01: It was just a low.
[00:17:39] Speaker 01: likelihood that they would be reported. [00:17:43] Speaker 01: In the actual event, it may be that the user says, I don't have time to deal with this. [00:17:48] Speaker 01: But this is the exact same thing that the 899 uses to describe a reportability likelihood. [00:17:56] Speaker 01: 899, and this is at A66, column 350 to 53, [00:18:03] Speaker 01: discloses that events with a low likelihood of reportability may never be investigated by cyber analysts and may be removed from the queue. [00:18:14] Speaker 01: If they've been there too long, the cyber analysts are dealing with the higher ratings, the ones with a greater likelihood of reportability. [00:18:22] Speaker 01: And the board points this out and notes also elsewhere that the 899 describes the relationship between [00:18:35] Speaker 01: severity of risk and reportability likelihood. [00:18:40] Speaker 01: On A23, they cite the 899 at column 15, lines 1 to 9, as describing features, quote, designed to measure or quantify a human's perception of the threat risk and therefore reportability likelihood of an event. [00:18:58] Speaker 01: So in other words, the 899 is describing the exact same thing that Church does in light of answer. [00:19:14] Speaker 02: And why is that still a probability like that? [00:19:19] Speaker 01: Well, normalized values are 0 to 1. [00:19:24] Speaker 01: And obviousness does not turn on whether it's 0 to 1 or a decimal point from 0 to 1. [00:19:32] Speaker 01: Those can be the same thing, or at the very least would be obvious from one another. [00:19:38] Speaker 01: It's just a question of where are you putting the decimal points. [00:19:41] Speaker 01: Again, it's [00:19:42] Speaker 01: What Church is disclosing is the likelihood that this is the thing that the, that the analyst is going to focus on and report. [00:19:52] Speaker 01: And that is, I mean, likelihood is used by Church itself, right?
[00:19:58] Speaker 01: So that the product of this is a likelihood of the user taking the corrective action, which is what's called for. [00:20:07] Speaker 01: That's what Church is focusing on. [00:20:09] Speaker 01: is when we're talking about substantial evidence review, I think. [00:20:13] Speaker 01: amply supported. [00:20:15] Speaker 02: This may be the same question, but in the gray brief, they fault you for suggesting that a reportability likelihood can be a probabilistic determination as opposed to a probability. [00:20:28] Speaker 02: Did you mean something different by probabilistic determination? [00:20:32] Speaker 01: I don't think so, Your Honor. [00:20:33] Speaker 01: I think, again, because the probability or likelihood doesn't have to be expressed in any particular fashion, we were just trying to [00:20:42] Speaker 01: cover that there can be other ways of describing it. [00:20:45] Speaker 01: And again, that's in the 899 as well when they talk about these low likelihood events as being ones that you might be able to set aside and the high risk ones being the ones that would therefore have a high reportability likelihood. [00:21:06] Speaker 01: Those are the same things that are described in Church. [00:21:09] Speaker 01: I mean, in essence, [00:21:10] Speaker 01: I think in this response to the hindsight argument, in essence what the 899 does is take what the prior art already discloses and just uses different words to describe it. [00:21:25] Speaker 01: Instead of describing it from [00:21:27] Speaker 01: What's the risk if we don't act, i.e., [00:21:30] Speaker 01: What's the likelihood? [00:21:31] Speaker 01: We're going to need to act. They describe it from the end: What's the likelihood that an action was taken and a report made? Those, but, but it doesn't matter how you describe it. Obviousness is based upon the reality of what's disclosed. If the panel has no further questions.
[00:22:00] Speaker 03: Mr. Hannah, you have two minutes left for rebuttal. [00:22:02] Speaker 00: Thank you, Your Honor. [00:22:06] Speaker 00: I think something to note from counsel's arguments is that it never really addressed what Church actually says. [00:22:14] Speaker 00: As Your Honor pointed out on page 25 of the appendix, Church describes the likelihood of an event being a threat to the network. [00:22:23] Speaker 00: It never takes the extra step of saying, [00:22:27] Speaker 00: that threat is going to be reportable by a cyber analyst. [00:22:32] Speaker 00: And that's the key. [00:22:33] Speaker 00: That's the key to the initiative. [00:22:35] Speaker 00: What about the if not responded to portion? [00:22:37] Speaker 00: I'm sorry? [00:22:38] Speaker 02: What about the if not responded to portion? [00:22:41] Speaker 02: A response implies a message being sent. [00:22:45] Speaker 00: But we need an algorithm that's actually going to a system and an algorithm that's designed by the system using, for instance, in claim 11, a machine algorithm or an AI algorithm that's actually going to generate that. [00:22:59] Speaker 00: That's the problem is he kept saying that it's going to be done by a person looking at that. [00:23:03] Speaker 00: That's the problem this system solves. [00:23:05] Speaker 00: And by the board adopting this pseudo-construction, if you want to say about the probability, they completely ignored the testimony of Dr. Orso. [00:23:16] Speaker 00: I mean, it's completely absent from this decision because they tried to say that it can be in any manner, expressed in any manner. [00:23:26] Speaker 00: And so every time counsel talked about this, it always never addressed the fact that this is the likelihood of an event being a threat versus being reportable by the cyber analysts. [00:23:39] Speaker 00: I mean, that's exactly what the invention is trying to solve here.
[00:23:45] Speaker 00: With regard to the normalized value, a normalized value mathematically is a value that's going to be assigned across a variety of different factors that are going to happen. [00:23:56] Speaker 00: It's not a probability that it's going to be reportable by a cyber analyst. [00:24:02] Speaker 00: And that concept is completely out of the art. [00:24:06] Speaker 00: Thank you. [00:24:07] Speaker 00: Thank you, Your Honors.