EXHIBIT D-5
IPR2021-00832
Daedalus EX2009

Microsoft contends that the asserted claims of the ’209 Patent are invalid as obvious over the following prior art references, each of which qualifies as prior art under various subsections of 35 U.S.C. § 102, in view of other prior art references under 35 U.S.C. § 103, as set forth in Microsoft’s invalidity contentions: Warfield, “Isolation of Shared Network Resources in XenoServers” (“Warfield”); Matthews, “Data Protection and Rapid Recovery From Attack With a Virtual Private File Server and Virtual Machine Appliances” (“Matthews”); U.S. Patent No. 8,161,475 (“Araujo”); and U.S. Patent No. 8,107,370 (“Chandika”).

As Warfield was published in November 2002, Microsoft contends that it is prior art to the ’209 Patent under at least pre-AIA 35 U.S.C. § 102(b).

As Matthews was published in 2005, Microsoft contends that it is prior art to the ’209 Patent under at least pre-AIA 35 U.S.C. § 102(b).

As Araujo was filed on September 29, 2006, and published on April 3, 2008, Microsoft contends that it is prior art to the ’209 Patent under at least pre-AIA 35 U.S.C. § 102(e).

As Chandika was filed on April 6, 2005, and published on October 12, 2006, Microsoft contends that it is prior art to the ’209 Patent under at least pre-AIA 35 U.S.C. § 102(e).

Patent No. 8,381,209

Claim Limitation(s):

“setting firewalls to permit a network traffic for the virtual machine to go to the second device at the hypervisor layer” (Claim element 2[b])

“updating traffic filters for said virtual machine at the hypervisor level” (Claim element 4[b])

Disclosures:

Warfield, “Isolation of Shared Network Resources in XenoServers” (“Warfield”)

Warfield discloses setting firewalls to permit a network traffic for the virtual machine to go to the second device at the hypervisor layer and updating traffic filters for a virtual machine at the hypervisor level. For example, Warfield states:

“The network system within Xen consists of a virtual firewall router, which is a rule-based packet classification/forwarding engine (based on Linux netfilter/IPTables code) responsible for simple, fast packet handling. Additionally, Xen’s network system incorporates a network address translation (NAT) module that provides functions such as address translation and port forwarding.

Packet scheduling in Xen is at the granularity of virtual interfaces. A soft real-time scheduler moves transmit packets from virtual interface send queues through Xen’s routing tables. Received packets are delivered on arrival and appropriate RX scheduling is deferred on to the CPU scheduler as VMs are responsible for emptying their own inbound message buffers. VMs which do not empty their receive queues at the inbound packet rate will have extraneous packets dropped.

Rules may be installed into classification engine through an interface provided within a privileged VM (known as domain zero). These rules are tuples of the form (pattern, action). Note that rules may be prioritized and a particular packet may match multiple rules upon classification. This means that, for instance, an arriving packet bound for a VM may be routed to that VM and trigger the generation of a logging event to domain zero.” Warfield at 4-5.

Warfield at Fig. 3:

Matthews, “Data Protection and Rapid Recovery From Attack With a Virtual Private File Server and Virtual Machine Appliances” (“Matthews”)

Matthews discloses setting firewalls to permit a network traffic for the virtual machine to go to the second device at the hypervisor layer and updating traffic filters for a virtual machine at the hypervisor level. For example, Matthews states:

“We also use the base machine as a platform for monitoring the behavior of each guest. For example, in our prototype, we run an intrusion detection system on the base machine. (The base machine could also be used as a firewall or NAT gateway to further control access to virtual machine appliances with interfaces on the physical network.) The intrusion detection system can detect both attack signatures in incoming traffic and unexpected behavior in outgoing traffic. For example, it could indicate that all outgoing network traffic from a particular virtual machine appliance should be POP or SMTP. In such a configuration, unexpected traffic such as an outgoing ssh connection that would normally not raise alarms could be considered a sign of an attack.” Matthews at Section 2.1.

“The base machine creates a set of resource limits for each virtual machine appliance in several ways. First, the base machine can allocate a limited amount of system resources such as memory, disk space or even CPU time to each guest. Second, the base machine can restrict access to the local virtual network and/or the physical network connection. In either case, access can be denied completely or restricted through firewall rules. Third, the intrusion detection system running on the base machine monitors the behavior of the guest for both attack signatures and otherwise “innocent” looking traffic that is simply unexpected given the purpose of the virtual machine appliance.” Matthews at Section 2.4.

“We can defend against backdoor programs and programs that exploit specific server software by blocking all unneeded ports using firewall software at the base OS or virtual machine monitor level. On a base operating system, this may not always be possible because some ports exploited by viruses must be left open for legitimate reasons. For example, the blaster worm infects systems via the Microsoft Windows DCOM RPC service that listens on TCP port 135. Most VM's will not need access to this port so it will be blocked by default which completely removes any threat that the Blaster virus will infect those VM's. Some VM's may need access to TCP port 135 and on these systems you would not block it. In this case, an intrusion detection system on the base machine could monitor for and recover from many of these attacks.” Matthews at Section 4.
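The hypervisor-layer filtering that the Warfield and Matthews passages above describe, a prioritized rule table in the privileged domain through which every virtual interface's traffic is classified, can be made concrete in code. The following is an added example written for this page; it is not code from the exhibit, from the ’209 Patent or from either reference. It models Warfield's prioritized (pattern, action) tuples, including a packet that matches both a forwarding rule and a separate logging rule, and expresses the Matthews policy of blocking TCP port 135 towards every VM by default with a per-VM exception, and of treating non-POP/SMTP egress from a mail appliance as unexpected, as rules that are installed into and later removed from the table at runtime. The Packet, Rule and HypervisorFilter classes and the VM names, addresses and ports are all constructed for the example.

```python
"""Added example, not from the exhibit or the cited references: a toy
domain-zero style packet classifier in the shape the Warfield and Matthews
passages describe. Rules are prioritized (pattern, action) tuples, a packet
may match several rules (forward AND log), and per-VM filters are installed
or removed at runtime. All VM names, addresses and ports are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    vm: str          # virtual interface the packet belongs to
    direction: str   # "in" (towards the VM) or "out" (from the VM)
    proto: str       # "tcp" or "udp"
    dport: int
    src: str
    dst: str


Pattern = Dict[str, object]   # field -> required value; absent fields are wildcards


@dataclass(order=True)
class Rule:
    priority: int                                        # lower value is evaluated first
    pattern: Pattern = field(compare=False)
    action: str = field(compare=False)                   # "forward", "drop" or "log"
    terminal: bool = field(compare=False, default=True)  # False: keep matching (log rules)


def matches(pattern: Pattern, pkt: Packet) -> bool:
    return all(getattr(pkt, k) == v for k, v in pattern.items())


class HypervisorFilter:
    """Rule table that the privileged domain installs into; every packet
    between a virtual interface and the outside is classified against it."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.log: List[str] = []          # logging events delivered to domain zero

    def install(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort()                 # stable: equal priorities keep install order

    def remove(self, predicate: Callable[[Rule], bool]) -> int:
        before = len(self.rules)
        self.rules = [r for r in self.rules if not predicate(r)]
        return before - len(self.rules)

    def classify(self, pkt: Packet) -> str:
        """Returns the first terminal verdict; non-terminal rules fire on the way."""
        for rule in self.rules:
            if not matches(rule.pattern, pkt):
                continue
            if rule.action == "log":
                self.log.append(f"{pkt.vm} {pkt.direction} {pkt.proto}/{pkt.dport} {pkt.src}->{pkt.dst}")
            if rule.terminal:
                return rule.action
        return "drop"                     # default deny when no terminal rule matched


def build_policy() -> HypervisorFilter:
    f = HypervisorFilter()
    # Matthews: block TCP/135 (DCOM RPC, the Blaster vector) towards every VM by default ...
    f.install(Rule(50, {"direction": "in", "proto": "tcp", "dport": 135}, "drop"))
    # ... except for a VM that genuinely needs it, via a higher-priority exception.
    f.install(Rule(10, {"vm": "legacy-vm", "direction": "in", "proto": "tcp", "dport": 135}, "forward"))
    # Warfield: inbound web traffic is routed to web-vm AND raises a dom0 logging event.
    f.install(Rule(5, {"vm": "web-vm", "direction": "in", "proto": "tcp", "dport": 80}, "log", terminal=False))
    f.install(Rule(10, {"vm": "web-vm", "direction": "in", "proto": "tcp", "dport": 80}, "forward"))
    # Matthews: a mail appliance should only emit POP or SMTP; other egress is logged as
    # unexpected (non-terminal) and then falls through to the default drop.
    f.install(Rule(10, {"vm": "mail-vm", "direction": "out", "proto": "tcp", "dport": 25}, "forward"))
    f.install(Rule(10, {"vm": "mail-vm", "direction": "out", "proto": "tcp", "dport": 110}, "forward"))
    f.install(Rule(20, {"vm": "mail-vm", "direction": "out"}, "log", terminal=False))
    return f


def run_demo() -> Tuple[Dict[str, str], List[str]]:
    f = build_policy()
    pkts = {   # constructed sample packets
        "blaster_probe_to_web": Packet("web-vm", "in", "tcp", 135, "203.0.113.7", "10.0.0.2"),
        "dcom_to_legacy": Packet("legacy-vm", "in", "tcp", 135, "10.0.0.9", "10.0.0.3"),
        "http_to_web": Packet("web-vm", "in", "tcp", 80, "198.51.100.4", "10.0.0.2"),
        "smtp_from_mail": Packet("mail-vm", "out", "tcp", 25, "10.0.0.4", "192.0.2.25"),
        "ssh_from_mail": Packet("mail-vm", "out", "tcp", 22, "10.0.0.4", "192.0.2.66"),
    }
    verdicts = {name: f.classify(p) for name, p in pkts.items()}
    # Update the filters for one VM at runtime: revoke the legacy exception.
    f.remove(lambda r: r.pattern.get("vm") == "legacy-vm")
    verdicts["dcom_to_legacy_after_revoke"] = f.classify(pkts["dcom_to_legacy"])
    return verdicts, f.log


if __name__ == "__main__":
    results, events = run_demo()
    for name, verdict in results.items():
        print(f"{name:30s} {verdict}")
    print("dom0 log events:", *events, sep="\n  ")
```

The default verdict is drop, so a VM's traffic only flows where a terminal forward rule has been installed for it; logging rules are non-terminal so that, as in the Warfield passage, a packet can be routed to its VM and still raise a domain-zero event.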

U.S. Patent No. 8,161,475 (“Araujo”)

Araujo discloses setting firewalls to permit a network traffic for the virtual machine to go to the second device at the hypervisor layer and updating traffic filters for a virtual machine at the hypervisor level. For example, Araujo states:

“A mechanism for the provisioning of virtual machines is desired in order to achieve and maintain a predetermined state or requirement of a system of virtual machines. A virtual machine provisioning system 300 to achieve this goal is illustrated in FIG. 3. Virtual machines 310 are connected to a monitoring agent 320. FIG. 3 illustrates three virtual machines 310 (310 a, 310 b, and 310 c), although the number of virtual machines is not so limited and more or fewer virtual machines 310 may form part of the virtual machine provisioning system 300. The monitoring agent 320 is responsible for collecting data from the virtual machines 310. The monitoring agent 320 may also collect data from a virtual server host 350, connected to virtual machines 310, and/or from a computing device or system 360, also connected to virtual machines 310. The computing device or system 360 may include, for example, a network router, load balancing hardware, a firewall, a software management system, and/or any combination thereof. The collected data may be used to determine a state of the virtual machines 310 and to determine if their state or that of the system, which may be a combination of virtual machines 310 from multiple servers, is at a predetermined state. The provisioning mechanism is employed, as described in further detail below, if the state of the virtual machines 310 is not at or near the predetermined state.” Araujo at 7:37-60.

“For example, suppose that the policy administrator 340 defines system policies as a target usage of a web server at 1,000 pages per minute per web server for a target of 10 virtual machines 310. The target usage is, in this example, the monitored variable and is used to determine the state (healthy or unhealthy) of the system. The virtual machines 310 provide their respective usage in number of pagers per minute to the monitoring agent 320. Further suppose that the policy administrator 340 defines an unhealthy state as +/−10% change in usage over a 24 hour time period. If the monitoring agent 320 detects in virtual machine 310 a+/−10% change in usage over a 24 hour time period, then the monitoring agent 320 relays such detection to the enforcement agent 330 to take appropriate action. Suppose that the policy administrator 340 defines a violation action as deleting a virtual machine if the usage for the particular virtual machine is −10% below 1,000 pages per minute and adding a virtual machine if the usage is +10% above 1,000 pages per minute. The policy administrator 340 communicates to the enforcement agent 330 the action to take when the enforcement agent 330 receives an indication from the monitoring agent 320. The enforcement agent 330 may need to take action on other devices to remedy the violation. For example, the enforcement agent 330 may need to reconfigure a load and balancing hardware to inform it about the new machine being added or removed from the system and become active or reconfigure a firewall to allow traffic to flow to the new machine.” Araujo at 9:37-63.

Claim Limitation(s):

“storing network access control lists” (Claim 7)

Disclosures:

U.S. Patent No. 8,107,370 (“Chandika”)

Chandika discloses storing network access control lists (ACLs). For example, Chandika states:

“In some embodiments of the invention, CAM 222 is configured to hold access parameters based on access control lists (ACLs). Access control lists stored in CAMs allow dynamic configuration of the set of restricted patterns that are to be detected; that is, changing the content of the CAM changes what patterns are restricted. A ternary CAM, that is, one where some bit positions of the pattern to match can be stored as “don't cares,” can be used advantageously for storing restricted patterns for packets. ACLs, CAMs, and ternary CAMs are known in the art.” Chandika at 4:51-60.

“One known approach to this problem is an access control list (ACL). An access control list stores in a memory a restricted pattern, compares this pattern to the packets traveling across a particular point in a network, and drops any packets that are restricted, that is, that match the restricted pattern. Thus, any problems that would have been created by the restricted packet being received and acted upon are prevented.” Chandika at 1:27-34.

“Process 400 starts with activity 410, in which a configuration command is received. Such a command may be received in various ways, including but not limited to: by receiving a simple network management protocol (SNMP) packet; or by a user such as a network administrator entering a configuration command into a command line interface (CLI) window linked to the access device. The SNMP packet or the CLI command may, but need not, originate from network management device 140, as described with regard to FIG. 1.

The configuration command received specifies, at a minimum, a particular value of the restriction parameter (i.e., either restricted or unrestricted) for a particular input port of the access device. In various embodiments of the invention, a single command may specify multiple input ports and the value, or the set of respective values, to which each port's parameter is to be set.” Chandika at 6:36-51.

“After activity 410, activity 420 occurs, in which the parameter value specified in the command is stored for one of the input ports specified in the configuration command received. Next, activity 430 occurs. If the value specified in the command for the current input port is restricted, then each pattern matcher within the access device is enabled for packets arriving on that port. If the value specified is unrestricted, then each pattern matcher within the access device is disabled for packets arriving on that port.” Chandika at 6:62-7:3.

Claim Limitation(s):

“adding a command line interface to a Virtual Switch configuration to set and unset a respective one of the access control lists” (Claim 8)

Disclosures:

U.S. Patent No. 8,107,370 (“Chandika”)

Chandika discloses adding a command line interface to a Virtual Switch configuration to set and unset a respective one of the access control lists. For example, Chandika states:

“Network communication links 180 interconnect the various components within network 100. For example, network communication link 180 a interconnects network management device 140 and network device 120 a, and link 180 b interconnects network devices 120 c and access device 110 c. Links 180 may include any mixture of, but are not limited to: Ethernet links; local area network (LAN) links; virtual local area network (VLAN) links; wide area network (WAN) links; private intranet links, or links over the public Internet.” Chandika at 3:6-14.

“FIG. 2 is a data flow diagram of a portion 200 of an access device that illustrates an embodiment of the invention. Access device portion 200 includes input ports 210, packet detectors 200, a configuration controller 230, an exception handler 240, a packet switch/router 250, and output ports 260. Each arrow in FIG. 2 indicates that network packets flow between the components of access device 200 in the direction indicated. Configuration controller 230 is described with respect to FIG. 4 below.” Chandika at 3:30-38.

“Each input port 210 receives packets of network data traffic that are transmitted from the digital device connected with that particular input port. The packets then flow to packet detectors 220. From packet detectors 220, the packets flow either to packet switch/router 250 for normal handling, or to exception handler 240 when restricted packets are received on a restricted input port.” Chandika at 3:48-54.

“Each input port has a parameter indicating whether the connected digital device is restricted or unrestricted.” Chandika at 1:62-64.

“Process 400 starts with activity 410, in which a configuration command is received. Such a command may be received in various ways, including but not limited to: by receiving a simple network management protocol (SNMP) packet; or by a user such as a network administrator entering a configuration command into a command line interface (CLI) window linked to the access device. The SNMP packet or the CLI command may, but need not, originate from network management device 140, as described with regard to FIG. 1.” Chandika at 6:36-51.

“After activity 410, activity 420 occurs, in which the parameter value specified in the command is stored for one of the input ports specified in the configuration command received. Next, activity 430 occurs. If the value specified in the command for the current input port is restricted, then each pattern matcher within the access device is enabled for packets arriving on that port. If the value specified is unrestricted, then each pattern matcher within the access device is disabled for packets arriving on that port.” Chandika at 6:62-7:3.
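Chandika's access device, as quoted for Claims 7 and 8 above, has three moving parts: ACL patterns held in a ternary CAM, a restricted/unrestricted parameter per input port, and a configuration command (SNMP or CLI) that sets that parameter and so enables or disables the pattern matchers for the port. The following is an added example written for this page, not code from the exhibit or from Chandika, that models those parts in software. The CLI grammar, the port names, the 4-byte packet headers and the hex pattern notation with "x" for a don't-care nibble are constructed for the example.

```python
"""Added example, not from the exhibit or from Chandika: a software model of
the access device the Chandika passages describe. A ternary CAM holds the
restricted patterns (mask bit 0 = "don't care"), each input port carries a
restricted/unrestricted parameter set by a CLI-style configuration command,
and a restricted packet on a restricted port goes to the exception handler
instead of the switch. Command syntax, port names and packet bytes are all
constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TernaryEntry:
    """One CAM word: value bits plus mask bits; a mask bit of 0 is a don't-care."""
    name: str
    value: bytes
    mask: bytes

    def hits(self, data: bytes) -> bool:
        if len(data) < len(self.value):
            return False
        return all((d & m) == (v & m) for d, v, m in zip(data, self.value, self.mask))


def entry_from_spec(spec: str, name: str) -> TernaryEntry:
    """Builds an entry from a hex string in which an 'x' nibble is a don't-care,
    e.g. "060087xx" = first byte 0x06, then 0x0087, then any byte."""
    if len(spec) % 2:
        raise ValueError("spec needs an even number of nibbles")
    value, mask = bytearray(), bytearray()
    for hi, lo in zip(spec[0::2], spec[1::2]):
        v = m = 0
        for shift, ch in ((4, hi), (0, lo)):
            if ch != "x":
                v |= int(ch, 16) << shift
                m |= 0xF << shift
        value.append(v)
        mask.append(m)
    return TernaryEntry(name, bytes(value), bytes(mask))


class AccessDevice:
    def __init__(self, ports: List[str]) -> None:
        self.restricted: Dict[str, bool] = {p: False for p in ports}  # per-port parameter
        self.cam: List[TernaryEntry] = []                              # ACL held in the CAM
        self.exceptions: List[Tuple[str, str]] = []                    # (port, matched entry)
        self.forwarded: List[Tuple[str, bytes]] = []                   # handed to the switch

    def configure(self, command: str) -> None:
        """Hypothetical CLI grammar:
           port <p> [<p> ...] restricted|unrestricted   set/unset the per-port parameter
           acl add <name> <hexspec> / acl del <name>    change what the CAM restricts"""
        tok = command.split()
        if tok[:1] == ["port"] and len(tok) >= 3 and tok[-1] in ("restricted", "unrestricted"):
            for p in tok[1:-1]:
                if p not in self.restricted:
                    raise KeyError(f"unknown port {p}")
                self.restricted[p] = tok[-1] == "restricted"
        elif tok[:2] == ["acl", "add"] and len(tok) == 4:
            self.cam.append(entry_from_spec(tok[3], tok[2]))
        elif tok[:2] == ["acl", "del"] and len(tok) == 3:
            self.cam = [e for e in self.cam if e.name != tok[2]]
        else:
            raise ValueError(f"unrecognised command: {command!r}")

    def receive(self, port: str, packet: bytes) -> str:
        """Pattern matchers are enabled only for restricted ports; returns where
        the packet went: "switch" or "exception"."""
        if self.restricted[port]:
            for entry in self.cam:
                if entry.hits(packet):
                    self.exceptions.append((port, entry.name))
                    return "exception"
        self.forwarded.append((port, packet))
        return "switch"


def run_demo() -> Dict[str, str]:
    dev = AccessDevice(["gi0/1", "gi0/2"])
    # Constructed 4-byte "headers": protocol, destination port (2 bytes), TCP flags.
    tcp135_syn = bytes([0x06, 0x00, 0x87, 0x02])
    tcp135_ack = bytes([0x06, 0x00, 0x87, 0x10])
    tcp80_syn = bytes([0x06, 0x00, 0x50, 0x02])
    dev.configure("acl add dcom-rpc 060087xx")   # TCP to port 135, flags don't care
    dev.configure("port gi0/1 restricted")
    out = {
        "gi0/1 tcp135 syn": dev.receive("gi0/1", tcp135_syn),
        "gi0/1 tcp135 ack": dev.receive("gi0/1", tcp135_ack),
        "gi0/1 tcp80 syn": dev.receive("gi0/1", tcp80_syn),
        "gi0/2 tcp135 syn": dev.receive("gi0/2", tcp135_syn),   # port still unrestricted
    }
    dev.configure("port gi0/1 unrestricted")                        # unset the parameter
    out["gi0/1 tcp135 after unset"] = dev.receive("gi0/1", tcp135_syn)
    dev.configure("port gi0/1 gi0/2 restricted")                    # one command, two ports
    dev.configure("acl del dcom-rpc")                               # empty the CAM
    out["gi0/2 tcp135 after acl del"] = dev.receive("gi0/2", tcp135_syn)
    return out


if __name__ == "__main__":
    for case, where in run_demo().items():
        print(f"{case:28s} -> {where}")
```

The ternary match is a per-byte (data & mask) == (value & mask) comparison, which is what lets one CAM word cover every TCP flag combination for a destination port; changing the CAM contents or the per-port parameter changes what is restricted without touching the packet path.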

Chandika at Fig. 2:

Chandika at Fig. 4: