Patent 6795918
Obviousness
Combinations of prior art that suggest the claimed invention would have been obvious under 35 U.S.C. § 103.
Active provider: Google · gemini-2.5-flash
Obviousness Analysis of US Patent 6,795,918 Under 35 U.S.C. § 103
This analysis identifies combinations of prior art references that would render the claims of US patent 6,795,918 obvious to a person having ordinary skill in the art (PHOSITA) at the time of the invention (priority date 2000-03-07). The primary prior art for this analysis is US patent 5,802,320 (US '320) to Sun Microsystems, Inc., in combination with general knowledge and motivations prevalent in the field of computer security around the year 2000, as reflected in the background section of US 6,795,918 itself and contemporary non-patent literature like the Andy Briney articles.
Prior Art References Considered:
- US 5,802,320 A (Sun Microsystems, Inc.): Titled "System for packet filtering of data packets at a computer network interface," this patent describes a packet filter that extracts filter criteria from incoming packets and tests them against a set of filter rules to either accept or reject the packet.
- Andy Briney, "Got Security?" Cover Story '99 Survey and Andy Briney, "Got Security?" Cover Story '99 Survey-Chart: These non-patent references reflect the general state of computer security concerns and existing solutions around the time of the invention.
Motivation to Combine References:
The background section of US 6,795,918 explicitly outlines the problems with existing computer security solutions (firewalls) at the time of the invention. These problems include:
- Complexity and Impracticality: Hardware-based solutions were "often impractical and too complex for implementation at home, for a small business, or for users on the road" and required "knowledgeable information systems (IS) personnel to install and/or maintain." Software solutions were "cumbersome to use" and could be "accidentally disabled or overwritten."
- Targetability: Existing security solutions often had their "own IP addresses which readily allows these security solutions to be identified as targets."
- Cost and Maintenance: The need for knowledgeable IS personnel came "at a fairly significant cost."
These identified deficiencies provide a clear motivation for a PHOSITA to develop a simpler, more secure, and non-user configurable solution for computer communication security, especially for small office/home office (SOHO) environments. The stated advantages of US 6,795,918—an "efficient, quick, secure, and simple to implement technique"—directly address these motivations.
Obviousness Analysis of Independent Claims:
Independent Claim 1: Method for filtering a plurality of data packets
This claim describes a method involving receiving, extracting source, destination, and protocol information from data packets, providing this to a non-user configurable decision block for authorization, and dropping unauthorized packets while permitting authorized ones. The protocol information includes transport types.
- Receiving and Extracting Data Packet Information: US '320 clearly teaches "extract[ing] filter criteria from an incoming packet." For network data packets, this "filter criteria" would inherently include source, destination (addresses), and protocol information, including transport types (e.g., TCP, UDP, ICMP).
- Decision Block and Authorization: US '320 teaches "test[ing] the extracted filter criteria against a set of filter rules" and either "accept[ing]" or "reject[ing]" the packet. This directly corresponds to a decision block that authorizes or denies services.
- Non-User Configurable Aspect: Given the motivations discussed above (complexity, user error, maintenance costs for SOHO users), a PHOSITA would have been motivated to simplify the "set of filter rules" of US '320 by making them "non-user configurable" and "substantially free from user adjustment." This design choice eliminates the need for user configuration, reducing complexity and potential for error, directly addressing the problems articulated in US 6,795,918's background. Implementing such rules in a fixed hardware lookup table (as described in US 6,795,918) rather than user-adjustable software or complex configuration interfaces would have been an obvious path to achieve this simplification and enhanced security for the target market.
Therefore, the method of Claim 1, combining the packet filtering principles of US '320 with the known desire for simplified, fixed-configuration security solutions for SOHO users, would have been obvious.
Independent Claim 2: Decision block information substantially unrelated to an IP address
This claim specifies that the decision block operates "without knowledge of any IP addresses."
- Motivation for IP Address Independence: The background of US 6,795,918 explicitly states that existing security solutions with their own IP addresses become "targets" or "loophole[s]." A PHOSITA, aware of this vulnerability, would be motivated to modify the filtering approach of US '320 to avoid using IP addresses for the core authorization decision, instead focusing on service-level information like ports and protocols. This design choice directly addresses the identified problem of security solutions becoming targets themselves. It would have been obvious to a PHOSITA to remove IP address information from the decision criteria where possible to enhance security.
Independent Claim 10: Computer security apparatus (unidirectional)
This claim describes an apparatus with communication interfaces, a packet analyzer including protocol, source port, and destination port storage devices, and a non-user configurable lookup table (LUT) for authorization, permitting only a selected group of Internet services.
- Basic Apparatus Components: US '320 teaches a "system for packet filtering of data packets at a computer network interface," which implies an apparatus with communication interfaces and a packet filter. The components described in Claim 10 (protocol, source port, destination port storage devices) are standard hardware elements a PHOSITA would employ to implement the "filter criteria" extraction of US '320 for service-level filtering.
- Lookup Table Device (LUT): Implementing the "set of filter rules" from US '320 as a lookup table (LUT) is a known and obvious hardware implementation choice for fast decision-making based on multiple input fields (protocol, ports). The use of FPGAs or PLDs for such logic (as mentioned in US 6,795,918) was well-established.
- Non-Configurable LUT: As discussed for Claim 1, making this LUT "non-configurable by a computer user" addresses the clear motivation for simpler, more robust, and tamper-resistant security solutions for SOHO users, eliminating the need for complex configuration.
- Selected Group of Internet Services: The concept of allowing only a "selected group of Internet services" is simply the output of applying defined filter rules to achieve "service level security," as stated in the title and abstract of US 6,795,918.
Therefore, the apparatus of Claim 10, combining the functional elements of a packet filter from US '320 with standard hardware implementation techniques and the well-known motivation for non-user configurable and simplified security, would have been obvious.
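The filtering logic discussed for Claims 1, 2 and 10 (extract protocol and ports from a packet, consult a fixed service table, decide without reference to IP addresses) is illustrated below as an added example. It is not code from US 6,795,918 or US 5,802,320; the function names, the contents of SERVICE_LUT and the sample packets are all constructed for this illustration. The table is a module-level frozenset with no setter, which is one software-side stand-in for the non-user-configurable lookup table the claims describe.

```python
import socket
import struct
from typing import Iterable, Optional

# IANA protocol numbers used in the example.
ICMP, TCP, UDP = 1, 6, 17
ANY: Optional[int] = None  # wildcard for a port field

# Constructed, fixed service table: (protocol, source port, destination port).
# It is a frozenset constant: no mutator, no config file, and no IP addresses.
SERVICE_LUT = frozenset({
    (TCP, ANY, 80),   # HTTP to the protected host
    (TCP, ANY, 443),  # HTTPS
    (TCP, ANY, 25),   # SMTP
    (UDP, ANY, 53),   # DNS queries
})


def extract_fields(raw: bytes) -> tuple[int, int, int]:
    """Return (protocol, src_port, dst_port) from a raw IPv4 packet.

    The IP addresses are present in the header but are deliberately not
    returned, so the decision step cannot depend on them.
    """
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = raw[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes
    proto = raw[9]
    if proto in (TCP, UDP):
        if len(raw) < ihl + 4:
            raise ValueError("truncated transport header")
        src_port, dst_port = struct.unpack_from("!HH", raw, ihl)
        return proto, src_port, dst_port
    return proto, 0, 0                       # ICMP and others carry no ports


def authorized(proto: int, src_port: int, dst_port: int) -> bool:
    """Decision block: match the extracted triple against the fixed table."""
    for lut_proto, lut_src, lut_dst in SERVICE_LUT:
        if (lut_proto == proto
                and lut_src in (ANY, src_port)
                and lut_dst in (ANY, dst_port)):
            return True
    return False


def filter_packets(packets: Iterable[bytes]) -> tuple[list[bytes], int]:
    """Forward authorized packets, drop the rest; returns (permitted, dropped)."""
    permitted: list[bytes] = []
    dropped = 0
    for pkt in packets:
        try:
            proto, sport, dport = extract_fields(pkt)
        except ValueError:
            dropped += 1                     # malformed packets are never forwarded
            continue
        if authorized(proto, sport, dport):
            permitted.append(pkt)
        else:
            dropped += 1
    return permitted, dropped


def build_packet(src_ip: str, dst_ip: str, proto: int,
                 src_port: int = 0, dst_port: int = 0) -> bytes:
    """Construct a minimal IPv4 packet (no options) with a short transport stub."""
    if proto in (TCP, UDP):
        payload = struct.pack("!HH", src_port, dst_port) + b"\x00" * 4
    else:
        payload = b"\x08\x00\x00\x00"        # ICMP echo request type/code/checksum
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return header + payload


if __name__ == "__main__":
    # Constructed sample traffic from a public address toward a protected host.
    samples = [
        build_packet("198.51.100.7", "192.0.2.10", TCP, 40000, 80),   # HTTP
        build_packet("198.51.100.7", "192.0.2.10", TCP, 40001, 22),   # SSH
        build_packet("198.51.100.7", "192.0.2.10", UDP, 5353, 53),    # DNS
        build_packet("198.51.100.7", "192.0.2.10", ICMP),             # ping
    ]
    ok, bad = filter_packets(samples)
    print(f"permitted {len(ok)}, dropped {bad}")
```

Two properties of the claims are visible in the code: the decision never sees an address (extract_fields discards them before authorized runs, so the same service from any source gets the same verdict), and the rule set cannot be edited at run time (a frozenset constant has no add or remove method). Malformed packets are treated as unauthorized rather than forwarded, which is the conservative default for a device placed inline on the connection.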
Independent Claim 21: Computer security apparatus (bidirectional)
This claim extends Claim 10 to cover bidirectional filtering (data from public to private, and private to public).
- Bidirectional Filtering: Once a unidirectional packet filtering system (as in Claim 10, derived from US '320 and the motivations) is known, extending it to handle bidirectional traffic (i.e., filtering both incoming and outgoing packets) is a fundamental and obvious design choice for any comprehensive firewall or network security device. PHOSITAs would understand the need to secure both ingress and egress traffic, particularly for SOHO environments.
Independent Claim 25: Service level computer security apparatus (means-plus-function)
This claim is written in means-plus-function format, mirroring the method steps of Claim 1.
- The "means for receiving," "means for extracting," "means for providing to a non-user configurable decision block," "means for dropping," and "means for permitting" would all be rendered obvious for the reasons explained for Claim 1, based on US '320 and the motivations for non-user configurability and simplified security.
Independent Claim 26: Method for converting an unsecured digital transmission line into a secured digital transmission line
This claim describes a method of providing an unsecured network connection and inserting the apparatus of Claims 10/21 into it to secure digital data transmitted over mediums like cable modem or xDSL.
- Deployment of the Apparatus: If the computer security apparatus itself (as described in Claims 10 or 21) is obvious, then the method of deploying it by inserting it into a network connection to secure a digital transmission line would also be obvious. The specified transmission mediums (cable modem, xDSL) were common high-speed residential/SOHO internet connections at the time, and securing such connections was a known and pressing problem, as discussed in the background of US 6,795,918.
Conclusion:
Claims 1, 2, 10, 21, 25, and 26 of US 6,795,918 would have been obvious to a PHOSITA by combining the teachings of US 5,802,320 with the widely understood problems and motivations in computer network security as of March 2000. Specifically, the need for simpler, non-user configurable, and less targetable security solutions for SOHO environments, as articulated in the background of US 6,795,918, would have motivated a PHOSITA to modify the known packet filtering system of US '320 to incorporate these features. The specific implementation details, such as using a hardware lookup table and focusing the filtering logic on service ports and protocols (rather than IP addresses for the decision itself), are obvious engineering choices for achieving these motivations.
Generated 5/29/2026, 6:00:59 PM