IPR2026-00326
Microsoft Corp v. Qomplx LLC
1. Case Identification
- Case #: IPR2026-00326
- Patent #: 12,301,628
- Filed: April 3, 2026
- Petitioner(s): Microsoft Corporation
- Patent Owner(s): Qomplx LLC
- Challenged Claims: 1, 4-6, 9-11, 13-15, 17, 20, and 22
2. Patent Overview
- Title: Correlating Network Event Anomalies Using Active and Passive External Reconnaissance to Identify Attack Information
- Brief Description: The ’628 patent describes a computer system for cybersecurity that stores and dynamically updates a graph structure representing network entities and their relationships. The system uses this graph to identify nodes and edges correlated with an anomalous event and generates a second, smaller graph that visualizes potential cybersecurity attack flows.
3. Grounds for Unpatentability
Ground 1: Obviousness over Brezinski and Crabtree - Claims 1, 4-6, 9-11, 13-15, 17, 20, and 22 are obvious over Brezinski in view of Crabtree.
Prior Art Relied Upon: Brezinski (Patent 9,225,730) and Crabtree (Application # 2018/0219919A1).
Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that Brezinski, a reference not considered during prosecution, disclosed the core functionality of the challenged claims. Brezinski taught a system that generates a directed graph of network entities (nodes) and events (edges), stores it in memory, and incrementally modifies the graph upon receiving new event data. This modification included adding new nodes for new entities and new edges for new relationships between existing entities. Critically, Brezinski taught analyzing the graph by traversing it from an anomalous node (e.g., a honeypot or a node exceeding risk/rarity thresholds) to identify correlated nodes and edges. Petitioner asserted that Brezinski’s disclosed breadth-first search (BFS) methodology inherently performed the claimed two-level correlation: a first correlation to identify directly connected nodes (a "first plurality"), and a further correlation from those nodes to identify a second level of connected nodes (a "second plurality"). Finally, Brezinski disclosed generating a "subset graph" of just the anomalous activity, which Petitioner contended was the claimed "second graph" representing event flows.
Petitioner argued that while Brezinski disclosed receiving a flow of event data, it did not explicitly teach "streaming" data. Crabtree, which shares inventors and significant disclosure with the ’628 patent, was alleged to supply this teaching. Crabtree described a similar graph-based cybersecurity system that "continuously" collected and received time-series data to provide "live monitoring" and update a graph as events occurred. Crabtree also explicitly taught representing "user accounts" as entities in its graph, which Petitioner argued rendered obvious the limitation of including a plurality of accounts and resources. Dependent claims were addressed by arguing Brezinski taught using rarity metrics (a comparison to normal behavior patterns), identifying interactions with a known compromised node (matching a known attack pattern), and using numerical risk metrics indicating the likelihood of a successful attack.
- Motivation to Combine (for §103 grounds): Petitioner presented three primary motivations for a Person of Ordinary Skill in the Art (POSITA) to combine the references. First, the references addressed closely related cybersecurity problems using complementary graph-based analysis techniques. Second, a POSITA would have recognized the clear benefit of incorporating Crabtree’s real-time, streaming data analysis into Brezinski’s system to improve the timeliness and effectiveness of threat detection. Third, Crabtree’s teachings were directly applicable to Brezinski’s system, as both modeled network environments as graphs of nodes and edges to identify anomalous behavior, making the integration straightforward.
- Expectation of Success (for §103 grounds): A POSITA would have had a reasonable expectation of success because the references operated in the same technical field and relied on compatible graph-based structures and objectives. Petitioner contended that incorporating Crabtree’s streaming techniques into Brezinski’s system was a predictable improvement using known methods, as Brezinski’s architecture already contemplated ongoing modification of the graph based on new event data.
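The graph workflow summarized under Prior Art Mapping above (incremental graph updates from event data, breadth-first traversal from an anomalous node to a first and then a second level of connected nodes, and a subset graph of the traversed activity) is sketched below as an added illustration. It is not code from the petition, Brezinski, Crabtree, or the ’628 patent; the class and function names, the choice to follow outgoing edges, and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events (src entity, dst entity, event type); not from any cited reference.
SAMPLE_EVENTS = [
    ("acct:svc-backup", "host:fs01", "logon"),
    ("host:fs01", "host:dc01", "smb"),
    ("host:fs01", "host:db02", "rdp"),
    ("host:dc01", "acct:admin", "ticket"),   # three hops from svc-backup
    ("acct:alice", "host:web01", "logon"),   # unrelated activity
]

class EventGraph:
    """Directed graph: nodes are entities, edges are observed events (hypothetical class)."""
    def __init__(self):
        self.nodes = set()
        self.adj = defaultdict(set)  # src -> {(dst, event_type)}

    def ingest(self, src, dst, event_type):
        """Incremental update: unseen entities become nodes, unseen relationships become edges."""
        self.nodes.update((src, dst))
        self.adj[src].add((dst, event_type))

    def correlate(self, anomalous, max_depth=2):
        """BFS along outgoing edges (assumed direction); returns ({depth: nodes}, subset-graph edges)."""
        levels, edges = defaultdict(set), []
        seen, queue = {anomalous}, deque([(anomalous, 0)])
        while queue:
            node, depth = queue.popleft()
            if depth == max_depth:
                continue  # do not expand beyond the second level
            for dst, etype in sorted(self.adj.get(node, ())):
                edges.append((node, dst, etype))
                if dst not in seen:
                    seen.add(dst)
                    levels[depth + 1].add(dst)
                    queue.append((dst, depth + 1))
        return dict(levels), edges

def build_graph(events):
    graph = EventGraph()
    for event in events:
        graph.ingest(*event)
    return graph

if __name__ == "__main__":
    g = build_graph(SAMPLE_EVENTS)
    print(g.correlate("acct:svc-backup"))
    g.ingest("acct:svc-backup", "host:jump01", "logon")  # a later event arrives
    print(g.correlate("acct:svc-backup"))
```

Re-running `correlate` after each `ingest` shows how a newly arrived event changes the first-level set without rebuilding the graph.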
4. Relief Requested
- Petitioner requests institution of an inter partes review and cancellation of claims 1, 4-6, 9-11, 13-15, 17, 20, and 22 of the ’628 patent as unpatentable.