Fortinet, Inc. v. SRI International, Inc.
Filing
85
TENTATIVE RULINGS AND QUESTIONS RE CLAIM CONSTRUCTION. Signed by Judge Jeffrey S. White on October 3, 2013. (jswlc3, COURT STAFF) (Filed on 10/3/2013)
<![CDATA[
1
2
3
4
5
IN THE UNITED STATES DISTRICT COURT
6
FOR THE NORTHERN DISTRICT OF CALIFORNIA
7
8
FORTINET, INC.,
9
Plaintiff,
United States District Court
For the Northern District of California
10
11
v.
Defendant.
/
13
CHECK POINT SOFTWARE
TECHNOLOGIES, INC.,
15
16
17
18
TENTATIVE RULINGS AND
QUESTIONS RE CLAIM
CONSTRUCTION
SRI INTERNATIONAL, INC.,
12
14
No. C 12-02540 JSW
No. C 12-03231 JSW
Plaintiff,
v.
SRI INTERNATIONAL, INC.,
Defendant.
/
19
20
TO ALL PARTIES AND THEIR ATTORNEYS OF RECORD, PLEASE TAKE NOTICE OF
21
THE FOLLOWING TENTATIVE RULING AND QUESTIONS FOR THE HEARING SCHEDULED
22
ON OCTOBER 8, 2013, AT 1:30 p.m.:
23
The Court has reviewed the parties’ briefs and, thus, does not wish to hear the parties reargue
24
matters addressed in those pleadings. If the parties intend to rely on legal authorities not cited in their
25
briefs, they are ORDERED to notify the Court and opposing counsel of those authorities reasonably in
26
advance of the hearing and to make copies available at the hearing. If the parties submit such additional
27
authorities, they are ORDERED to submit the citations to the authorities only, without argument or
28
additional briefing. Cf. N.D. Civil Local Rule 7-3(d). The parties will be given the opportunity at oral
1
argument to explain their reliance on such authority. The Court suggests that associates or of counsel
2
attorneys who are working on this case be permitted to address some or all of the Court’s questions
3
contained herein.
4
5
The parties shall each have 60 minutes to present their respective arguments on claim
construction. The Court provides its tentative constructions of the disputed terms.
6
1.
7
The term “network monitors appears in Claims 1, 4, 6, 13, 16, and 18 of the ‘615 Patent, and
8
Claims 1, 4, 6, 12, 15, and 17 of the ‘203 Patent. The term “the monitors” appears in Claim 1 of both
9
the ‘615 and the ‘203 Patents. The parties agree that “the monitors” refers to “network monitors.”
“Network monitors”/“the monitors”
United States District Court
For the Northern District of California
10
SRI argues that the term “network monitors” must be construed to mean “software and/or
11
hardware that can collect, analyze and/or respond to data.” (Parties’ Final Joint Claim Construction
12
Statement (“Statement”) at App. A.) Fortinet and Check Point (collectively, “the Plaintiffs”), on the
13
other hand, argue that the term must be construed to mean “software and/or hardware that can detect
14
suspicious activity by analyzing network traffic data.” (Id.)
15
It appears that the key dispute between the parties is whether all “network monitors” must be
16
capable of detecting suspicious activity through the analysis of network traffic data. SRI argues that the
17
construction the Plaintiffs advance would improperly require hierarchical monitors to include this
18
capability. SRI further contends that the Plaintiffs’ proposed construction creates a redundancy in the
19
claim language. What is the Plaintiffs’ best argument that it is not confusing and redundant to construe
20
“network monitors,” in the context of the claim, to read “detecting, by the ‘software and/or hardware
21
that can detect suspicious activity by analyzing network traffic data,’ suspicious network activity based
22
on analysis of network traffic data”?
23
24
The Court tentatively adopts the following construction: “software and/or hardware that can
collect, analyze and/or respond to data.”
25
2.
26
The term “suspicious network activity” appears in Claims 1 and 13 of the ‘615 Patent, and
27
28
“Suspicious network activity”
Claims 1 and 12 of the ‘203 Patent.
SRI argues that the term “suspicious network activity” must be construed to mean “activity that
2
1
indicates a known or possible malicious attack on the network.” (Statement at App. A.) The Plaintiffs,
2
on the other hand, argue that the term must be construed to mean “network traffic with attributes of a
3
suspected, but unconfirmed, intrusion.” (Id.)
The key areas of dispute between the parties are: (1) whether “suspicious network activity” can
5
encompass known attacks; and (2) whether “network activity” is synonymous with “network traffic.”
6
How does SRI contend that “suspicious network activity” can include known threats, when the Patent
7
specifications distinguish between “intrusion reports” relating to known malicious activity, and
8
“suspicion reports” that presumably relate to unconfirmed threats? (See ‘203 Patent at 7:38-45.)
9
Additionally, why does SRI argue that it is improper to construe “network activity” as “network traffic”
10
United States District Court
For the Northern District of California
4
when the Patent specifications appear to use the terms interchangeably? (Compare ‘203 Patent at 11:41-
11
44 with id. at 1:55-57.)
12
13
The Court tentatively adopts the following construction: “network traffic with attributes of a
suspected, but unconfirmed, intrusion.”
14
3.
15
The term “automatically receiving and integrating” appears in Claim 1 of both the ‘615 and the
16
“Automatically receiving and integrating”
‘203 Patents.
17
SRI argues that the term “automatically receiving and integrating” must be construed to mean
18
“without user intervention, receiving reports of suspicious activity and combining those reports into a
19
different end product; i.e., something more than simply collecting and reiterating data.” (Statement at
20
App. A.) The Plaintiffs, on the other hand, argue that the term must be construed to mean “without user
21
intervention, receiving reports of suspicious activity and combining those reports into a different end
22
product (i.e., something more than simply collecting and reiterating data) for purposes of detecting a
23
suspected attack or threat.” (Id.)
24
The key dispute between the parties is whether detecting a suspected attack or threat is the sole
25
purpose of “automatically receiving and integrating.” How do the Plaintiffs reconcile this proposed
26
limitation with language in the specifications that sets forth other goals for integration, such as alerting
27
other network entities, identifying attacks to other network entities, and determining the proper response
28
in which the system should engage? (See ‘203 Patent at 2:10-14, 3:23-42.)
3
1
The Court tentatively adopts the following construction: “without user intervention, receiving
2
reports of suspicious activity and combining those reports into a different end product; i.e., something
3
more than simply collecting and reiterating data.”
4
4.
5
The term [hierarchical monitors] “adapted to automatically receive and integrate” appears in
6
[hierarchical monitors] “adapted to automatically receive and integrate”
Claim 13 of the ‘615 Patent and Claim 12 of the ‘203 Patent.
SRI argues that the term [hierarchical monitors] “adapted to automatically receive and integrate”
8
must be construed to mean “capable of receiving reports of suspicious activity and, without user
9
intervention, combining those reports into a different end product; i.e., something more than simply
10
United States District Court
For the Northern District of California
7
collecting and reiterating data.” (Statement at App. A.) The Plaintiffs, on the other hand, argue that the
11
term “adapted to” does not be construed, and the remainder of the term must be construed to mean
12
“without user intervention, receiving reports of suspicious activity and combining those reports into a
13
different end product (i.e., something more than simply collecting and reiterating data) for purposes of
14
detecting a suspected attack or threat.” (Id.)
15
The key dispute between the parties is whether “adapted to” should be construed as synonymous
16
with “capable of.” How does SRI respond to case law indicating that “adapted to” is most commonly
17
defined more narrowly than “capable of”? See, e.g., Aspex Eyewear, Inc. V. Marchon Eyewear, Inc.,
18
672 F.3d 1335, 1349 (Fed. Cir. 2012); Brocade Commc’ns Sys., Inc. V. A10 Networks, Inc., No. C 10-
19
3428 PSG, 2013 WL 831528, at *10-11 (N.D. Cal. Jan. 10, 2013).
20
The Court tentatively adopts the following construction: “without user intervention, receiving
21
reports of suspicious activity and combining those reports into a different end product; i.e., something
22
more than simply collecting and reiterating data.”
23
24
25
26
5.
“Detecting, by the network monitors, suspicious activity based on analysis of
network traffic data”
The term “detecting, by the network monitors, suspicious activity based on analysis of network
traffic data” appears in Claim 1 of both the ‘615 and ‘203 Patents.
27
SRI argues that the term “detecting, by the network monitors, suspicious activity based on
28
analysis of network traffic data” must be construed to mean “detecting based on an analysis of data
4
1
derived from or describing network packets and excluding analysis that is limited solely to host
2
operating system audit logs.” (Statement at App. A.) The Plaintiffs, on the other hand, argue that the
3
term must be construed to mean “detecting, by the network monitors, suspicious network activity based
4
on direct examination of network packets.” (Id.)
5
The key dispute between the parties is whether “detecting” requires direct examination of data.
6
Why is SRI not estopped from arguing for its proposed construction by its express assertions during
7
reexamination that “analysis of network traffic data” requires direct examination of network packets?
8
(See, e.g., Appeal Brief at 7; Reply Brief at 5.)
9
United States District Court
For the Northern District of California
10
11
12
The Court tentatively adopts the following construction: “detecting, by the network monitors,
suspicious network activity based on direct examination of network packets.”
6.
“Said plurality of network monitors detecting suspicious network activity based on
analysis of network traffic data”
13
The term “said plurality of network monitors detecting suspicious network activity based on
14
analysis of network traffic data” appears in Claim 13 of the ‘615 Patent and Claim 12 of the ‘203 Patent.
15
SRI argues that the term “said plurality of network monitors detecting suspicious network
16
activity based on analysis of network traffic data” must be construed to mean “capable of detecting
17
based on an analysis of data derived from or describing network packets and excluding analysis that is
18
limited solely to host operating system audit logs.” (Statement at App. A.) The Plaintiffs, on the other
19
hand, argue that the term must be construed to mean “said plurality of network monitors detecting
20
suspicious network activity based on direct examination of network packets.” (Id.)
21
The key dispute between the parties – apart from that described above in Claim term 5 – is
22
whether the network monitors must be actively detecting suspicious network activity, or merely capable
23
of performing that function. How does SRI reconcile its proposed construction with the Claim language
24
indicating that the network monitors are already deployed and actively detecting suspicious network
25
activity? (See ‘203 Patent, Claim 12.)
26
27
The Court tentatively adopts the following construction: “said plurality of network monitors
detecting suspicious network activity based on direct examination of network packets.”
28
5
1
7.
2
The terms “network monitors deployed”/“network monitors are deployed” appears in Claims
3
“Network monitors deployed”/“network monitors are deployed”
13 and 18 of the ‘615 Patent, and Claims 12 and 17 of the ‘203 Patent.
SRI argues that the terms “network monitors deployed”/“network monitors are deployed” must
5
be construed to mean “network monitors that can be configured and/or installed.” (Statement at App.
6
A.) The Plaintiffs, on the other hand, note that the parties agree that “deploying a plurality of network
7
monitors” means “configuring and/or installing two or more network monitors,” and that “software is
8
configured and hardware is installed.” (Id.) The Plaintiffs contend that this claim term does not require
9
additional construction, but argue that if the Court construes the term, it must be construed to mean
10
United States District Court
For the Northern District of California
4
“network monitors that are configured and/or installed” and that “software is configured and hardware
11
is installed.” (Id.)
12
13
14
15
The key dispute between the parties is whether “deployed” means that the network monitors are
configured or installed, or merely capable of being configured or installed.
The Court tentatively adopts the following construction: “network monitors that are configured
and/or installed” and “software is configured and hardware is installed.”
16
8.
17
The term “correlating intrusion reports reflecting underlying commonalities” appears in Claim
18
“Correlating intrusion reports reflecting underlying commonalities”
2 of both the ‘615 and the ‘203 Patents.
19
SRI argues that the term “correlating intrusion reports reflecting underlying commonalities”
20
must be construed to mean “combining the reports to reflect underlying commonalities.” (Statement
21
at App. A.) Check Point agrees with SRI’s proposed construction. (Id. at 2 n.1.) Fortinet, on the other
22
hand, argues that the term either needs no construction, or in the alternative, it must be construed to
23
mean “combining intrusion reports with underlying commonalities to identify more global threats.” (Id.
24
at App. A.)
25
The key dispute between SRI and Fortinet is whether the sole purpose of combining the reports
26
is to identify more global threats to the network. What is Fortinet’s best argument that the purpose of
27
combining reports should be solely to identify more global threats?
28
The Court tentatively adopts the following construction: “combining the reports to reflect
6
1
underlying commonalities.”
2
9.
3
The term “correlating intrusion reports reflecting underlying commonalities” appears in Claim
4
“Correlating intrusion reports reflecting underlying commonalities”
14 of the ‘615 Patent, and Claim 13 of the ‘203 Patent.
SRI argues that the term “correlating intrusion reports reflecting underlying commonalities” in
6
the context of these Claims must be construed to mean “capable of combining the reports to reflect
7
underlying commonalities.” (Statement at App. A.) The Plaintiffs do not believe this term needs
8
additional construction but argue that it must be construed consistently with Claim term 8, above. (Id.)
9
The key dispute between the parties is whether integration requires hierarchical monitors to be
10
United States District Court
For the Northern District of California
5
correlating reports or whether it merely requires that they possess the capability to correlate reports.
11
How does SRI respond to the Plaintiffs’ contention that the claimed system does not exist unless the
12
hierarchical monitors are actually correlating reports?
13
14
The Court tentatively adopts the following construction: “combining the reports to reflect
underlying commonalities.”
15
10.
16
The term “network traffic data” appears in Claims 1 and 13 of the ‘615 Patent, and Claims 1 and
17
“Network traffic data”
12 of the ‘203 Patent.
18
SRI does not believe that this term requires construction. (Statement at App. A.) However,
19
should the Court construe the term, SRI argues that the term “network traffic data” must be construed
20
to mean “data derived from or describing network packets.” (Id.) The Plaintiffs, on the other hand,
21
argue that the term must be construed to mean “network traffic data” is comprised of “network packets.”
22
(Id.)
23
The key dispute between the parties is whether network traffic data can be equated with network
24
packets. What is SRI’s best argument that it should not be bound by its own statement during
25
reexamination that “the phrase ‘network traffic data’ refers to data obtained from network traffic, i.e.,
26
network packets”?
27
//
28
//
7
1
2
3
The Court tentatively adopts the following construction: “network traffic data” is comprised of
“network packets.”
IT IS SO ORDERED.
4
5
Dated: October 3, 2013
JEFFREY S. WHITE
UNITED STATES DISTRICT JUDGE
6
7
8
9
United States District Court
For the Northern District of California
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
8
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
