Fortinet, Inc. v. Forescout Technologies, Inc.

Filing 174

ORDER - Claim Construction Order. Signed by Judge Edward M. Chen on 11/28/2022. (emcsec, COURT STAFF) (Filed on 11/28/2022)

Case 3:20-cv-03343-EMC Document 174 Filed 11/28/22 Page 1 of 58

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

FORTINET, INC., Plaintiff, v. FORESCOUT TECHNOLOGIES, INC., Defendant.

Case No. 20-cv-03343-EMC

CLAIM CONSTRUCTION ORDER

I. INTRODUCTION

Fortinet, Inc. (“Fortinet”) brought this action against Forescout Technologies, Inc. (“Forescout”), asserting infringement of five patents. Forescout counterclaimed with infringement of six of its own patents and with tortious interference claims.

For the 11 patents-in-suit, each party proposed eight terms for the Court to construe. (See Docket No. 142 (Joint Claim Construction Statement) at 2–3.) The parties have agreed on the construction of six additional terms. (Id. at 1.)

II. BACKGROUND

A. Factual Background

Fortinet sells cybersecurity products, software, and services to large institutional customers. (Docket No. 67 (“FAC”) at ¶ 4.) Many of its products “provide[] network visibility to see devices connected to a network as well as the ability to control those devices and users.” (Id. at ¶ 26.)

Forescout competes with Fortinet in that market. (Id. at ¶ 6.) On February 9, 2020, Forescout publicly announced a major acquisition of all its outstanding shares by Advent International (“Advent”), a global private equity investor. (Docket No. 107 (“Countercl.”) at ¶¶ 135-136.) That month, Fortinet attempted to initiate licensing discussions with Forescout. It persisted through April without success. (FAC at ¶¶ 10-12.) Then, in May, one business day before Advent’s acquisition’s scheduled closing, Fortinet filed this action and began a campaign to allegedly smear Forescout before its existing and potential customers. (Countercl. at ¶¶ 138-145.)
Advent paused the acquisition, but eventually closed the deal on financial terms much less favorable to Forescout. (Id. at ¶ 146.)

B. Procedural Background

Fortinet filed suit in May 2020 for contributory, induced, and willful infringement of three patents relating to cybersecurity technology. (Docket No. 1.) Ruling on Forescout’s motion to dismiss, the Court declined to invalidate Fortinet’s three patents under 35 U.S.C. § 101 and found that Fortinet has sufficiently pled induced infringement. (Docket No. 55.) The Court dismissed Fortinet’s contributory and willful infringement claims with leave to amend. (Id.)

Fortinet then filed its Amended Complaint, asserting two additional patents. (FAC.) Forescout again moved to dismiss. (Docket No. 71.) The Court declined to invalidate the two newly asserted patents’ claims under Section 101. (Docket No. 94.) It also dismissed Fortinet’s willful infringement claims but found induced and contributory infringement claims adequately pled. (Id.)

Forescout then counterclaimed against Fortinet, alleging infringement of six patents and tortious interference based on Fortinet’s extrajudicial statements. (Docket No. 107.) The Court denied Fortinet’s motion to dismiss the tort claims or the infringement claims under Section 101. (Docket No. 133.)

III. FORTINET’S EXPERT’S QUALIFICATIONS AND OPINIONS

As an initial matter, Forescout asks the Court to disregard the declaration of Fortinet’s expert, Michael Shamos, Ph.D., J.D., for three reasons: (1) Dr. Shamos “never identifies what legal standard he applied for means-plus-function claims.” (Docket No. 147 (“Forescout Resp.”) at 11.) (2) Dr. Shamos is not a POSITA under either party’s definitions. (Id.) (3) Dr. Shamos’s declaration accompanying Fortinet’s reply brief is untimely as it came over a month after claim construction discovery had closed. (Docket No. 151 (“Forescout Sur-reply”) at 8.) The Court addresses each reason below.

A. The Legal Standard Dr. Shamos Applied Is Identifiable And Reliable

Forescout first urges the Court to disregard Dr. Shamos’s declarations because he fails to identify the legal standard for means-plus-function claims. (Forescout Resp. at 11.) Federal Rule of Evidence 702 requires a qualified expert to apply “reliable principles and methods” in forming his or her opinions. Fed. R. Evid. 702(c). An expert thus should identify the principles and methods applied so that the court or the jury can evaluate the expert’s testimony.

Here, Dr. Shamos does not explicitly outline the legal standard for construing means-plus-function limitations in his declarations, but appears to have applied Williamson v. Citrix Online, LLC to his analysis. 792 F.3d 1339, 1350 (Fed. Cir. 2015). In paragraph 39 of his declaration, for example, Dr. Shamos opines, “Because ‘module’ is a nonce word (standing for a hardware or software component), it is possible that ‘earmark provisioning module’ is a mean[s]-plus-function term under pre-AIA 35 U.S.C. §112¶6.” (Ex. A[1] (“Shamos Decl.”) at ¶ 39.) That reasoning is consistent with the standard set forth in Williamson. See 792 F.3d at 1350 (“‘Module’ is a well-known nonce word that can operate as a substitute for ‘means’ in the context of § 112, para. 6.”).

Dr. Shamos’s opinion therefore is distinguishable from that in the case cited by Forescout, NetFuel, Inc. v. Cisco Sys. Inc., No. 5:18-cv-02352-EJD, 2020 WL 1274985, at *11 (N.D. Cal. Mar. 17, 2020). There, the court was unable to follow the expert’s methodology to calculate royalty. Id. at *7 (finding expert’s conclusion to be “impermissible black box without sound economic and factual predicates”) (internal quotation marks omitted). Although Dr. Shamos should have identified the legal standard for means-plus-function limitations, his methodology is not so undiscernible or unreliable to warrant being disregarded.

[1] Exhibits A-G refer to the exhibits to the Declaration of Anthony P. Biondo in Support of Fortinet’s Opening Claim Construction Brief (Docket No. 146). Exhibits H-P refer to exhibits to the Declaration of Matthew R. McCullough in Support of Defendant Forescout Technologies, Inc.’s Responsive Claim Construction Brief (Docket No. 147-1). Exhibit Q refers to the exhibit to the Declaration of Anthony P. Biondo in Support of Fortinet’s Reply Claim Construction Brief (Docket No. 149-1).

B. Dr. Shamos Qualifies As A POSITA

Forescout also asks the Court to disregard Dr. Shamos’s declarations because he lacks experience in network access security systems and thus is not a POSITA under either party’s definition. (Forescout Resp. at 11–12.) Forescout observes that neither Fortinet nor Dr. Shamos even contends that he is a POSITA. (Forescout Sur-reply at 8.) In response, Fortinet points out that Dr. Shamos has a Ph.D. in computer science, and has taught courses in computer networking, wireless communication and Internet architecture, Internet protocols, and electronic payment systems. (Docket No. 146 (“Fortinet Br.”) at 24.) Fortinet also submitted a new declaration from Dr. Shamos accompanying its reply brief setting forth the following qualifications:

Dr. Shamos is the Distinguished Career Professor in the School of Computer Science at Carnegie Mellon University; he has testified before legislatures on computer security; he authored an article on E-Voting Security in IEEE Security and Privacy in 2012, and was a guest editor of that issue; he authored a security analysis of the firmware of an electronic voting machine; and he supervised a graduate software project for Samsung to detect attempts to introduce malware into computer systems.

(Docket No. 149 (“Fortinet Reply”) at 25; Ex. Q (“4/25/22 Shamos Decl.”) at ¶¶ 6-19.)

Dr. Shamos qualifies as a POSITA under Forescout’s definition. Forescout’s expert, Eric Cole, Ph.D., defines a POSITA as “a person with a bachelor’s degree in computer science, computer engineering, or electrical engineering and at least three years of experience in networking operating systems and cybersecurity, or a person with a master’s degree in one of the foregoing and at least two years of experience in the aforementioned fields.” (Ex. B (“Cole Decl.”) at ¶ 19.) And “an individual with additional education or additional industrial experience could still be of ordinary skill in the art if that additional education or experience compensates for a deficit in one of the other aspects of the requirements stated above.” (Id.)

As described above, Dr. Shamos has a Ph.D. and years of experience in computer security. Although computer security is different from network or cybersecurity, experience in the former combined with Dr. Shamos’s additional education may compensate for a deficit in the latter, as Dr. Cole contemplates. Additionally, by submitting the declarations, Dr. Shamos implicitly considers himself qualified as a POSITA under his own definition that requires “one to two years of work experience in implementing network security functions” and in “implementing network security functions.” (Shamos Decl. at ¶¶ 12, 16–17, 21, 25.) Thus, Dr. Shamos implicitly acknowledges that he has experience in cybersecurity, as Dr. Cole requires.

Because Dr. Shamos qualifies as a POSITA under Forescout’s definition, the Court does not disregard his opinions.

C. The Court Declines To Strike Dr. Shamos’s New Declaration

In its claim construction sur-reply brief, Forescout asked the Court to strike Dr. Shamos’s declaration accompanying Fortinet’s reply brief (Forescout Sur-reply at 8). The sole authority that Forescout cites to support its request concerns a motion to strike an untimely expert report dressed up as a rebuttal declaration. See Mallinckrodt, Inc. v. Masimo Corp., 254 F. Supp. 2d 1140, 1156–58 (C.D. Cal. 2003) (granting motion to strike 33-page “rebuttal” declaration submitted with opening claim construction brief when previously submitted expert report was rubber-stamped two-pager).

Dr. Shamos’s new declaration does not appear to have prejudiced Forescout. In its sur-reply brief, Forescout criticized Fortinet for relying on that declaration for two terms. For one term, Fortinet relied on “Dr. Shamos’[s] untimely new declaration for the proposition that the preamble provides antecedent basis.” (Forescout Sur-reply at 9.) But Dr. Shamos also opined so in his Claim Construction Report on the Fortinet Patents served on Forescout in May 2021. (See Ex. G (“Shamos Rpt.”) at ¶ 77; Docket No. 146-1 at ¶ 8.) For the other term, Fortinet made arguments in the reply brief “based on Dr. Shamos’[s] untimely declaration, which relies on Figure 5” of U.S. Patent No. 9,894,034. (Forescout Sur-reply at 13.)
But Forescout anticipated that argument and even included its annotated Figure 5 in its responsive brief. (Forescout Resp. at 23.) Regardless, Forescout has had an opportunity to address Dr. Shamos’s new declaration in its sur-reply brief. See, e.g., Forescout Sur-reply at 9 (stating that “Dr. Cole’s declaration stands unrebutted” after considering Dr. Shamos’ new declaration). Forescout has not shown prejudice by Dr. Shamos’s new declaration.

D. Summary

In sum, the Court denies Forescout’s request to disregard Dr. Shamos’s declarations because Dr. Shamos is qualified, applied an identifiable and reliable legal standard, and his declaration accompanying Fortinet’s reply brief did not substantially prejudice Forescout.

IV. CLAIM CONSTRUCTION

A. Legal Standard

1. Claim Construction

“[T]he interpretation and construction of patents claims, which define the scope of the patentee’s rights under the patent, is a matter of law exclusively for the court.” Markman v. Westview Instruments, Inc., 52 F.3d 967, 970–71 (Fed. Cir. 1995). Claim terms are generally given their plain and ordinary meaning, which is the meaning one of ordinary skill in the art would ascribe to a term when read in the context of the claim, specification, and prosecution history. See Phillips v. AWH Corp., 415 F.3d 1303, 1313–14 (Fed. Cir. 2005) (en banc). “There are only two exceptions to this general rule: 1) when a patentee sets out a definition and acts as his own lexicographer, or 2) when the patentee disavows the full scope of a claim term either in the specification or during prosecution.” Kyocera Senco Indus. Tools, Inc. v. ITC, 22 F.4th 1369, 1378 (Fed. Cir. 2022) (quoting Thorner v. Sony Computer Ent. Am. LLC, 669 F.3d 1362, 1365 (Fed. Cir. 2012)).

2. Definiteness

A patent specification must “conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as [the] invention.” 35 U.S.C. § 112, ¶ 2 (2006).[2] “[A] patent is invalid for indefiniteness if its claims, read in light of the specification delineating the patent, and the prosecution history, fail to inform, with reasonable certainty, those skilled in the art about the scope of the invention.” Nautilus, Inc. v. Biosig Instruments, Inc., 572 U.S. 898, 901 (2014). To comply with § 112, a patent “must provide objective boundaries for those of skill in the art.” Interval Licensing LLC v. AOL, Inc., 766 F.3d 1364, 1371 (Fed. Cir. 2014). “The scope of claim language cannot depend solely on the unrestrained, subjective opinion of a particular individual.” Datamize, LLC v. Plumtree Software, Inc., 417 F.3d 1342, 1350 (Fed. Cir. 2005), abrogated on other grounds by Nautilus, 572 U.S. at 901. The patent challenger “ha[s] the burden of proving indefiniteness by clear and convincing evidence.” BASF Corp. v. Johnson Matthey Inc., 875 F.3d 1360, 1365 (Fed. Cir. 2017).

[2] The America Invents Act (AIA) revised the pertinent provision of Section 112 to read: “The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.” 35 U.S.C. § 112(b). The revision is not substantive. The patents at issue in this case are a mix of pre- and post-AIA patents. The parties have not argued that the Court should assess their definiteness differently.

3. Means-Plus-Function

“Means-plus-function” limitations generally refer to those invoking § 112 ¶ 6, now codified as § 112(f). That paragraph provides:

An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

35 U.S.C. § 112 ¶ 6. The overall means-plus-function analysis involves two steps.

At step one, courts “determine whether a limitation is drafted in means-plus-function format” by determining whether the limitation “connotes sufficiently definite structure to a person of ordinary skill in the art.” Dyfan, LLC v. Target Corp., 28 F.4th 1360, 1365 (Fed. Cir. 2022). Courts presume that “a claim limitation is not drafted in means-plus-function format in the absence of the term ‘means.’” Id. “The presumption can be overcome if a challenger demonstrates that the claim term fails to recite sufficiently definite structure.” Id. (citation and internal quotation marks omitted). The essential inquiry is “whether the words of the claim are understood by persons of ordinary skill in the art to have a sufficiently definite meaning as the name for structure.” Williamson, 792 F.3d at 1348. Such an inquiry turns on “[i]ntrinsic evidence, such as the claims themselves and the prosecution history,” as well as extrinsic evidence. Dyfan, 28 F.4th at 1365–66.

At step two, if the limitation is drafted in a means-plus-function format, courts then “determine[e] ‘what structure, if any, disclosed in the specification corresponds to the claimed function.’” Dyfan, LLC, 28 F.4th at 1365 (quoting Williamson, 792 F.3d at 1349–51). A means-plus-function claim is indefinite if the specification fails to disclose adequate corresponding structure to perform the claimed function. Williamson, 792 F.3d at 1351–52.
The step one inquiry is distinct from, but “may be similar to[,] looking for corresponding structure in the specification.” Apple Inc. v. Motorola, Inc., 757 F.3d 1286, 1296 (Fed. Cir. 2014), abrogated on other grounds by Williamson, 792 F.3d at 1349.

B. U.S. Patent No. 6,363,489 (the “’489 patent”)

1. “Returning An Earmark” And “Earmark Provisioning Module”

Term: “returning an earmark” (claim 1)
Fortinet’s Proposal: Indefinite
Forescout’s Proposal: Plain and ordinary meaning
Court’s Construction: Plain and ordinary meaning

Term: “earmark provisioning module” (claim 15)
Fortinet’s Proposal: Indefinite
Forescout’s Proposal: Plain and ordinary meaning
Court’s Construction: Indefinite

Claim 1 recites:

1. A method for detecting and handling a communication from an unauthorized source on a network, the method comprising the steps of:
(a) receiving the communication from the unauthorized source;
(b) analyzing the communication for detecting an information gathering procedure;
(c) if said information-gathering procedure is detected, indicating a source address of the communication as a suspected network reconnaissance collector;
(d) returning an earmark to said suspected reconnaissance collector, such that said earmark includes specially crafted false data, and such that said earmark includes data that can serve to identify an unauthorized source;
(e) analyzing each subsequent communication for a presence of said earmark;
(f) if said earmark is present, indicating source address of the communication as a suspected network reconnaissance collector, and
(g) if said source address is said intruder source address, applying intrusion handling procedures towards the communication from said intruder source address.

(’489 patent at claim 1 (emphasis added).)

Claim 15 recites:

15. A system for detecting and handling the communication from an unauthorized source on a network, the system comprising:
(a) An entry point to the network such that the communication passes through said entry point to reach the network;
(b) an earmark provisioning module for preparing earmarks for sending to unauthorized source, such that said earmarks are specially crafted false data that will identify an unauthorized source;
(c) An intrusion detection module for analyzing the communication and for detecting said earmark in the communication; and
(d) An intrusion-handling module for handling the communication if said earmark is detected by said intrusion detection module.

(Id. at claim 15 (emphasis added).)

Fortinet asserts that both terms are indefinite because (1) they are “highly subjective,” and (2) they are means-plus-function terms that lack sufficient structure in the specification. (Fortinet Reply at 1–2.)

a. The Two “Earmark” Terms Are Not So Subjective As To Render Them Indefinite

The parties agree that “earmark” is a patentee-defined term that means (claim 15)—or includes (claim 1)—“specially crafted false data” to identify an unauthorized source. (Fortinet Br. at 5; Forescout Resp. at 2; ’489 patent at 2:13-14 (“The mark is specifically crafted false data[.]”).) Fortinet argues that the “specially crafted” nature of “earmark” independently renders the term indefinite because it is purely subjective. (Fortinet Reply at 2.) Fortinet’s expert, Dr. Shamos, opines that the specification does not explain—and a POSITA would not understand—the difference between “false data” and “specially crafted false data.” (Shamos Decl. at ¶ 38.) Forescout’s expert, Dr. Cole, counters that “false data” refers to “randomly generated data” that serve no purpose, while “specially crafted false data” refer to those tailored “to identify an unauthorized source.” (Cole Decl. at ¶ 32.) He points to “fake user names and passwords” as an example of “specially crafted false data” in the specification. (Id. (citing ’489 patent at 8:23-26).)

“Earmark” is not indefinite for subjectiveness. Claim terms are “purely subjective” if “they turn[] on a person’s tastes or opinion,” and courts look to the written description to determine whether some standard exists to guide a person as to the scope of the claims. Sonix Tech. Co. v. Publications Int’l, Ltd., 844 F.3d 1370, 1378 (Fed. Cir. 2017). Here, the claim language itself makes clear that “earmark” is not purely subjective because the false data constituting the “earmark” must be specially crafted so that they “can serve to identify an unauthorized source.” (’489 patent at claim 1.) Whether false data can fulfill that purpose is objective. It does not turn on a person’s taste or opinion.

Fortinet’s sole authority does not support its position. In that case, the court found the term “unobtrusive manner” highly subjective because the claim language offers no objective indication of the “unobtrusive manner,” and the prosecution history highlights the difficulty in pinning down the relationship between the term and the patents’ embodiments. Interval Licensing LLC v. AOL, Inc., 766 F.3d 1364, 1372–73 (Fed. Cir. 2014). Here, in contrast, the ’489 patent includes (i) guidance on what makes some false data “specially crafted,” i.e., they must “serve to identify an unauthorized source” (’489 patent at claim 1), (ii) how they are used, i.e., they are gathered by an unauthorized user (id. at 2:14-15), and (iii) at least one example of “specifically crafted false data,” i.e., “fake user names and passwords” (id. at 8:23-26). These details provide guidance on how to distinguish between “specially crafted false data” and generic “false data.”

Fortinet thus has not proven by clear and convincing evidence that the “earmark” terms are indefinite for subjectiveness.

b. Means-Plus-Function

Fortinet separately argues that the “earmark” terms are indefinite as means-plus-function terms lacking corresponding structures. (Fortinet Reply at 1.) Absent the term “means,” “returning an earmark” and “earmark provisioning module” are presumed not means-plus-function terms. See Dyfan, 28 F.4th at 1365. To overcome that presumption, Fortinet must show—by a preponderance of the evidence—that “persons of ordinary skill in the art would not have understood [those] limitations to connote structure in light of the claim as a whole.” Id. at 1367.

i. “Returning An Earmark” Is Not A Means-Plus-Function Term

Fortinet argues that “returning an earmark” is a means-plus-function term because it only claims a function—to “identify an unauthorized source”—but does not recite how to craft an earmark or how it identifies the unauthorized source. (Fortinet Br. at 5.) Forescout argues that claim 1 resembles a typical method claim and “recites the acts necessary to support the specified function.” (Forescout Resp. at 2.)

Although identifying an unauthorized source may be a function of an “earmark,” the term “returning an earmark” recites no such function to invoke § 112, ¶ 6. Without claiming a function, even a term explicitly reciting “means” does not qualify as a means-plus-function limitation. See Wenger Mfg., Inc. v. Coating Machinery Systems, Inc., 239 F.3d 1225, 1236–37 (Fed. Cir. 2001) (affirming “means defining a plurality of separate product coating zones” not subject to § 112, ¶ 6 because there was no recited function corresponding to “means”); York Prods., Inc. v. Cent. Tractor Farm & Family, 99 F.3d 1568, 1574 (Fed.Cir.1996) (“Without an identified function, the term ‘means’ in this claim cannot invoke 35 U.S.C. § 112, ¶ 6.”); Microchip Tech. Inc. v. Nuvoton Tech. Corp. Am., No. 19-CV-01690-SI, 2020 WL 978636, at *11 (N.D. Cal. Feb. 28, 2020) (holding “port control module” not means-plus-function limitation without recited function).

“Returning an earmark” thus is unlike the limitations in Fortinet’s cited cases. Both concern terms solely describing the functions being performed. See Advanced Ground Info. Sys. v. Life360, Inc., 830 F.3d 1341, 1348 (Fed. Cir. 2016) (finding “symbol generator” means-plus-function term as “it is simply an abstraction that describes the function being performed (i.e., the generation of symbols)”); Rain Computing, Inc. v. Samsung Elecs. Am., Inc., 989 F.3d 1002, 1006 (Fed. Cir. 2021) (finding “user identification module” means-plus-function term “because it merely describes the function of the module: to identify a user”).

Even if the term claims a function, Fortinet has not shown that an “earmark” cannot connote sufficient structure. “[W]here a claim recites a function, but then goes on to elaborate sufficient structure, material, or acts within the claim itself to perform entirely the recited function, the claim is not in means-plus-function format.” Sage Products, Inc. v. Devon Industries, Inc., 126 F.3d 1420, 1427–28 (Fed. Cir. 1997). Fortinet presents no convincing argument that an “earmark,” namely, “specially crafted false data,” provides insufficient structure for Fortinet’s proposed function of “identify[ing] an unauthorized source.” (Fortinet Br. at 5.)
In sum, Fortinet has not shown by a preponderance of evidence that “returning an earmark” is a means-plus-function limitation. It thus is not indefinite for lacking a corresponding structure.

ii. “Earmark Provisioning Module” Is A Means-Plus-Function Term

Unlike “returning an earmark,” “earmark provisioning module” is a means-plus-function term. At the outset, “‘[m]odule’ is a well-known nonce word that can operate as a substitute for ‘means.’” Williamson, 989 F.3d at 1350. Accordingly, although this term does not recite “means” and thus is presumed not a means-plus-function limitation, that presumption is much weaker than for “returning an earmark.”

The claim language does not provide sufficient structure for “earmark provisioning module”—a patentee coined term. Claim 15 only recites the function of the “earmark provisioning module,” i.e., preparing or creating earmarks, without explaining how to do so. Nor does the prefix “earmark provisioning” impart structure. See Rain Computing, 989 F.3d at 1006 (holding “user identification module” “merely describes the function of the module: to identify a user”).

Forescout contends that how an “earmark provisioning module” interacts with other claim elements defines the structure of the module. (Forescout Resp. at 2.) Referring to Figure 1 (reproduced below), Forescout’s expert, Dr. Cole, testifies, “a[n] [ear]mark provisioning module 22 provides false information to unauthorized source 20 and hence to the unauthorized user” that “acts as mark and enables traffic from unauthorized source 20, or even from a different unauthorized source (not shown) to be identified later if an intrusion attempt is made.” (Cole Decl. at ¶ 31 (quoting ’489 patent at 4:61–66).)
[Figure 1 of the ’489 patent] (’489 patent at Fig. 1.)

The cited specification provides “nothing more than a restatement of the function, as recited in the claim.” Traxcell Techs., LLC v. Sprint Communs. Co. LP, 15 F.4th 1121, 1134 (Fed. Cir. 2021) (quotation omitted). Also, mere relationship with other elements alone does not provide sufficient structure. See Media Rights Technologies, Inc. v. Capital One Financial Corp., 800 F.3d 1366, 1372–73 (Fed. Cir. 2015) (finding written description of “copyright compliance mechanism,” including how it was connected to various parts of the system, how it functioned, and its potential functional components, was insufficient to define limitation in specific structural terms to render it a non-means-plus-function term). Forescout thus has failed to point to sufficient structure of the “earmark provisioning module.”

Contrary to the specification, Forescout’s counsel also suggested that the “[ear]mark database” was the structure for the “earmark provisioning module” at the claim construction hearing. (9/30/22 Hrg. Tr. at 57:9-22.) The “[ear]mark database” corresponds to box 28 in Figure 1, while the “[ear]mark provisioning module” corresponds to box 22 in the same figure. (Compare ’489 patent at 5:22, 5:28 with id. at 4:57, 4:61, 4:67, 5:3-4, 5:12-13.) Hence, the “[ear]mark database” is distinct from the “[ear]mark provisioning module.”

Because “earmark provisioning module” does not connote sufficiently definite structure, it is a means-plus-function term subject to § 112 ¶ 6. The Court next performs the second step to determine the structure corresponding to the claimed function.

iii. “Earmark Provisioning Module” Lacks Corresponding Structure And Is Therefore Indefinite

The claimed function of “earmark provisioning module” is to provide earmarks. The parties generally agree that the term means “a module that provisions earmarks.” (Shamos Decl. at ¶ 36; Cole Decl. at ¶ 29 (“[T]he plain meaning of [earmark provisioning module] recites a module that creates earmarks.”).)

Next, the Court needs to “determine what structure, if any, disclosed in the specification corresponds to the claimed function.” Rain Computing, 989 F.3d at 1007. “If the function is performed by a general-purpose computer or microprocessor, then the second step generally further requires that the specification disclose the algorithm that the computer performs to accomplish that function.” Id.

Here, the specification does not disclose a structure corresponding to the claimed function. It only describes that the module provides marks[3] “according to techniques which matches the probing method used by unauthorized users to gather information,” without explaining what those techniques are. (’489 patent at 5:4-6.) It refers to the “mark provisioning method” in a single black box in a figure. (Id. at Fig. 1.)

[3] “Earmark” does not appear anywhere in the specification, but the specification refers to “marks.” Forescout contends that those are substitutes for each other. Fortinet agrees that the “earmark” of the claims may be a type of “mark.” (Fortinet Br. at 6.) The Court therefore treats “earmarks” as interchangeable with “marks.”

Although the specification describes that modules—including the earmark provisioning module—“are installed on protected network” and “may be implemented as software, firmware, hardware or a combination thereof,” it does not disclose an algorithm to achieve the claimed function of provisioning or creating earmark function. (’489 patent at 4:49-54.) In Rain Computing, the Federal Circuit found the claim limitation “user identification module” to be an indefinite means-plus-function term. 989 F.3d at 1008. The specification provided structural examples of “computer-readable media or storage device[s]” that were linked to the function of the “user identification module”—much like the firmware and hardware disclosed here. Id. at 1007–08. But the court found them insufficient without an algorithm to achieve the claimed function. Id. The court highlighted that the fact that the “user identification module” includes software algorithms, as is the case here. Id. at 1008.

Likewise, in Advanced Ground Info. Sys., the Federal Circuit found indefinite “signal generator,” when the specification generally described that a signal was generated from certain databases—similar to the “mark database” in Figure 1 of the ’489 patent—without disclosing an algorithm. 830 F.3d at 1349. The court found it not enough to “only address[] the medium through which the symbols are generated,” and not the means of doing so. Id. Here too, the ’489 patent only discloses the database through which the earmarks are generated, but not the means of doing so.

Accordingly, the specification of the ’489 patent fails to disclose any structure corresponding to the recited function of “earmark provisioning module.” The asserted claims containing this term are thus indefinite under 35 U.S.C. § 112, ¶ 2, and claim 15 is therefore invalid.

2. “Said Intruder Source Address”

Term: “said intruder source address” (claim 1)
Fortinet’s Proposal: Indefinite
Forescout’s Proposal: The source address indicated in limitation (f)
Court’s Construction: The source address indicated in limitation (f)

Claim 1 recites:

1.
A method for detecting and handling a communication from an unauthorized source on a network, the method comprising the steps of:

(a) receiving the communication from the unauthorized source;

(b) analyzing the communication for detecting an information gathering procedure;

(c) if said information-gathering procedure is detected, indicating a source address of the communication as a suspected network reconnaissance collector;

(d) returning an earmark to said suspected reconnaissance collector, such that said earmark includes specially crafted false data, and such that said earmark includes data that can serve to identify an unauthorized source;

(e) analyzing each subsequent communication for a presence of said earmark;

(f) if said earmark is present, indicating source address of the communication as a suspected network reconnaissance collector, and

(g) if said source address is said intruder source address, applying intrusion handling procedures towards the communication from said intruder source address.

(’489 patent at claim 1 (emphasis added).)

Fortinet argues that the disputed term is indefinite because one cannot discern with reasonable certainty whether the “source address” refers to that in limitation (c) or (f). Forescout responds that “source address” refers to that in limitation (f).

“A claim is indefinite when it contains words or phrases where the meaning is unclear, which may be the result of the lack of an antecedent basis.” In re Downing, 754 F. App’x 988, 996 (Fed. Cir. 2018) (citing In re Packard, 751 F.3d 1307, 1310, 1314 (Fed. Cir. 2014)). “But the lack of an antecedent basis does not render a claim indefinite as long as the claim apprises one of ordinary skill in the art of its scope and, therefore, serves the notice function required by § 112 ¶ 2.” Id.
(cleaned up). “Whether th[e] claim, despite lack of explicit antecedent basis for [‘intruder source address,’] nonetheless has a reasonably ascertainable meaning must be decided in context.” Energizer Holdings, Inc. v. Int’l Trade Comm’n, 435 F.3d 1366, 1370 (Fed. Cir. 2006).

Here, “said intruder source address” lacks an antecedent basis. The parties agree that “said intruder source address” refers to the “source address” in either step (c) or step (f). (Forescout Resp. at 13; Fortinet Reply at 3.) The Court therefore determines whether the context informs a POSITA to which “source address” the term refers.

Claim Language. The claim language indicates that “said intruder source address” refers to the “source address” in limitation (f). The claimed method is directed to “detecting and handling a communication from an unauthorized source.” (’489 patent at claim 1.) To accomplish that, Forescout’s expert, Dr. Cole, explains, the claimed invention indicates a “source address” as a “suspected network reconnaissance collector” that seeks to gather information in step (c). (Cole Decl. at ¶ 38.) In response, the invention “return[s] an earmark” to the “suspected reconnaissance collector.” (Id.) Steps (e) and (f) identify the source address of the device that sends the earmark, indicating that device as an intruder. (Id.) Using that identified address, step (g) applies the intrusion-handling procedures if “said source address” from step (c) (the address of the suspect) matches “said intruder source address” from step (f) (the address of the intruder who attempted to use the earmark). (Id.) It may be argued that Forescout’s reading would render meaningless the phrase “indicating source address of the communication as a suspected network reconnaissance collector” in step (f).
But reading it otherwise would render redundant steps (d), (e), and (f), steps substantial and seemingly central to the patent. On balance, it is more logical to interpret “said intruder source address” as referring to “the source address” indicated in step (f).

Specification. The specification supports Forescout’s interpretation. In response to “probes,” i.e., information gathering, from unauthorized source 20, [ear]mark provisioning module 22 provides an earmark to it. (’489 patent at 4:61-5:6.) In subsequent communications from that source, intrusion detection module 24 analyzes whether the communications include the earmark. (Id. at 5:14-24.) Once the earmark is identified, “unauthorized source 20 is registered in an intruder database 30,” including its source address or “other intruder identifying factor.” (Id. at 5:24-28.)

Figure 2, a flowchart of an exemplary method for probe and intrusion detection, also reflects this process. (Id. at 5:61-62.) Step 1 in Figure 2 corresponds to step (a) in claim 1—receiving the communication from an unauthorized source. (Id. at 6:6-7.) Next, the information is analyzed for “scan detection,” i.e., information gathering, as in claim 1’s step (b). (Id. at 6:7-8.) Once information gathering has been detected, an earmark is returned to the unauthorized source which is also added to the intruder database. (Id. at 6:28-31.) “[I]f the source address is found in the intruder database . . . the unauthorized source of the packet is proactively handled as described with regard to FIG. 3.” (Id. at 6:57-60.)

[Figure 2 of the ’489 patent] (Id. at Fig. 2.)
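The claim 1 flow quoted above, worked through as an added Python example; it is not part of the order and not the ’489 patent’s implementation. The port-sweep heuristic, the earmark format, the `Sensor` class, the `antecedent` switch and the address are assumptions made for illustration, and the traffic is constructed; `antecedent` selects whether step (g) acts on the addresses indicated in step (c) or in step (f), so the two disputed readings can be compared on the same session.

```python
import secrets
from dataclasses import dataclass, field

# Assumption: this many distinct destination ports from one source counts as
# an "information gathering procedure". The claim names no technique.
SCAN_PORT_THRESHOLD = 3


@dataclass
class Sensor:
    antecedent: str = "f"                         # list that feeds step (g): "c" or "f"
    ports: dict = field(default_factory=dict)     # src -> destination ports seen
    suspects: set = field(default_factory=set)    # step (c): suspected collectors
    intruders: set = field(default_factory=set)   # step (f): sources that presented an earmark
    issued: dict = field(default_factory=dict)    # earmark -> address it was returned to

    def receive(self, src, dst_port, payload=""):
        """Steps (a)-(g) for one communication. Returns (action, earmark or None)."""
        # (e)/(f): an earmark was only ever handed to a prober, so seeing one
        # again marks the sender of this communication.
        if any(mark in payload for mark in self.issued):
            self.intruders.add(src)
        # (g): handling is keyed on whichever list the chosen reading points at.
        flagged = self.suspects if self.antecedent == "c" else self.intruders
        if src in flagged:
            return "handled", None
        # (b): analyze for information gathering (toy port-sweep heuristic).
        seen = self.ports.setdefault(src, set())
        seen.add(dst_port)
        if len(seen) >= SCAN_PORT_THRESHOLD and src not in self.suspects:
            self.suspects.add(src)                 # (c)
            mark = "svc-" + secrets.token_hex(4)   # (d): false account name, unique per prober
            self.issued[mark] = src
            return "earmark_returned", mark
        return "allowed", None


def replay(antecedent):
    """Run one constructed session through the sensor; return (actions, sensor)."""
    sensor = Sensor(antecedent=antecedent)
    src = "203.0.113.10"                           # constructed, documentation range
    actions, mark = [], None
    for port in (21, 22, 23):                      # port sweep triggers steps (b)-(d)
        action, issued = sensor.receive(src, port)
        mark = issued or mark
        actions.append(action)
    actions.append(sensor.receive(src, 80, "GET /")[0])                # no earmark
    actions.append(sensor.receive(src, 22, f"login user={mark}")[0])   # earmark comes back
    actions.append(sensor.receive(src, 80, "GET /")[0])                # later traffic
    return actions, sensor


if __name__ == "__main__":
    for reading in ("c", "f"):
        actions, sensor = replay(reading)
        print(reading, actions, "intruder list:", sorted(sensor.intruders))
```

The two runs differ only at the fourth message: with the step (c) list, handling starts as soon as the sweep is detected; with the step (f) list, it starts only once the earmark is presented.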
If “said intruder source address” in step (g) refers to “source address” in step (c), the method teaches “applying intrusion handling procedures towards the communication” once “information-gathering procedure is detected.” (Id. at claim 1.) But that would ignore the specification that describes “provid[ing] false information to unauthorized source 20” in response to information gathering. (Id. at 4:61-5:6.) In contrast, if “said intruder source address” in step (g) refers to “source address” in step (f), the method teaches “applying intrusion handling procedures towards the communication” once an “earmark is present” in an unauthorized source’s subsequent communication. (Id. at claim 1.) That reading is consistent with the specification where an unauthorized source communicating an earmark would be added to an intruder database (id. at 6:28-31), and “if the source address is found in the intruder database . . . the unauthorized source of the packet is proactively handled.” (Id. at 6:57-60.)

In short, the specification supports that “said intruder source address” refers to the “source address” in limitation (f). Fortinet argues that referring to the specification is tantamount to reading an embodiment into the claim. (Fortinet Reply at 3.) But Fortinet’s own authority consulted the specification, and properly so. See Bushnell Hawthorne, LLC v. Cisco Sys., 813 F. App’x 522, 527 (Fed. Cir. 2020) (finding “said different IP Address” indefinite where specification provided several potential interpretations of “different IP Address”).

Prosecution history. The prosecution history does not shed much light on the meaning of “said intruder source address.” After the patent issued, the patentee sought correction to provide antecedent basis to the disputed term.
The Examiner rejected that request, but provided no reasoning.

On balance, the broader context suggests that a POSITA would have understood the antecedent basis of “said intruder source address” to refer to the “source address” in limitation (f).

C. U.S. Patent Nos. 8,590,004 (the “’004 patent”) and 9,027,079 (the “’079 patent”)

1. “Dynamic Security Policy”

Term: “dynamic security policy” (’004 patent claim 10; ’079 patent claim 10)
Fortinet’s Proposal: Indefinite
Forescout’s Proposal: Plain and ordinary meaning
Court’s Construction: Plain and ordinary meaning

The ’004 patent is directed to a method and system for controlling access to a computer network. (’004 patent at Abstract.) They do so by authenticating, and granting a certain access level to, an access point. (Id.) The ’004 patent shares a common specification with its continuation—the ’079 patent. The relevant claims recite:

10. A method for regulating access to resources on a data network comprising:

receiving authentication credentials from an access point through which the client is attempting to connect to network resources;

retrieving data from an authentication server;

retrieving data from a Dynamic Security Data & Policy Database (DSDPD), which DSDPD includes rules indicating network resource access provisions to be applied to a given client device based on: (1) data received from the given client device indicating the compliance of the given client device with specific security policies and (2) security information said DSDPD retrieves from a network security and monitoring system (NSMS), wherein said NSMS monitors a history of network resource access authorization requests, which history includes:

(a) identities of parties who requested authorizations; and

(b) results of the authorization requests;

processing the retrieved data from the authentication server and the DSDPD, wherein said processing is computed according to a dynamic security policy; and

sending a response to the network access point based on the processing of the retrieved data.

(’004 patent at claim 10 (emphasis added).)

10. A method for regulating access via access points to resources on a data network, said method comprising:

receiving authentication credentials from an access point through which a device is attempting to connect to network resources;

retrieving data from an authentication server;

retrieving data from a Dynamic Security Data & Policy Database (DSDPD), which DSDPD includes rules indicating network resource access provisions to be applied to a given device based on: (1) compliance of the given device with specific security policies and (2) security information said DSDPD retrieves from a network security and monitoring system (NSMS) comprising processing circuitry communicatively coupled to the network and configured to monitor access of end systems to the network via one or more access points;

performing a first processing of the retrieved data from the authentication server and the DSDPD, wherein said first processing is computed according to a dynamic security policy; and

sending a response to the network access point granting the first device quarantined access to the network, based on the processing of the retrieved data;

performing further compliance testing of the first device via the quarantined access;

re-determining access to network resources to be granted to the first device based on results of the further compliance testing and a second processing of the retrieved data from the authentication server and the DSDPD.

(’079 patent at claim 10 (emphasis added).)
Fortinet contends that “dynamic security policy” is indefinite because the specifications do not explain what is “dynamic” about the security policy. (Fortinet Br. at 8–9.) Specifically, it argues that Forescout, through its expert, offers several definitions of “dynamic” and that those definitions are highly subjective. (Id. at 9–10.) The Court disagrees.

First, although the specifications do not expressly define “dynamic security policy,” a POSITA may ascertain its meaning from that of individual words. See Bancorp Services, L.L.C. v. Hartford Life Ins. Co., 359 F.3d 1367, 1372 (Fed. Cir. 2004) (declining to find term indefinite where “the components of the term have well-recognized meanings, which allow the reader to infer the meaning of the entire phrase with reasonable confidence”). The parties agree that “security policy” by itself is likely meaningful. (Shamos Decl. at ¶ 56; Cole Decl. at ¶ 56.)

Fortinet’s expert, Dr. Shamos, does not dispute that “dynamic” has several well-known meanings but explains that each meaning covers a different scope. (Shamos Decl. at ¶ 56.) Forescout’s expert, Dr. Cole, responds that the specifications and prosecution history support and provide guidance on the term’s broad scope: a security policy may be “dynamic” by accounting for changes to a device’s network provisions based on changes to that device’s security policy compliance (Cole Decl. at ¶¶ 56, 57 (citing ’004 patent at claim 1, 3:40-44, 9:60-10:6, ’079 patent at 3:62-66, 10:15-28, Resp. to Office Action of Oct. 6, 2011)); it may be “dynamic” by requiring updates responding to the ever-changing nature of cyber security (id. (citing ’004 patent at 3:55-57, ’079 patent at 7:61-63)).

“[B]readth is not indefiniteness.” BASF, 875 F.3d at 1367. Fortinet has failed to show that Forescout’s proposed construction, though broad, falls outside a reasonable range of implementations that the claim language permits. See Capital Sec. Sys. v. NCR Corp., 725 F. App’x 952, 957 (Fed. Cir. 2018) (holding “ascertains an apparent signature” not indefinite as POSITA would understand scope to include all four implementations suggested by patentee’s expert).

Second, the term “dynamic” is neither a term of degree nor a purely subjective claim phrase. Although a security policy may be “dynamic” in several ways, Fortinet has not provided evidence that whether it is considered dynamic “depends on the unpredictable vagaries of any one person’s opinion.” Interval Licensing, 766 F.3d at 1371 (internal quotation marks and citation omitted).

In sum, Fortinet has not shown clear and convincing evidence that “dynamic security policy” is indefinite.

2. “Dynamic Security Data & Policy Database”

Term: “Dynamic Security Data & Policy Database”
Fortinet’s Proposal: Indefinite
Forescout’s Proposal: Plain and ordinary meaning
Court’s Construction: Plain and ordinary meaning

Fortinet contends “Dynamic Security Data & Policy Database” to be indefinite for two reasons: (1) the term does not make clear what is “dynamic” about the component; (2) the claim language and specification fail to recite sufficient structure, invoking § 112 ¶ 6 and rendering the claim indefinite. (Fortinet Reply at 6.) The Court disagrees with the first reason as explained above. For the reasons below, the second reason also fails.

Absent the term “means,” “Dynamic Security Data & Policy Database” is presumed not to be a means-plus-function limitation. See Dyfan, 28 F.4th at 1365. Fortinet may overcome that presumption by showing that the limitation “fails to recite sufficiently definite structure.” Id.
(internal quotation marks and citation omitted). It argues that “database” imparts insufficient structure to perform the claimed functions, including “storing data,” “being ‘dynamic,’” and “‘retriev[ing]’ security information from other components.” (Fortinet Br. at 11–12.) Fortinet has failed to overcome that presumption here.

The term “Dynamic Security Data & Policy Database” does not have an obvious claimed function. The claim language simply describes what the database stores and how it operates—namely, it stores rules that specify network access provisions and security policies. (See, e.g., ’004 patent at claim 1 (“a Dynamic Security Data & Policy Database (DSDPD), which DSDPD includes rules indicating network resource access provisions to be applied to a given client device”).) “Without an identified function, the term ‘means’ in [a] claim cannot invoke 35 U.S.C. § 112, ¶ 6.” York Prod., 99 F.3d at 1574. This is more so here where the term does not recite “means.” Cf. Microchip Tech., 2020 WL 978636, at *11–*12 (finding “port control module” not means-plus-function limitation term where claim did not recite any function of said module).

The two cases cited by Fortinet are distinguishable because their disputed terms clearly have claimed functions. See Egenera, Inc. v. Cisco Sys., 972 F.3d 1367, 1370 (Fed. Cir. 2020) (finding claim language “configuration logic for receiving and responding to said software commands” clearly identified claimed function as the portion after the word “for”); Synchronoss Techs., Inc. v. Dropbox, Inc., 987 F.3d 1358, 1367 (Fed. Cir. 2021) (noting claimed function of “user identifier module” was “identifying a user”).

In sum, Fortinet did not overcome the presumption that “Dynamic Security Data & Policy Database” is not a means-plus-function term.
The plain and ordinary meaning governs.

3. “Dynamic Security Authentication Service Server”

Term: “Dynamic Security Authentication Service Server” (’079 patent at claims 1, 18, 20)
Fortinet’s Proposal: Indefinite
Forescout’s Proposal: Plain and ordinary meaning
Court’s Construction: Plain and ordinary meaning

The relevant claims recite:

1. A data network access security system for regulating access via access points to resources on a data network, said system comprising:

a network security and monitoring system (NSMS) comprising processing circuitry communicatively coupled to the network and configured to monitor access of end systems to the network via one or more access points, wherein an access point is any network device adapted to provide computational devices access to the network; and

a Dynamic Security Authentication Service Server (DSASS) comprising processing circuitry communicatively coupled to the network, the one or more access points, said NSMS and an authentication server external to said DSASS, said DSASS including:

a Dynamic Security Data & Policy Database (DSDPD), which DSDPD includes rules indicating network resource access provisions to be applied to a given device based on: (a) compliance of the given device with specific security policies; (b) security information received from said NSMS and (c) authentication information received from the authentication server

an access policy module adapted to:

(1) receive authentication credentials of a user, from an access point through which the user is attempting to connect to network resources using a first device,

(2) cause the access point to initially grant the first device quarantined access to the network based on (i) data received from the authentication server in relation to the
authentication credentials and (ii) compliance data associated with the first device received from said DSDPD;

(3) after the first device has been granted quarantined access, facilitate further compliance testing of the first device via the quarantined access;

(4) determine access to network resources to be granted to the first device based on results of the further compliance testing and the data received from: (i) the authentication server external to said DSASS and (ii) said DSDPD; and

(5) cause the access point to grant the first device the determined access to the network resources.

(’079 patent at claim 1 (emphasis added).)

18. A data network access security system for regulating access via access points to resources on a data network, said system comprising:

a network security and monitoring system (NSMS) comprising processing circuitry communicatively coupled to the network and configured to monitor access of end systems to the network via one or more access points; and

a Dynamic Security Authentication Service Server (DSASS) comprising processing circuitry communicatively coupled to the network, the one or more access points, said NSMS and an authentication server external to said DSASS, said DSASS including:

a Dynamic Security Data & Policy Database (DSDPD), which DSDPD includes rules indicating network resource access provisions to be applied to a given device based on: (a) compliance of the given device with specific security policies; (b) security information received from said NSMS and (c) authentication information received from the authentication server external to said DSASS;

an access policy module adapted to:

(1) receive authentication credentials of a user, from an access point through which the user is attempting to connect to network resources using
a first device,

(2) cause the access point to initially grant the first device quarantined access to the network based on data received from: (i) the authentication server external to said DSASS and (ii) said DSDPD;

(3) after the first device has been granted quarantined access, facilitate compliance testing of the first device via the quarantined access;

(4) determine access to network resources to be granted to the first device based on results of the compliance testing and the data received from: (i) the authentication server external to said DSASS and (ii) said DSDPD; and

(5) cause the access point to grant the first device the determined access to the network resources.

(Id. at claim 18 (emphasis added).)

20. The system according to claim 18, wherein said DSASS is a Dynamic Security Authentication Service Proxy Server.

(Id. at claim 20 (emphasis added).)

Fortinet argues that “Dynamic Security Authentication Service Server” (“DSASS”) is indefinite for several reasons. None are persuasive. First, Fortinet argues that this term invokes § 112 paragraph 6 without any corresponding structure in the specification. (Fortinet Reply at 7.) “Dynamic Security Authentication Service Server” does not recite “means,” so Fortinet must overcome the presumption that it is not a means-plus-function term. See Dyfan, 28 F.4th at 1365. It has not done so here. At the outset, both parties’ experts agree that a POSITA would understand the term to connote the structure of a server. (Shamos Decl. at ¶ 63 (“I believe a POSITA would interpret ‘Dynamic Security Authentication Service Server’ as a server that provides ‘Dynamic Security Authentication Service.’”); Cole Decl. at ¶ 63.)
Moreover, claims 1 and 18 of the ’079 patent define DSASS to “compris[e] processing circuitry communicatively coupled to the network, the one or more access points” and includes “a Dynamic Security Data & Policy Database” and “an access policy module.” Although Fortinet’s expert, Dr. Shamos, finds this term ambiguous because of the word “dynamic,” he does not opine that the term lacks structure. (See Shamos Decl. at ¶¶ 58-63.) Fortinet thus has not overcome the presumption that DSASS is not a means-plus-function term.

Second, Fortinet appears to argue that DSASS is indefinite because this patentee-coined term does not appear anywhere in the specification. (Fortinet Reply at 7–8.) “There is no requirement that the words in the claim must match those in the specification disclosure.” In re Skvorecz, 580 F.3d 1262, 1268–69 (Fed. Cir. 2009) (quoting MPEP § 2173.05(e)). The claim language itself defines the components of DSASS. And Fortinet’s own expert appears to understand its meaning. (See Shamos Decl. at ¶ 63 (“I believe a POSITA would interpret ‘Dynamic Security Authentication Service Server’ as a server that provides ‘Dynamic Security Authentication Service.’ . . . I believe a POSITA would find ‘Security Authentication Service’ to likely refer to an ‘authentication service for computer security[.]’”).) Therefore, Fortinet has not shown by clear and convincing evidence that the term is so “insolubly ambiguous” as to render it indefinite. Nautilus, 572 U.S. at 911.

Finally, Fortinet again takes issue with the term “dynamic.” (Fortinet Reply at 7–8.) For the same reason explained above, “dynamic” does not render this limitation indefinite.

D. U.S. Patent No.
10,530,764 (the “’764 patent”)

Term: “corporate device” (claim 1)
Fortinet’s Proposal: Indefinite
Forescout’s Proposal: Plain and ordinary meaning
Court’s Construction: “authorized device”

Claim 1 recites:

1. A system comprising:

a memory; and

a processing device operatively coupled to the memory, the processing device to:

detect a connection of an endpoint device at a network switch coupled to a network;

restrict access of the endpoint device to prevent the endpoint device from accessing resources of the network by applying a VLAN assignment to the network switch;

establish a connection with the endpoint device;

validate a client certificate corresponding to the endpoint device to authenticate the endpoint device as a corporate device, wherein to validate the client certificate, the processing device to:

receive the client certificate from the endpoint device, the client certificate comprising a subject name, a client public key and a digital signature of the client public key by a certificate authority;

retrieve a certificate authority certificate from the certificate authority, the certificate authority certificate comprising a certificate public key;

verify the digital signature of the client public key using the certificate authority public key; and

verify the subject name using the client public key; and

grant the endpoint device access to the resources of the network.

(’764 patent at claim 1 (emphasis added).)

Fortinet argues that the term “corporate device” is indefinite “because it is fatally ambiguous.” (Fortinet Br. at 16.) In Fortinet’s primary authority, the claim found to be indefinite recites a step of displaying an image or images “in an unobtrusive manner.” Interval Licensing, 766 F.3d at 1368.
The Federal Circuit first found the phrase “unobtrusive manner” “highly subjective and, on its face, provides little guidance to one of skill in the art.” Id. at 1371. After finding the term “purely subjective,” the court looked to the written description for guidance. Id. The specification at issue included multiple embodiments, but it was unclear as to which embodiment the phrase related. Id. at 1373. The court found that even taking a narrow view of the specification and assuming that the phrase applied to only one of the embodiments, the lone example in the specification left the skilled artisan “to wonder what other forms of display are unobtrusive and non-distracting.” Id. A POSITA is left “to consult the unpredictable vagaries of any one person’s opinion.” Id. (quotation omitted).

Unlike the term “unobtrusive manner,” “corporate device” is not “highly subjective” on its face subject to “vagaries of any one person’s opinion.” Id. Pointing to claim language, Dr. Cole, Forescout’s expert, opines that “a POSITA would have recognized that a ‘corporate device’ is an ‘endpoint device’ that has been successfully authenticated” in accordance with the rest of the method. (Cole Decl. at ¶ 70.) That is because, he explains, the claim so distinguishes between a “corporate device” and other end point devices. (Id.; ’764 patent at claim 1 (“validate a client certificate corresponding to the endpoint device to authenticate the endpoint device as a corporate device”).)

The specification confirms that a “corporate device” is an authenticated device. The specification recites, “NAC agent interface 215 may receive a client certificate from NAC agent 112, which may be used to authenticate endpoint device 110 and determine whether endpoint device 110 is a corporate device.” (’764 patent at 5:29-32.) Forescout’s expert, Dr.
Cole, explains that “NAC agents use claimed certificates to authenticate endpoint devices to determine whether they are a corporate device or not.” (Cole Decl. at ¶ 71.) Similarly, the specification distinguishes between “corporate devices” and “unauthorized devices” (’764 patent at 1:51-62), as well as between “corporate devices” and “rogue device” (id. at 2:60-63). Thus, the specification teaches that a “corporate device” is an “authorized device,” rather than an “unauthorized” or “rogue” device.

Fortinet argues that Forescout’s interpretation would effectively read out the phrase “as a corporate device” from the claim, requiring only the validation of the certificate. (Fortinet Br. at 16–17; Fortinet Reply at 9.) But “surplusage may exist in some claims,” ERBE Elektromedizin GmbH v. Canady Tech. LLC, 629 F.3d 1278, 1286 (Fed. Cir. 2010), and thus the mere fact that this claim may involve surplusage does not render the disputed term indefinite.

Fortinet also points to certain prosecution history to argue that a “corporate device” cannot simply mean any authenticated device. During prosecution, the applicant distinguished prior art for failing to disclose the “authenticate the endpoint device as a corporate device” limitation. (Ex. F at 202.) The applicant did not explain why, but the prior art appears to concern “user authentication” as opposed to device authentication. (Id. (prior art describing “VPN handler 68 uses the selected certificate for user authentication . . .”).) The Court’s construction therefore does not contradict the prosecution history.

In sum, Fortinet has not shown by clear and convincing evidence that “corporate device” is indefinite and the Court construes it as “authorized device.”

E. U.S. Patent No.
10,652,116 (the “’116 patent”)

“determine a device type classification” (claim 11)
Fortinet’s Proposal: Indefinite
Forescout’s Proposal: Plain and ordinary meaning
Court’s Construction: Plain and ordinary meaning

Claim 11 of the ’116 patent recites,

11. A system comprising:
a memory; and
a processing device, operatively coupled to the memory, to:
access data associated with a device, wherein the data associated with the device comprises traffic analysis data associated with the device and data received from an external system;
periodically determine a device type classification for the device based on the data associated with device; and
store the device type classification for the device; and
apply a security policy to classified device based on the device meeting particular criteria of the security policy.

(’116 patent at claim 11 (emphasis added).)

Fortinet argues that “determine a device type classification” is indefinite for two reasons. First, Fortinet contends that the term does not define what a “device type” classification is, how it differs from “a classification for the device” in claim 1, and what distinguishes a categorization into groups that are based upon “device type” from groups that are not. Forescout responds that a POSITA would understand the meaning and scope of the term based on the plain meaning of each word individually, and the specification provides examples of classifying devices into groups based on the types of devices.

The term “determine a device type classification” has a plain and ordinary meaning. Fortinet’s expert opines—and Forescout’s expert offers no contrary testimony—that each word in the claim term has a well-understood meaning to a POSITA. (Cole Decl. at ¶ 77.)
Moreover, the specification explains that devices may be classified into “groups based on types of devices”:

A device classification heuristic may be used to classify devices into different groups. . . . The groups may be based on types of devices. For example, one group may be for devices that have a particular operating system, a second group for medical devices (e.g., a magnetic resonance imaging (MRI) device, a X-ray device, or computed tomography (CT) scanning device), and a third group for operational technology devices (e.g., device configured to detect or cause changes in physical processes through direct monitoring or control of physical devices such as valves, pumps, etc.).

(’116 patent at 3:59-4:7.) The specification also describes that a device type might be grouped by how the device is connected to the network, such as by Ethernet or wireless connections:

While it may be possible to determine certain types of identifying information (e.g., IP address, MAC address, etc.) with respect to many types of network-connected devices (e.g., those connected via a Ethernet connection or Wi-Fi™), in certain scenarios it may be difficult to determine with a high degree of accuracy certain characteristics of a particular device (e.g., whether such a device is an access point) and thereby classify the device.

(Id. at 2:9-17 (emphasis added).) “Because the intrinsic evidence here provides a general guideline and examples sufficient to enable a person of ordinary skill in the art to determine the scope of the claims . . . the claims are not indefinite.” Enzo Biochem, Inc. v. Applera Corp., 599 F.3d 1325, 1335 (Fed. Cir. 2010) (citation and quotation marks omitted).
Fortinet argues that “a device type classification” cannot simply refer to the classification of device types under its ordinary meaning. According to Fortinet, claim differentiation mandates that the disputed “a device type classification” in claim 11 must have a different meaning from “a classification for the device” in claim 1—another independent claim. Forescout responds that the patent does not have to “expressly define what is and is not a device type.” (Forescout Resp. at 8.)

Fortinet fails to show that claim differentiation applies. “‘[C]laim differentiation’ refers to the presumption that an independent claim should not be construed as requiring a limitation added by a dependent claim.” Curtiss-Wright Flow Control Corp. v. Velan, Inc., 438 F.3d 1374, 1380 (Fed. Cir. 2006). The Federal Circuit “has declined to apply the doctrine of claim differentiation where ‘the claims are not otherwise identical in scope.’” Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1238 (Fed. Cir. 2016) (quoting Indacon, Inc. v. Facebook, Inc., 824 F.3d 1352, 1358 (Fed. Cir. 2016)). Fortinet does not contend that claim 1—an independent method claim—has the same scope as claim 11—an independent system claim. Fortinet’s sole authority construed a term in an independent claim using dependent claims. Karlin Tech., Inc. v. Surgical Dynamics, Inc., 177 F.3d 968, 972 (Fed. Cir. 1999). That is not the case here, as both claims 1 and 11 are independent claims. Claim differentiation therefore does not apply.

Fortinet similarly points to the specification to argue that “classification for a/the device” must have a different meaning from “device type classification.” (Fortinet Br. at 18.)
The specification has indeed used both terms in the same paragraph:

Classification determiner 308 is configured to determine a classification of a device based on information received from one or more components (e.g., third party interface 302, agent interface 304, traffic analyzer 306, classification determiner 308, device interface 310, and network interface 312) of system 300, as described herein. Classification determiner 308 may further store a device type classification of the device. Classification determiner 308 may be configured to determine the device type classification of the device periodically.

(’116 patent at 8:44-53 (emphasis added).) Fortinet’s expert opines that “classification of the device” must have a different meaning from “device type classification” because the classification determiner 308 is configured to determine both. (Shamos Decl. at ¶ 72.) But that part of the specification could be consistent with the opposite conclusion that the terms mean the same throughout that paragraph. Assuming the two “classification” terms are synonymous, the specification simply describes that the classification determiner 308 can be configured to (1) determine “a classification of a device” (or, synonymously, “device type classification”) (’116 patent at 8:44-45), (2) store that determination (id. at 8:49-50), and (3) determine that classification periodically (id. at 51-53 (emphasis added)). The specification therefore does not support Fortinet’s argument that “device type classification” cannot mean “classification for a/the device.”

Additionally, Fortinet argues that “the patent leaves unclear what distinguishes a categorization into groups that are based upon ‘device type’ from groups that are not.” (Fortinet Br. at 18.)
Forescout contends that “a type of device is essentially the group that it belongs to.” (9/30/22 Hrg. Tr. at 84:11-12.) Forescout’s contention is consistent with the Court’s construction.

Second, Fortinet argues that the disputed term “is a pure recitation of function, with the closest potential structure being a generic ‘processing device,’ invoking § 112(f), and the specification lacks the disclosure of an algorithm for how this device type classification is made.” (Fortinet Reply at 10.) In effect, Fortinet argues that a different term—“processing device”—is an indefinite means-plus-function term. Forescout points out that Fortinet did not elect “processing device” for the Court to construe. The Court agrees and does not construe it herein.

F. U.S. Patent No. 10,652,278 (the “’278 patent”)

1. “Standard Based Compliance Rule”

“standard based compliance rule” (claim 1)
Fortinet’s Proposal: Indefinite
Forescout’s Proposal: Plain and ordinary meaning
Court’s construction: Plain and ordinary meaning

Claim 1 recites,

1. A method comprising:
detecting, by a compliance monitoring device, a device coupled to a network in response to the device being coupled to the network;
determining a classification of the device based on traffic information associated with the device;
accessing a compliance rule based on the classification of the device, wherein the compliance rule is a standard based compliance rule;
performing, by a processing device of the compliance monitoring device, a compliance scan on the device based on the compliance rule;
determining a compliance level of the device based on a result of the compliance scan of the device; and
performing an action based on the compliance level.

(’278 patent at claim 1 (emphasis added).) Fortinet argues that “standard based compliance rule” is indefinite because the term leaves open (1) what it means to be “based on a standard” and (2) what a “standard” is. (Fortinet Reply at 11.) Neither argument is persuasive.

Fortinet first argues that it is unclear whether “standard based” “requires the rule to be defined in a language that is standardized, or to be implementing a rule that is described in a standard.” (Fortinet Reply at 11 (emphasis in original).) Fortinet refers to the definition of SCAP—an example of a “standard based compliance rules” (’278 patent at 2:28-31):

SCAP is a set of open standard XML based languages for writing configuration benchmarks for computing devices. SCAP can also be used to create a benchmark of vulnerabilities that devices should not contain.

(Id. at 2:21-24.) “SCAP rules” is the only example of “standard based compliance rules” described in the specification. (See id. at 2:28-31 (“[A] device communicatively coupled to a network can be scanned using standard based compliance rules (e.g., SCAP rules) and a compliance level is computed.”).)

The specification, viewed as a whole, suggests that a “standard based compliance rule” is one implementing a standard, rather than a rule written in a standardized language. First, the ’278 patent—directed to “checking device compliance and remediation of device compliance issues” (id. at 1:7-8)—does not concern the computer language in which one writes a compliance rule. Second, the specification describes “perform[ing] compliance checks according to compliance rules of the compliance benchmark,” (id. at 2:59-60), indicating that a “standard based compliance rule” is akin to a “benchmark” based compliance rule. Such an understanding is consistent with SCAP’s purpose of creating “benchmarks for computing devices.” (Id. at 2:21-24.) Put
differently, SCAP rules are “standard based compliance rules” because they are based on benchmarks created by SCAP. Therefore, the claim and specification make clear that the term does not refer to any standardized language, but rather a rule implementing a standard.

Fortinet then argues that “there is no definitive way of telling what is and what is not a standard.” (Fortinet Br. at 20 (quoting Shamos Decl. at ¶ 77).) Its expert, Dr. Shamos, explains that the “process by which a set of rules becomes a ‘standard’ is undefined—some ‘standards’ simply become de facto standards through common acceptance, although it is not clear exactly when this occurs.” (Shamos Decl. at ¶ 77.) At the claim construction hearing, Forescout responds that the “standard” in the disputed term “refers to industry standards.” (9/30/22 Hrg. Tr. at 35:14-15.)

Nothing in the claim or the specification limits the “standard” to an “industry standard” and neither expert so opines. Forescout’s authorities do not help it. The disputed term in one case cited by Forescout explicitly recited “industry standard” and no party asserted indefiniteness. E. Digital Corp. v. New Dane, No. 13-CV-2897-H-BGS, 2014 WL 7139698, at *15 (S.D. Cal. Dec. 12, 2014) (construing “industry standard data storage format”). In the other case, the disputed terms refer to various specific standards by name, such as USB, ADB, SCSI, and RS-232, and standards from specific named organizations. See Hewlett-Packard Dev. Co., L.P. v. Gateway, Inc., No. CIV. 04CV0613-BLSP, 2005 WL 6225388, at *1 (S.D. Cal. Sept. 7, 2005).

Nonetheless, the word “standard” has an ascertainable, ordinary meaning. Forescout’s expert opines, and Fortinet’s expert does not dispute, that each word of the term has a well-understood meaning to a POSITA. (Cole Decl.
at ¶ 89.) Although different dictionaries offer slightly varying definitions, all suggest that a “standard” refers to an agreed-upon protocol. (See Dictionary of Computer Science (2016) (“A publicly available definition of a hardware or software component, resulting from international, national, or industrial agreement.”); Newton’s Telecom Dictionary (2016) (“standard . . . mean[s] something such as a specification established as a yardstick, gauge, or criterion by authority, custom, or general consent”; “standards” means “[a]n agreed-upon rule, regulation, protocol, dimension, interface and/or, technical specification.”).) SCAP, an example of “standard based compliance rules” referred to in the specification, is consistent with that definition. It is an agreed-upon “secure content automation protocol.” (’278 patent at 2:20-21; see also Security Content automation Protocol, Computer Security Resource Center, National Institute of Standards and Technology, available at https://csrc.nist.gov/projects/security-content-automation-protocol, last accessed on Nov. 22, 2022 (“The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas.”).) A POSITA therefore can determine the scope of the invention with reasonable certainty. See Bancorp, 359 F.3d at 1372 (declining to find term indefinite where “the components of the term have well-recognized meanings, which allow the reader to infer the meaning of the entire phrase with reasonable confidence”).

Fortinet also argues that what constitutes “standard” may change with time. (Fortinet Reply at 12.) In essence, Fortinet contends that the patent claim may cover a standard not disclosed or even contemplated in the patent.
Forescout responds that the natural evolution of standards does not render the term indefinite, much like how the scope of “computing devices” changes over time. (Forescout Sur-reply at 7.) Although a “standard” may change with time, the meaning of “standard based compliance rule” does not—it always refers to a compliance rule based on an agreed-upon protocol. Fortinet’s sole authority is inapposite. In Meds. Co. v. Mylan, Inc., the Federal Circuit rejected a construction where, in an ongoing commercial production process, a competitor would not know whether it is consistently producing batches of the requisite impurity until all future batches are produced. 853 F.3d 1296, 1303 (Fed. Cir. 2017). No such ongoing process exists here.

In sum, Fortinet has not proven the disputed term to be indefinite by clear and convincing evidence. The Court accords “standard based compliance rule” its plain and ordinary meaning.

2. “Compliance Level”

“compliance level” (claim 1)
Fortinet’s Proposal: “quantitative score indicating the extent to which a device is in compliance with compliance rules”
Forescout’s Proposal: Plain and ordinary meaning
Court’s Construction: Plain and ordinary meaning

Claim 1 recites,

1. A method comprising:
detecting, by a compliance monitoring device, a device coupled to a network in response to the device being coupled to the network;
determining a classification of the device based on traffic information associated with the device;
accessing a compliance rule based on the classification of the device, wherein the compliance rule is a standard based compliance rule;
performing, by a processing device of the compliance monitoring device, a compliance scan on the device based on the compliance rule;
determining a compliance level of the device based on a result of the compliance scan of the device; and
performing an action based on the compliance level.

(’278 patent at claim 1 (emphasis added).) The parties primarily disagree on whether the compliance level can include a simple binary “pass/fail” as well as gradation levels. (Fortinet Reply at 13.) Forescout argues that it does, and Fortinet disagrees and construes “compliance level” as “quantitative score indicating the extent to which a device is in compliance with compliance rules.”

The plain and ordinary meaning of “compliance level” does not exclude a two-level compliance. The word “level” generally refers to “a relative amount, intensity[,] or concentration.” See Dictionary of Science and Technology (2007). Forescout’s expert agrees. (See Cole Decl. at ¶ 84 (“[A] skilled artisan would have understood that ‘compliance level’ may mean any indicator showing the extent to which a device is following compliance rules, such as a (i) “high risk, medium risk, or low risk” indicator showing whether devices pose a security risk or (ii) a “Pass/No Pass” indicator showing whether a device is or is not compliant with a particular compliance rule.”).) Fortinet’s expert does not opine to the contrary.
The Court therefore gives “compliance level” its ordinary meaning which may encompass a simple binary “pass/fail.”

Fortinet observes that “every embodiment of or reference to a ‘compliance level’ in the specification is quantitative in nature,” but that alone does not narrow the term’s plain and ordinary meaning. (Fortinet Br. at 22–23 (emphasis in original).) Each instance in which the specification describes the “compliance level” as percentage or numerical points is in context of an example. (See ’278 patent at 4:39-42 (“The compliance rules may have weights associated therewith thereby enabling the calculating of a compliance score or level, e.g., as a percentage or a number of points.”), 5:1-8 (“For example, if the compliance level is 20% or below, then operating system updates may be initiated via an update management system on the network (not shown) to attempt to update the device and increase compliance. The device may then be rescanned and upon obtaining a compliance level of 80% or above, compliance monitoring device 102 may grant the device network access.”), 6:10-14 (“The compliance level can be determined based on the result of the scan according to each rule (e.g., whether the device meets a condition of a rule) and a weight assigned to each rule (e.g., a certain number of points or a percentage assigned to each rule).”), 6:26-30 (“For example, the first threshold may be 70 percent compliance, so a device with a compliance level that is 70 percent or above will be granted a relatively high level of network access while a device with a compliance level below the first threshold may be granted different network access, if any.”).) “Such examples are ‘not sufficient to redefine the term . . . to have anything other than its plain and ordinary meaning.’” Ancora Techs., Inc. v.
Apple, Inc., 744 F.3d 732, 735 (Fed. Cir. 2014) (quoting IGT v. Bally Gaming Int'l, Inc., 659 F.3d 1109, 1118 (Fed. Cir. 2011)) (where only instances of embodiments indicating narrower construction were found in examples, holding that specification’s description for “preferred embodiment” was not limiting). There is no indication that the examples in the specifications were intended to be treated as a claims limitation. The specification also discloses computing a “compliance level” (see, e.g., id. at 2:28-31), but that does not preclude a simple pass/fail. For example, a computed “compliance level” of 1 could indicate pass while 0 fail. The specification here therefore does not redefine “level.”

Fortinet’s proposed construction—“quantitative score indicating the extent to which a device is in compliance with compliance rules”—also is confusing. The word “score” typically connotes numbers, such as test scores, and “quantitative score” strengthens that connotation. But Fortinet contends that “compliance level” includes an indicator of “high,” “medium,” or “low” risk, which are not numerical. Fortinet justifies such inclusion because high/medium/low “expresses a comparable quantity (or level) of risk.” (Fortinet Br. at 22 (emphasis in original).) No principled reason exists for why “compliance level” encompasses those three qualitative levels but not the two “pass/fail” levels that also express a comparable quantity of risk. For example, “pass” may correspond to low, and “fail” to high, security risk. Therefore, Fortinet has not overcome the “heavy presumption” that a claim term carries its ordinary and customary meaning. Teleflex v. Ficosa N. Am. Corp., 299 F.3d 1313, 1325 (Fed. Cir. 2002).

G. U.S. Patent No. 9,369,299 (the “’299 patent”)

1.
“Said Network Access”

“said network access” (claims 1, 3, 4, 8)
Fortinet’s Proposal: No construction required
Forescout’s Proposal: Indefinite
Court’s Construction: No construction required

Claim 1 recites,

1. A system for out-of-band control of network access supporting multiple connections comprising:
a network comprising a server device, at least one terminal device, and a communication link between them;
at least one remote access device (RAD) comprising memory, and communicatively coupled to said network; and
a Network Access Control Server (NACS) comprising memory, controlling said network access, wherein said network access control is out of band and comprises:
identity management of said connections;
endpoint compliance of said connections; and
usage policy enforcement of said connections;
wherein said enforcement is out of band and is accomplished on said RAD, comprising communicating with said RAD to make real-time changes to its running configuration, whereby said enforcement is vendor-independent and said system is RAD-agnostic;
said network access control comprising receiving a connect attempt to said network from a user device;
said RAD authenticating connecting user to said NACS for said out of band network control;
said NACS capturing RAD identification, location;
restricting access to said network by said user device with a network access filter (NAF) configured on said RAD;
said RAD directing said client device to an agent;
on said user device, running said agent;
said agent identifying client to said NACS;
modifying said NAF based on compliance; and
monitoring post-connection of successful connections.

(’299 patent at claim 1 (emphasis added).)

2. The system of claim 1, wherein said network access comprises agents whereby said agents collect identity and health information about user and said RAD.

(Id. at claim 2 (emphasis added).)[4]

3. The system of claim 1, wherein said network access comprises:
a VPN concentrator that is said RAD;
at least one of a, Remote Access Server (RAS), firewall, intrusion protection detection system, a switch, a router, an authentication authorization and accounting (AAA) directory server, Bootstrap Protocol (BOOTP), Dynamic Host Configuration Protocol (DHCP), and Domain Name System (DNS).

(Id. at claim 3 (emphasis added).)

4. The system of claim 1, wherein said network access comprises a connection attempt comprising constructing a connection model from information about user and said RAD.

(Id. at claim 4 (emphasis added).)

8. The system of claim 5, wherein said network access of said connecting user device is controlled by filters based on identity and location of connecting user and said RAD.

(Id. at claim 8 (emphasis added).)

[4] Claim 2 is not asserted, but Forescout asks the Court to consider it for the purpose of construing the disputed term. (Forescout Resp. at 14 n.2.) Fortinet did not oppose. (Fortinet Reply at 15.)

Forescout contends that “said network access” is indefinite for two reasons. First, it argues that the term lacks an antecedent basis and “no reasonably ascertainable meaning is apparent.” (Forescout Resp. at 13.) Fortinet points to the preamble as the antecedent basis. The preamble recites, “A system for out-of-band control of network access supporting multiple connections comprising.” Forescout disagrees because the preamble refers to “network access supporting multiple connections” generally but not any specific instance of “network access.” (Id. at 14 (emphasis added).)

Bushnell, Forescout’s primary authority, is inapposite. 813 F. App’x at 526. The Federal Circuit there found “said different IP Address” indefinite. After noting that the term lacks antecedent basis, it found neither the claim language nor the specification clarifies which of the three classes of IP address the disputed term references—“one or more IP Addresses,” “one or more second IP Addresses,” or “one or more third IP Addresses.” Id. Each potential antecedent basis “is presumed to have a separate meaning” and “presumed to refer to different classes of IP addresses.” Id. (emphasis in original). Unlike that in Bushnell, the preamble provides the only possible antecedent basis for “said network access.”

Forescout’s expert, Dr. Cole, does not persuade otherwise. He opines that “[a] POSITA would ordinarily understand the term ‘said network access’ to apply to a specific instance of network access, i.e. the ‘said’ network access as distinguished from other network accesses.” (Ex. J (“5/21/21 Cole Decl.”) at ¶ 35.) He appears to have rested his conclusion on the fact that “said network access” is singular, while access to network by multiple connections should be plural. But the preamble clearly uses “network access” in singular form to refer to access by multiple connections. Forescout has not provided any intrinsic evidence why “said network access” must refer to a specific network access as opposed to “network access supporting multiple connections” generally.

Second, Forescout points to dependent claims 2, 3, 4, and 8.
It observes, “the phrase ‘said network access’ refers to an unspecified network access (claim 1), (software) agents (claim 2), a VPN concentrator (physical device) plus one other system such as a server or firewall (claim 3), a connection attempt comprising constructing a connection model (claim 4), and is tied to a specific connecting user device (claim 8).” (Forescout Resp. at 15.) Fortinet responds that the “dependent claims just recite that ‘said network access . . . comprises’ various other components, much like the preamble of Claim 1.” (Fortinet Reply at 15.)

Neither party’s argument persuades. Contrary to Fortinet’s argument, the preamble of claim 1 recites “[a] system . . . comprising” while the dependent claims recite “said network access comprises.” The dependent claims thus simply do not “refer to ‘said network access’ in exactly the same way as independent claim 1.” (Id.) Although Forescout may be correct that “said network access” cannot technically include all the components in the dependent claims, “[t]he dependent claim tail cannot wag the independent claim dog.” Multilayer Stretch Cling Film Holdings, Inc. v. Berry Plastics Corp., 831 F.3d 1350, 1360 (Fed. Cir. 2016) (citation omitted). “[T]he language of a dependent claim cannot change the scope of an independent claim whose meaning is clear on its face.” Id. Because claim 1’s preamble clearly provides the requisite antecedent basis, the Court declines to find “said network access” indefinite.

2. “Said System”

“said system” (claim 11)
Fortinet’s Proposal: “said NACS”
Forescout’s Proposal: Indefinite
Court’s Construction: “said NACS”

Claim 11 recites,

11.
A method for out of band control for secure network access of a user device to a network comprising the steps of:
receiving a connect attempt to said network from said user device;
authenticating connecting user to a network access control server (NACS) by a remote access device (RAD) for out of band network control;
capturing RAD identification, location by said NACS;
providing out of band network enforcement comprising restricting access to said network by said user device with a network access filter (NAF) configured on said RAD;
wherein said enforcement is out of band and is accomplished on said RAD, comprising communicating with said RAD to make realtime changes to its running configuration, whereby said enforcement is vendor-independent and said system is RAD-agnostic;
directing said client device to an agent by said RAD;
running said agent on said user device;
identifying client to said NACS by said agent;
modifying said NAF based on compliance;
monitoring post-connection of successful connections.

(’299 patent at claim 11 (emphasis added).) Forescout argues that “said system” appears in claim 11 without an antecedent basis and a POSITA would not know whether it refers to the “remote access device (RAD),” the “Intrusion Protection / Intrusion Detection System,” the “client device,” or the network access control server (NACS). (Forescout Resp. at 15–16; 5/21/21 Cole Decl. at ¶¶ 47, 50.) Dr. Shamos, Fortinet’s expert, opines that claim 11 recites no other system besides NACS. (4/25/22 Shamos Decl. at ¶ 62.)

A POSITA would not understand “said system” to refer to RAD. Claim 11 describes “said system” as “RAD-agnostic.” Fortinet correctly observes that “it is unclear how a RAD itself could be RAD-agnostic.” (Fortinet Reply at 16.)
And the claim recites “said RAD” in the same limitation as “said system,” so they are “presumed to have different meanings.” Helmsderfer v. Bobrick Wash-room Equip., Inc., 527 F.3d 1379, 1382 (Fed. Cir. 2008).

“Said system” could not refer to the “Intrusion Protection / Intrusion Detection System.” That system is not actually claimed. Cf. In re Downing, 754 F. App’x 988, 996 (Fed. Cir. 2018) (holding “the end user” refers to “end user” referenced in claim rather than other end users disclosed in the specification).

“Said system” also could not refer to the “client device.” Nowhere does the specification disclose a client device as RAD-agnostic. To the contrary, claim 11 describes the “client device” to be “an agent by said RAD.”

Having ruled out all alternatives, the Court finds that “said system” refers to NACS. The specification confirms so. The claim makes clear that “said system” must be “RAD-agnostic.” And the specification describes NACS as RAD-agnostic. (See, e.g., ’299 patent at 2:40-42 (“[T]he network access control is RAD agnostic.”), 4:29-39 (“[T]he invention [a system and method for network access control] . . . is remote access device (RAD) agnostic . . . .”).) The specification thus establishes that “said system” refers to “said NACS.”

3. “Said System Is RAD-Agnostic”

“said system is RAD-agnostic” (claims 1, 11)
Fortinet’s Proposal: “said NACS supports RADs from multiple vendors”
Forescout’s Proposal: “The state of being unaffected by the manufacturer of the RAD”
Court’s Construction: “said system is unaffected by the manufacturer of RAD”

Claim 1 recites,

1.
A system for out-of-band control of network access supporting multiple connections comprising: 10 United States District Court Northern District of California 11 12 a network comprising a server device, at least one terminal device, and a communication link between them; at least one remote access device (RAD) comprising memory, and communicatively coupled to said network; and 13 14 a Network Access Control Server (NACS) comprising memory, controlling said network access, wherein said network access control is out of band and comprises: 15 identity management of said connections; 16 endpoint compliance of said connections; and 17 usage policy enforcement of said connections; 18 19 20 wherein said enforcement is out of band and is accomplished on said RAD, comprising communicating with said RAD to make real-time changes to its running configuration, whereby said enforcement is vendor-independent and said system is RADagnostic; 21 22 23 said network access control comprising receiving a connect attempt to said network from a user device; said RAD authenticating connecting user to said NACS for said out of band network control; 24 said NACS capturing RAD identification, location; 25 26 restricting access to said network by said user device with a network access filter (NAF) configured on said RAD; 27 said RAD directing said client device to an agent; 28 on said user device, running said agent; 43 Case 3:20-cv-03343-EMC Document 174 Filed 11/28/22 Page 44 of 58 1 said agent identifying client to said NACS; 2 modifying said NAF based on compliance; and 3 monitoring post-connection of successful connections. 4 5 6 7 8 United States District Court Northern District of California 9 (’299 patent at claim 1 (emphasis added).) Claim 11 recites, 11. 
A method for out of band control for secure network access of a user device to a network comprising the steps of: receiving a connect attempt to said network from said user device; authenticating connecting user to a network access control server (NACS) by a remote access device (RAD) for out of band network control; 10 capturing RAD identification, location by said NACS; 11 providing out of band network enforcement comprising restricting access to said network by said user device with a network access filter (NAF) configured on said RAD; wherein said enforcement is out of band and is accomplished on said RAD, comprising communicating with said RAD to make realtime changes to its running configuration, whereby said enforcement is vendor-independent and said system is RADagnostic; 12 13 14 15 16 17 18 19 20 21 22 directing said client device to an agent by said RAD; running said agent on said user device; identifying client to said NACS by said agent; modifying said NAF based on compliance; monitoring post-connection of successful connections. (Id. at claim 11 (emphasis added).) A patentee may act as his or her own lexicographer if the patentee “clearly set[s] forth a 23 definition of the disputed claim term,” and “clearly express[es] an intent to define the term.” GE 24 Lighting Sols., LLC v. AgiLight, Inc., 750 F.3d 1304, 1309 (Fed. Cir. 2014) (quotation omitted). 25 The patentee’s lexicography must appear “with reasonable clarity, deliberateness, and precision.” 26 Renishaw PLC v. Marposs Societa’ per Azioni, 158 F.3d 1243, 1248 (Fed. Cir. 1998). 27 28 In the ’299 patent, the patentee expressly defined “(vendor)-agnostic” as follows: Terms used in this application are described below. 44 Case 3:20-cv-03343-EMC Document 174 Filed 11/28/22 Page 45 of 58 … (vendor)-agnostic—The state of being unaffected by the manufacturer of network devices being managed in the network. 1 United States District Court Northern District of California 2 3 (’299 patent, 4:40–51.) 
The parenthesis around “vendor” suggests that this definition must cover more than “vendor-agnostic.” Besides the definition of “(vendor)-agnostic,” the specification only mentions “agnostic” three times: one “vendor-agnostic” (id. at 5:54), and two “RAD agnostic” (id. at 2:41, 4:36). Therefore, the definition of “(vendor)-agnostic” must relate to “RAD agnostic.” In this regard, neither party advocates swapping out “vendor” with “RAD,” i.e., “the state of being unaffected by RAD,” presumably because NACS interacts with RAD and thus must be affected. Instead, both parties’ proposed constructions of “RAD agnostic” involve RAD manufacturers. It is therefore obvious that what the system is agnostic about must be of RAD manufacturers. The Court therefore construes “said system is RAD-agnostic” as “said system is unaffected by the manufacturer of RAD.”

The Court’s construction addresses the parties’ concerns with each other’s construction. Unlike Forescout’s proposal, the Court’s construction is grammatically correct. It is consistent with the specification’s characterization of a RAD-agnostic embodiment as a “multi-vendor solution.” (Id. at 4:36.) It derives from patentee’s express definition of “(vendor)-agnostic” and is therefore consistent with Forescout’s authority that “a patentee-specified definition controls.” (Forescout Resp. at 17 (citing 3M Innovative Props. Co. v. Avery Dennison Corp., 350 F.3d 1365, 1371 (Fed. Cir. 2003)).) It further avoids using “multi-vendor” which Forescout argues to be indefinite. (Forescout Sur-reply at 11.)

H. U.S. Patent No. 8,458,314 (the “’314 patent”)[5]

[5] On November 15, 2022, the Patent Trial and Appeal Board (“PTAB”) issued its Final Written Decision in an Inter Partes Review proceeding determining that all challenged claims (claims 1–13, 15–18, and 20) of the ’314 patent are unpatentable. (Docket No. 173.) This encompasses all claims of the ’314 patent asserted by Fortinet in this litigation (claims 1, 3, 5–8, 10, 11, 13, and 17). If affirmed, “[t]hat affirmance . . . has an immediate issue-preclusive effect on any pending or co-pending actions involving the patent.” XY, LLC v. Trans Ova Genetics, 890 F.3d 1282, 1294 (Fed. Cir. 2018). Since Fortinet’s time to appeal has not run, the Court still construes the disputed term of the ’314 patent.

“said template of said users and devices is associated” (claim 1)
  Fortinet’s Proposal: “said templates of said users and devices are associated”
“said template of said endpoint” (claims 15, 20)
  Fortinet’s Proposal: “said template records for endpoints”
Forescout’s Proposal: Indefinite
Court’s Construction: The Court construes the phrase of “said template of said users and devices is associated with said profile of said sponsor” as “a said template of said users and devices is associated with a said profile of said sponsor.” The Court construes the phrase “said template of said endpoint is associated with said profile of said sponsor” as “a said template of said endpoint is associated with a said profile of said sponsor.”

Claim 1 recites,

1. A method for control of computer network resources connected to a computer network supporting network endpoints by delegating control from a network administrator to at least one sponsor comprising the steps of:
creating templates for users and devices of said computer network by said network administrator at an administrator account on a workstation connected to said computer network;
creating profiles used to control said resources of said computer network;
associating said templates with said profiles;
creating at least one said sponsor by said network administrator;
associating, by said network administrator, at least one of said profiles with said sponsor;
delegating, by said network administrator, network management administrative privileges to said sponsor, transferring responsibility for said users and devices from said network administrator to said sponsor when said template of said users and devices is associated with said profile of said sponsor; and
controlling of said computer network resources by said sponsor, using said templates assigned to said sponsor by said network administrator, wherein said sponsor is constrained by said network administrator by said at least one associated profile, said sponsors not having network management administrative privileges over said network administrator.

(’314 patent at claim 1 (emphasis added).) Claim 15 recites,

15. A system for control of network resources supporting network endpoints by delegating control from a network administrator to at least one network sponsor comprising:
in a network database, creating template records for endpoints of said network by said network administrator;
in said network database, creating at least one profile used to control said endpoints;
associating said templates with said profiles;
in said network database, creating at least one sponsor record by said network administrator;
associating at least one of said profiles with said sponsor record by said network administrator;
delegating, by said network administrator, network management administrative privileges to said sponsor, transferring responsibility for said endpoint from said network administrator to said sponsor when said template of said endpoint is associated with said profile of said sponsor; and
by executing instructions in a microprocessor, controlling of said network resources by said sponsor, using said templates assigned to said sponsor by said network administrator, wherein said sponsor is constrained by said network administrator by said at least one associated profile.

(Id. at claim 15 (emphasis added).) Claim 20 recites,

20. An apparatus for control of network resources supporting network endpoints by delegating control from a network administrator to at least one network sponsor comprising:
a network database containing template records for endpoints of said network, wherein said template comprises a set of rules or patterns defining scope of IT task, limitations of said endpoint and identification of an association between said endpoint and said sponsor;
in said network database at least one profile used to control said endpoints;
at least one microprocessor executing instructions associating said templates with said profiles;
in said network database at least one sponsor record;
at least one microprocessor executing instructions associating at least one of said profiles with said sponsor record;
at least one microprocessor executing instructions delegating, by said network administrator, network management administrative privileges to said network sponsor, transferring responsibility for said endpoint from said network administrator to said network sponsor when said template of said endpoint is associated with said profile of said sponsor record of said network sponsor; and
at least one microprocessor executing instructions controlling said network resources by said sponsor, using said templates assigned to said sponsor by said network administrator, wherein said sponsor is constrained by said network administrator by said at least one associated profile.

(Id. at claim 20 (emphasis added).) Claim 1 is representative of the three claims. Although claims 15 and 20 recite “template record,” the parties agree that it is not distinct from “template.” (Forescout Resp. at 18 n.1.)

The Court finds neither party’s construction satisfactory.
Forescout argues that “said template” is indefinite because it lacks an antecedent basis and does not have a “reasonably ascertainable meaning.” (Forescout Resp. at 18.) Specifically, the claims “first recite creating ‘templates’ plural and later recite transferring responsibility when a singular ‘said template’ is associated with a profile.” (Id.) And the claims do not recite “which actor chooses the template or how that singular template is chosen from among the multiple templates created.” (Id.) Dr. Cole for Forescout testified that a POSITA would conclude that the reference to “said template” singular has no reasonably ascertainable meaning. (5/21/21 Cole Decl. at ¶ 55.) Fortinet responds that there is no other set of templates referenced in any of the claims, so “said template” must refer to the “templates” plural. (Fortinet Reply at 18.)

The Court disagrees that “said template” singular has no ascertainable meaning. The claim language does not require differentiation among the templates plural, so “said template” simply refers to one of the antecedent templates. The claimed method broadly recites “creating templates for users and devices” and associating those templates with profiles. Whoever chooses a template from the pool of templates through whatever means does not seem to make any difference to the claimed method.

Forescout’s authorities are distinguishable. In two of the three cases, the plural terms that could serve as the antecedent basis have multiple potential meanings. For instance, in Intelligent Agency, LLC v. 7-Eleven, Inc., the disputed term “said reference point” could refer to multiple reference points. No. 4:20-CV-0185-ALM, 2022 WL 760203, at *33 (E.D. Tex. Mar. 11, 2022).
Thus, it is unclear which reference point one should use to determine “which user among said second plurality of users has the strongest connection with said reference point” as the claim requires. Id. Similarly, as described earlier, the claim in Bushnell recites three classes of IP addresses, each presumed to have a separate meaning. 813 F. App’x at 526. The specification therein provided several potential interpretations of “different IP Address.” Id. In Imperium (IP) Holdings v. Apple Inc., the claim recited “groups of pixels, wherein each of said groups of pixels include[] a red pixel having an output” and “a first analog-to-digital converter connected to the output of the red pixel for converting the output of the red pixels . . . .” 920 F. Supp. 2d 747, 751 (E.D. Tex. 2013). The mixed use of “red pixel” and “red pixels” created an ambiguity as to “whether the outputs of multiple pixels are converted into one digital signal per pixel or are instead combined into one digital signal for all pixels.” Id. at 757. In all three cases, the claim language requires differentiation of a singular from among the plural. As discussed above, that is not the case here.

Fortinet construes “said template of said users and devices is associated” as “said templates of said users and devices are associated.” (Fortinet Reply at 18 (emphasis added).) It, in effect, changes the singular to plural in order to obtain the equivalence it asserts was clearly intended. Its own expert, however, appears to reject that construction. As Dr. Shamos opines:

If the limitation read, “when said templates of said users and devices are associated with said profile of said sponsor,” the antecedent basis would be all the templates created in the “creating” step, and it is unlikely that all such templates would be associated with a single profile. Therefore, the plural could not be used.
(4/25/22 Shamos Decl. at ¶ 71 (emphasis in original).)

Fortinet’s authorities are not on point. Baldwin Graphic v. Siebert merely describes the general rule that “a” or “an” can “mean[] more than one.” 512 F.3d 1338, 1342–43 (Fed. Cir. 2008). There, the court held “said fabric roll” does not mandate the singular “a pre-soaked fabric roll”—the term to which “said fabric roll” refers back. Id. at 1343. Here, in contrast, the referred-back term is unequivocally plural while the anaphoric phrase is singular. Aircraft Tech Pubs. v. Avantext, Inc. does not even concern any lack of antecedent basis. No. C 07-4154 SBA, 2009 U.S. Dist. LEXIS 105623, at *17–18 (N.D. Cal. Nov. 10, 2009).

Having found neither party’s construction satisfactory and that the claim language does not differentiate among the templates, the Court agrees with Dr. Shamos that, in this context, “the word ‘a’ is implied before ‘said template.’” (4/25/22 Shamos Decl. at ¶ 71.) “That is, the sponsor only obtains privileges over a particular user or device when the template of that user or device has been associated with the profile of that sponsor.” (Id.) Because the same issue exists for “said profile,” the Court construes the entire phrase of “said template of said users and devices is associated with said profile of said sponsor” as “a said template of said users and devices is associated with a said profile of said sponsor,” and “said template of said endpoint is associated with said profile of said sponsor” as “a said template of said endpoint is associated with a said profile of said sponsor.” This construction is consistent with the structure of the patent claim’s language. Cf. Novo Indus., L.P. v. Micro Molds Corp., 350 F.3d 1348, 1354 (Fed. Cir. 2003) (A district court may correct an “obvious minor typographical [or] clerical” error in a patent if (1) “the correction is not subject to reasonable debate based on consideration of the claim language and the specification” and (2) “the prosecution history does not suggest a different interpretation of the claims.”).

I. U.S. Patent No. 9,948,662 (the “’662 patent”)

“trust level” (claims 1 and 9)
Fortinet’s Proposal: Plain and ordinary meaning
Forescout’s Proposal: “one of multiple (two or more) trust levels corresponding to the number of security features that can be disabled”
Court’s Construction: “one of multiple (two or more) trust levels corresponding to the number of security features that can be disabled”

Claim 1 recites,

1. A method comprising:
receiving, by a network security device within an enterprise network, an application protocol request directed to an external network that is originated by a client device associated with the enterprise network;
determining, by the network security device, based on the application protocol request whether a network parameter of the external network is associated with a set of trusted networks; and
selectively disabling, by the network security device, application of a subset of security features of a plurality of security features to be applied to network traffic exchanged between the client device and the external network while the client device is accessing the external network when a result of said determining is affirmative, wherein the subset of security features are selected based on a trust level associated with the external network.

(’662 patent at claim 1 (emphasis added).) Claim 3 depends on claim 1 and recites,

3. The method of claim 1, further comprising assigning the trust level to the external network, the trust level being selected from a plurality of trust levels in which a higher trust level corresponds to disabling a greater number of the plurality of security features and a lower trust level corresponds to disabling a lesser number of the plurality of security features.

(Id. at claim 3 (emphasis added).) Claim 9 recites,

9. A network security device comprising:
at least one processor; and
a computer-readable medium storing instructions that, when executed by the at least one processor, cause the at least one processor to perform a method comprising:
receiving an application protocol request directed to an external network that is originated by a client device associated with an enterprise network protected by the network security device;
determining based on the application protocol request whether a network parameter of the external network is associated with a set of trusted networks; and
selectively disabling application of a subset of security features of a plurality of security features to be applied to network traffic exchanged between the client device and the external network while the client device is accessing the external network when a result of said determining is affirmative, wherein the subset of security features are selected based on a trust level associated with the external network.

(Id. at claim 9 (emphasis added).)

Forescout argues that a “trust level” must reflect more than a simple binary yes/no determination of whether a network is trusted primarily for two reasons.
First, Forescout argues that claims 1 and 9 recite two separate limitations relating to trust; the first—the “determining” limitation—is a simple yes/no determination, so the second limitation reciting “trust level” must reflect more than a binary choice. Fortinet responds that the “determining” step describes whether a “trust level” is assigned at all, rather than a yes/no determination. (Fortinet Reply at 20–21 (citing ’662 patent at 9:48-51 (“no match is found in the trusted network parameters database, the network security device assumes that no trust level is assigned to the external network”)).)

The Court agrees with Forescout. The “determining” limitation recites “determining . . . whether a network parameter of the external network is associated with a set of trusted networks.” (’662 patent at claims 1, 9.) Only “when a result of said determining is affirmative” (i.e., a “yes” determination) do the claimed method or device selectively disable “application of a subset of security features” that “are selected based on a trust level associated with the external network.” (Id.) Simply put, a trust level is relevant for selecting security features only after an external network is determined to be trusted. Thus, a trust level must encompass more than a trusted / not trusted determination.

Second, as Forescout observes, every reference to trust levels in the specification relates to multiple distinct trust levels. (Forescout Resp. at 20 (citing ’662 patent at 8:48-52 (“A trust level to be assigned to an external network is selected from multiple trust levels, such that, a higher trust level corresponds to disabling a greater number of security features and a lower trust level corresponds to disabling a lesser number of security features.”), 8:53-9:7 (example of having five trust levels corresponding to disabling different kinds and amounts of security features), 11:19-22 (An “administrator or user may be able to assign different trust levels to external networks based on their own discretion.”)).)

Fortinet responds that dependent claim 3 corresponds to the embodiment with multiple trust levels, so the independent claim 1 must have a broader scope and encompass both multiple trust levels and simple yes/no determinations. Otherwise, according to Fortinet, claims 1 and 3 would have identical scopes. Not so. Claim 1 simply requires selecting a subset of security “based on a trust level.” Claim 3 further explains how to do so—“a higher trust level corresponds to disabling a greater number of the plurality of security features and a lower trust level corresponds to disabling a lesser number of the plurality of security features.” (’662 patent at claim 3.) Construing a “trust level” to reflect more than a yes/no determination therefore does not render claims 1 and 3 to have coextensive scopes. The Court adopts Forescout’s construction.

J. U.S. Patent No. 9,894,034 (the “’034 patent”)

“initialization of a client security application” (claim 1)
  Fortinet’s Proposal: “startup of the client security application”
“initialization of the endpoint security application” (claim 15)
  Fortinet’s Proposal: “startup of the endpoint security application”
Forescout’s Proposal: Indefinite
Court’s Construction: Plain and ordinary meaning

Claim 1 recites,

1. A method comprising:
during initialization of a client security application running on a client device:
determining, by the client security application, a network connection state of the client device with respect to a private network;
selecting, by the client security application, a configuration for the client security application based on the determined network connection state; and
launching, by the client security application, one or more functions of the client security application that are designated by the selected configuration to be performed by the client security application, wherein the one or more functions include one or more of web content filtering, anti-virus scanning and network access logging.

(’034 patent at claim 1 (emphasis added).) Claim 15 recites,

15. A non-transitory computer-readable storage medium embodying a set of instructions, representing an endpoint security application, which when executed by one or more processors of a computer system, cause the one or more processors to perform a method comprising:
during initialization of the endpoint security application:
determining, by the endpoint security application, a network connection state of the computer system with respect to a private network;
selecting a configuration of the endpoint security application based on the determined network connection state; and
launching, by the endpoint security application, one or more functions of the endpoint security application that are designated by the selected configuration to be performed by the endpoint security application, wherein the one or more functions include one or more of web content filtering, antivirus scanning and network access logging.

(Id. at claim 15 (emphasis added).) The parties’ dispute centers on the word “initialization.”

Forescout’s expert opines that “initialization” has many different meanings to a POSITA. (5/21/21 Cole Decl. at ¶ 83.) From a user’s perspective, for example, initialization of a program like Microsoft Word could be when the user clicks the icon and a loading window opens, or when a blank document opens and the user can start typing. (Id.) Fortinet’s expert finds there to be “nothing unclear to a POSITA about the initialization process of an application.” (4/25/22 Shamos Decl. at ¶ 84.) Fortinet proposes to construe “initiation” as “startup.”

The specification describes “initialization” consistent with its ordinary meaning. Both experts agree that Figure 5 (reproduced below) explains a “startup procedure” (’034 patent at 8:57-58) for the client security application, including the three claimed steps in claim 1. (4/25/22 Shamos Decl. at ¶ 86; 5/21/21 Cole Decl. at ¶ 86.)
From starting the application in 501 to launching the application in 506, Figure 5 describes the preparation of the client security application to perform its tasks. Further, that meaning is supported by extrinsic evidence. Initialization generally refers to the “prepar[ation] of hardware or software to perform a task.” (Webster’s New World Computer Dictionary (10th ed. 2003).)

(’034 patent at Fig. 5.)

The temporal connotation of “initialization’s” ordinary meaning also comports with the prosecution history. During prosecution, the applicant emphasized that “initialization” is a “timing requirement.” (Ex. L at 3 (distinguishing prior art because it “overlooked limitations requiring the timing of the ‘determining,’ ‘selecting,’ and ‘launching’ limitations to be ‘during initialization of a client security application running on a client device.’”).) The ordinary meaning of “initialization” has a temporal connotation because it relates to preparation of the application. The Court thus accords the disputed term its plain and ordinary meaning.

Fortinet’s proposed construction simply swaps out “initialization” for “startup,” but as Forescout’s expert, Dr. Cole, opines, “[t]he term ‘startup’ is no more clear than ‘initialized.’” (5/21/21 Cole Decl. at ¶ 89.) The Court therefore declines to adopt Fortinet’s construction. It also declines to find the term indefinite because the claim language provides the steps of the preparation as consistent with the ordinary meaning of “initiation.”

K. U.S. Patent No. 9,503,421 (the “’421 patent”)

“security information and event management (SIEM) device,” “SIEM device,” “SIEM system” (claims 1, 8, 15-28)
Fortinet’s Proposal: “a device that collects logs of security events from security devices”
Forescout’s Proposal: “a device/system that identifies and manages security threats by collecting and analyzing logs of security events”
Court’s Construction: “a device/system that identifies and manages security threats by collecting and analyzing logs of security events”

The parties agree that “SIEM” is a well-known term of art, that intrinsic evidence does not expressly define this term, and that an SIEM device is a device that collects security event information. (Fortinet Reply at 23; Forescout Sur-reply at 14.) The parties disagree whether the construction of “SIEM” must include a requirement of purpose. (Fortinet Reply at 23.) After the Court ordered the parties to further meet and confer on this term, they submitted revised definitions shown above, but the fundamental dispute remains. (Docket No. 169.)

Evidence suggests that a POSITA would understand SIEM devices to identify security threats. (5/28/21 Cole Decl. at ¶ 93.) Newton’s Telecom Dictionary (28th ed. 2014) defines “SIEM” as “[t]he automated creation, updating, and analysis of event logs on an enterprise network, for the purpose of identifying problems and/or threats, and/or to fulfill a legal or regulatory requirement.” (Ex. P.) Similarly, Fortinet’s own website explains SIEM as follows:

Security information and event management (SIEM) solutions collect logs and analyze security events along with other data to speed threat detection and support security incident and event management, as well as compliance. Essentially, a SIEM technology system collects data from multiple sources, enabling faster response to threats. If an anomaly is detected, it might collect more information, trigger an alert, or quarantine an asset.

Ex. O (https://www.fortinet.com/resources/cyberglossary/what-is-siem). Fortinet argues that Forescout plucked the definition from Fortinet’s marketing material eight years after the priority date of the ’421 patent. But Fortinet neither argues that the definition on its website deviated from how a POSITA would understand the term, nor contends that SIEM’s definition has changed over time. The Court therefore agrees with Forescout’s identified function of SIEM devices.

Although identifying security threats is “the typical purpose of an SIEM device” (Fortinet Reply at 24), Fortinet contends that it would be “improper to give weight to it” because it “is nowhere to be found in either the specification or the claims.” (Id.) Fortinet instead relies on a statement in the “Description of Related Art” that “[an] SIEM device may be deployed to collect results of the tasks performed by the security devices.” (Id. (quoting ’421 patent at 1:30-32).) Since “SIEM” is well known to a POSITA, the specification need not describe its function. “The law is clear that patent documents need not include subject matter that is known in the field of the invention and is in the prior art, for patents are written for persons experienced in the field of the invention.” S3 Inc. v. NVIDIA Corp., 259 F.3d 1364, 1371 (Fed. Cir. 2001).

Fortinet objects to construing a term to include the purpose for a structure because it “has long been held to have no patentable weight.” (Fortinet Reply at 24; accord Docket No. 169 at 1.)
But the ’421 patent does not claim SIEM as an invention, so no “patentable weight” needs to be given. Fortinet’s authorities also do not concern claim construction. Catalina Mktg. Int’l v. Coolsavings.com, Inc. relates to a claim preamble’s limiting effects. 289 F.3d 801, 809 (Fed. Cir. 2002) (“[P]reambles describing the use of an invention generally do not limit the claims because the patentability of apparatus or composition claims depends on the claimed structure, not on the use or purpose of that structure.”). In re Schreiber held that prior art anticipates as long as it discloses the structure even if for a different purpose. 128 F.3d 1473, 1477 (Fed. Cir. 1997) (“It is well settled that the recitation of a new intended use for an old product does not make a claim to that old product patentable.”).

Because the parties agree that SIEM devices identify and manage security threats, the Court adopts Forescout’s construction.

V. CONCLUSION

The Court construes the disputed terms as explained above.

IT IS SO ORDERED.

Dated: November 28, 2022

______________________________________
EDWARD M. CHEN
United States District Judge
