Centripetal Networks, Inc. v. Cisco Systems, Inc.

Filing 621

OPINION AND ORDER. The Court FINDS the 856 Patent, the 176 Patent, the 193 Patent, and the 806 Patent claims valid and literally INFRINGED and the 205 Patent NOT INFRINGED. The Court FINDS the actual damages suffered by Centripetal as a result of inf ringement total $755,808,545; that the infringement was willful and egregious and shall be enhanced by a factor of 2.5x to equal $1,889,521,362.50. The Court awards pre-judgment interest of $13,717,925 applied to the actual damages bef ore enhancement plus its costs. This, accordingly, equals a total award of $1,903,239,287.50 payable in a lump sum due on the judgment date. The Court, additionally, imposes a running royalty of 10% on the apportioned sales of the accused p roducts and their successors for a period of three years, followed by a second three-year term with a running royalty of 5% on said sales upon the terms described supra. It DENIES any further relief to Centripetal at the termination of the second three-year term. Signed by District Judge Henry C. Morgan, Jr., on 10/5/20. (bpet, )

Download PDF
Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 1 of 178 PageID# 23887 IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF VIRGINIA Norfolk Division CENTRIPETAL NETWORKS, INC., Plaintiff, v. CISCO SYSTEMS, INC., Defendant. ) ) ) ) ) ) ) ) ) Civil Action No. 2:18cv94 OPINION AND ORDER After hearing the evidence presented by the parties during the trial on this matter, and considering the entire trial record before this Court, the Court enters the following findings of fact and conclusions of law pursuant to Federal Rule of Civil Procedure 52(a). Any item marked as a finding of fact which may also be interpreted as a conclusion of law is hereby adopted as such. Any item marked as a conclusion of law which may also be interpreted as a finding of fact is hereby adopted as such. I. PROCEDURAL POSTURE 1 1. This patent trial concerns five United States patents involving complex issues in cybersecurity technology heard by the Court without a jury. 2. The case began when Centripetal Networks, Inc. (“Centripetal”) filed a Complaint against Cisco Systems, Inc. (“Cisco”) for infringement of a number of Centripetal’s U.S. Patents on February 13, 2018. Doc. 1. 1 All matters discussed in this Procedural Posture are procedural background and findings of fact. Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 2 of 178 PageID# 23888 3. On March 29, 2018, Centripetal filed an Amended Complaint, asserting infringement of U.S. Patent Nos. 9,566,077 (“the ‘077 Patent”), 9,413,722 (“the ‘722 Patent”), 9,160,713 (“the ‘713 Patent”), 9,124,552 (“the ‘552 Patent”), 9,565,213 (“the ‘213 Patent”), 9,674,148 (“the ‘148 Patent”), 9,686,193 (“the ‘193 Patent”), 9,203,806 (“the ‘806 Patent”), 9,137,205 (“the ‘205 Patent”), 9,917,856 (“the ‘856 Patent”), and 9,500,176 (“the ‘176 Patent”). Doc. 29. 4. Cisco has filed numerous petitions for inter partes review (“IPR”), between July 12, 2018 and September 18, 2018, before the Patent Trial and Appeals Board (“PTAB”) against nine (9) of the eleven (11) Centripetal patents originally asserted against Cisco and filed a Motion to Stay Pending Resolution of IPR Proceedings. The Court granted the stay request on February 25, 2019. Doc. 58. 5. Upon the motion of Centripetal, on September 18, 2019, the Court issued an order, lifting the stay in part with respect to patents and claims not currently subject to IPR proceedings and set the case for trial in April 2020. Doc. 68. The parties later waived a jury trial following the jury trial limitations resulting from the COVID-19 pandemic. 6. At trial, Centripetal asserted that Cisco infringes Claims 63 and 77 of the ‘205 Patent, Claims 9 and 17 of the ‘806 Patent, Claims 11 and 21 of the ‘176 Patent, Claims 18 and 19 of the ‘193 Patent and Claims 24 and 25 of the ‘856 Patent (the ‘Asserted Claims’). Doc. 411 (“Amended Final Pre-Trial Order”). 7. Of the claims not at issue for trial, the PTAB granted institution of IPR of all of the claims of the ‘552 Patent, the ‘713 Patent, the ‘213 Patent, the ‘148 Patent, the ‘077 Patent, and the ‘722 Patent and granted institution of IPR of claims of the ‘205 Patent that are not the subject of this bench trial. Doc. 411. 2 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 3 of 178 PageID# 23889 8. The PTAB has, thus far, invalidated all of the claims of the ‘552 Patent, the ‘713 Patent, the ‘213 Patent, the ‘148 Patent, and the ‘077 Patent and invalidated the unasserted claims of the ‘205 Patent. Centripetal has appealed or may be appealing the PTAB decisions regarding the ‘552 Patent, the ‘713 Patent, the ‘213 Patent, the ‘148 Patent, the ‘077 Patent, and unasserted claims of the ‘205 Patent. Doc. 411. II. WITNESSES AT TRIAL 9. During the twenty-two-day bench trial, and at a later hearing on damages evidence, both parties were given the opportunity to present their evidence live through a video platform approved by the Eastern District of Virginia after Court’s staff was instructed in its operation. Cisco objected to proceeding through a video platform, and also objected to using the platform utilized in favor of its own platform. In its order of April 23, 2020, the Court overruled Cisco’s objections for the reasons stated therein. In light of the use of the video platform, the parties implemented specific trial protocols that are detailed in Appendix B. See Appendix B; Doc. 411 (Amended Pre-Trial Order). At the conclusion of the 22nd day of trial, the parties joined in congratulating the Court’s staff for their handling of the trial evidence by means of the video platform. 10. Due to the complex nature of the technology at issue in the case, the Court requested that each party present a technology tutorial on the first day of trial. The Court has compiled a list of the abbreviations used in the testimony and documents throughout the trial and attached it as Appendix A. For Centripetal, Dr. Nenad Medvidovic presented the technology tutorial and Dr. Kevin Almeroth presented the technology tutorial for Cisco. 11. Centripetal, in its case in chief, called a variety of live fact and expert witnesses including: 3 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 4 of 178 PageID# 23890 • Mr. Steven Rogers – Founder and CEO of Centripetal. Tr. 228:8; • Dr. Sean Moore – Chief Technology Officer and Senior Vice President of Research at Centripetal. Tr. 301:24-25. Dr. Moore is an inventor on all of the asserted patents in this case. Tr. 314:25, 315:1-2; • Dr. Michael Mitzenmacher – an independent expert witness in cybersecurity who presented opinion testimony that the accused products infringe the ‘193 Patent, the ‘806 Patent and the ‘205 Patent. Tr. 431:16-23; • Dr. Eric Cole – an independent expert witness in cybersecurity who presented opinion testimony that the accused products infringe the ‘856 Patent and the ‘176 Patent. Tr. 886:9-11, 975:19-21; • Dr. Nenad Medvidovic – an independent expert witness in cybersecurity who opined about the importance of the patent technology in relation to the accused products. Tr. 1144:22-25, 1145:1-2; • Mr. Jonathan Rogers – Chief Operating Officer at Centripetal. Tr. 1194:11; • Mr. Christopher Gibbs - Senior Vice President of Sales at Centripetal. Tr. 1297:1-2; • Dr. Aaron Striegel – an independent expert witness in computer networking who opined regarding apportionment and the top-level infringing functions of the accused products. Tr. 1337:19-23; • Mr. Lance Gunderson – an independent expert witness in patent damages who opined regarding damages and a reasonable royalty. Tr. 1441:2-14; • Mr. James Malackowski – an independent expert witness in business, intellectual property valuation and patent licensing who opined regarding 4 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 5 of 178 PageID# 23891 the impact of the asserted infringement on Centripetal and damages going forward. Tr. 1573:14-19. 12. Centripetal, additionally, presented testimony from Cisco employees by video deposition including: • • Mr. Rajagopal Venkatraman; • Dr. David McGrew; • Mr. Sunil Amin; • 13. Mr. Saravanan Radhakrishnan; Mr. Sandeep Agrawal. Cisco, in its case in chief, called a variety of live fact and expert witnesses including: • Mr. Michael Scheck – Senior Director of Incident Command at Cisco. Tr. 165:23-24; • Dr. David McGrew – Cisco Fellow who was responsible for leading a research and development project at Cisco that became the Encrypted Traffic Analytics solution. Tr. 1759:10-12; • Dr. Douglas Schmidt – an independent expert witness in networking and network security who opined regarding non-infringement, invalidity, and damages of the ‘856 Patent. Tr. 1813:4; • Mr. Daniel Llewallyn – Software Engineer for Cisco who previously worked at Lancope. Tr. 2141:19; 5 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 6 of 178 PageID# 23892 • Dr. Kevin Almeroth – an independent expert witness in computer networks and network security who opined regarding non-infringement, invalidity and damages of the ‘176 Patent. Tr. 2212:12-18; • Dr. Mark Crovella – an independent expert witness in networking and network security who opined regarding non-infringement, invalidity and damages of the ‘193 Patent. Tr. 2349:18-24; • Mr. Hari Shankar – Principal Engineer and Software Architect at Cisco who is responsible for the design of certain features of the accused products. Tr. 2500:3-5; • Mr. Peter Jones – Distinguished Engineer in the Enterprise Network Hardware Group at Cisco. Tr. 2543:12-17; • Dr. Narasimha Reddy – an independent expert witness in computer networking and computer security who opined regarding non-infringement, invalidity and damages of the ‘806 Patent. Tr. 2580:6-10; • Mr. Matt Watchinski – a Cisco employee responsible for Cisco’s Talos organization, which is Cisco’s threat intelligence organization. Mr. Watchinski previously worked for Sourcefire. Tr. 2682:11-13; • Dr. Kevin Jeffay – an independent expert witness in computer networks and network security who opined regarding non-infringement and damages of the ‘205 Patent. Tr. 2727:11-19; • Mr. Timothy Keanini – Distinguished Engineer at Cisco involved with the Stealthwatch product line. Tr. 2810:4-6; 6 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 7 of 178 PageID# 23893 • Mr. Karthik Subramanian – Partner at a venture capital firm called Evolution Equity Partners. Mr. Subramanian previously led Cisco’s Corporate Development Team for Cybersecurity for about four to four and a half years. Tr. 2827:23, 2828:17-18; • Dr. Stephen Becker – an independent expert witness in economic damages analysis who opined regarding damages if the Court finds the Asserted Patents are infringed and valid. Tr. 2863:3-18. 14. Cisco, additionally, presented testimony from current and former Centripetal employees by video deposition including: • • Mr. Haig Colter; • Dr. Sean Moore; • Mr. Jess Parnell; • Mr. Justin Rogers; • Mr. Christopher Gibbs; • 15. Mr. Douglas DiSabello; Mr. Gregory Akers. Centripetal, in its rebuttal validity case, called live expert witnesses: • Dr. Alexander Orso – an independent expert witness in computer networking and security who opined regarding the validity of the ‘193 Patent and the ‘806 Patent. Tr. 2989:22-25; • Dr. Trent Jaeger – an independent expert witness in computer and network security who opined regarding the validity of the ‘856 Patent and the ‘176 Patent. Tr. 3102:18-23; 7 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 8 of 178 PageID# 23894 • Dr. Aaron Striegel – an independent expert witness in computer networking who opined regarding secondary considerations of non-obviousness for the Asserted Patents. Tr. 3196:16-18. 16. Having had the opportunity to observe the demeanor and hear the live testimony of witnesses by video / audio and by deposition at trial, the Court has made certain credibility determinations, as well as determinations relating to the appropriate weight to accord the testimony. Such determinations are set forth herein where relevant. III. TECHNOLOGY TUTORIAL A. NETWORKING AND CYBERSECURITY TUTORIAL The asserted patents in this case deal with systems that engage in complex computer networking security functions. Accordingly, the Court heard detailed technological testimony regarding the structure and function of computer networks in general, as well as the specific processes employed to secure these networks. The Court begins its factual findings by reciting a review of the presented technology tutorial. i. Overview of Networking The three principal devices that comprise computer networks are switches, routers and firewalls. Tr. 20:5-10. Beginning with switches, Centripetal’s expert Dr. Medvidovic used analogies to explain these complex network devices. He compared the operation of a switch to that of a telephone switchboard operator. Tr. 20:13-22. Therefore, similar to an operator connecting people, switches in a network operate to automatically connect different devices together such as a computer with another computer or a computer to a printer. Tr. 20:24-21:2; see Fig. 1. 8 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 9 of 178 PageID# 23895 FIG. 1 Comparatively, routers function similarly to a 911 dispatcher who sends and controls the distribution of emergency vehicles to the intended location. Tr. 22:9-19. Routers decide the most optimal way to automatically send computing data to a desired location. Tr. 22:24-23:2. They are constantly evaluating current computer traffic and sending data along the most efficient path to its intended destination. Tr. 23:8-14. The combination of routers and switches are the fundamental building blocks of computer networks. Tr. 23:17-23. Together, switches connect local devices into small networks and routers operate to transmit data between these smaller networks – thus forming larger networks. Tr. 26:1-4; see Fig. 2. FIG. 2 The next and final relevant device in computer networks is the firewall. Firewalls, in the context of computer networking, are similar to that of a firewall in an office building or hotel. Tr. 9 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 10 of 178 PageID# 23896 24:13-19. They operate to automatically put a “wall” between valuable assets and any potential danger. Tr. 24:13-19. Therefore, data entering a network is often transmitted in through a firewall and the firewall can perform a variety of functions, such as disallowing the data to enter the network by blocking it. Tr. 25:1-4; see Fig. 3. FIG. 3 Dr. Medvidovic used video access to ESPN.com from a web server as an example of the operation of a firewall. He explained that: any data you try to see or retrieve from the ESPN servers would be on that web server. And that data would travel to you, but before it gets to your computer, it would first go through this firewall, and the firewall may decide to permit that data to go through because it does not violate any policies or rules that you may have for the firewall. . . . So for example, it [the firewall] could be in a company where the company policy is you can’t watch sports during work hours. So in that case, that data from ESPN would be dropped at the firewall and never arrive to you. Tr. 25:8-20. Accordingly, firewalls often sit at the edge of individual networks to control the entry of data from the internet. Tr. 26:1-12. As technology develops, firewall type functionality is often now included inside of other devices such as routers and switches. These devices may be located at different locations within a network – not just at the outside barrier. Tr. 82:8-18. This inclusion of firewall functionality in other devices is in contrast with older network technology where firewalls were responsible for the security of the network, by blocking malicious packets from 10 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 11 of 178 PageID# 23897 entering it, while the routers and switches focused on speed and performance in the transmitting data. Tr. 26:16-22. The combination of thousands of these networking devices into larger and larger networks is responsible for the creation of nationwide networks and the global internet. Tr. 23:24-25, 24:13. Therefore, the global internet as we know it is a network of networks. Tr. 74:1-12. Internet providers, such as Earthlink, Verizon, AT&T, and Cox are in the business of creating large scale networks to connect users to other business networks in order to access data. Tr. 74:1-12, 76:1019. Companies like Netflix, Facebook, Zoom, Google and Amazon operate their own independent networks that connect to the larger internet to send data across the internet to end-users. Tr. 75:2376:9; see Fig. 4. FIG. 4 The international nature of the internet requires that the sending of data between all of these providers be based on uniformly developed standards that are globally applicable. Tr. 77:5-17. One such organization, the Internet Engineering Task Force (“IETF”) is responsible for developing universal internet related standards. Tr. 77:5-17. There are many different standards that are developed to facilitate the transmission of data over the internet. Tr. 77:5-17. These standards are often in the form of protocols. Protocols are the rules of engagement for two computers that specify 11 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 12 of 178 PageID# 23898 how the two computers can work together to communicate back and forth. Tr. 954:5-17. For example, the Hypertext Transfer Protocol (“HTTP”) is used in web pages to transfer data over the internet from computer to computer, the Internet Protocol (“IP”) is a building block in allowing data to use interconnected networks, and the Transmission Control Protocol (“TCP”) is used to deliver information across the internet. Tr. 77:23-78:2, 89:18-21. These protocols are the methods by which data transfer is possible over nationwide and global networks. Tr. 88:19-21. This is a general “high level” overview of these networking concepts. Internet professionals and “experts” use the term “high level” to categorize these basic concepts involved in the transmission of data electronically, as well as the imposition of security upon such transmissions. Moving into the specifics, the transmission of computing data through these devices is done in the form of a network packet or packets. Tr. 26:23-25. The packet is similar to that of a package sent through the United States Postal Service. Tr. 26:24-27:3, 89:2-3. For example, when a user on their computer attempts to watch a video from ESPN.com, that video is a very large amount of information and cannot efficiently be sent in one package. It is, therefore, broken up into a number of smaller units known as packets. Tr. 27:3-14. The packet will flow from the internet and through multiple devices on the network and transmit the requested information to the end user. Tr. 88:114. At any time, there are trillions of packets being exchanged through global networks. Tr. 88:1619. 12 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 13 of 178 PageID# 23899 Packets consist of two different parts: the header and the payload; see Fig. 5. FIG. 5 The header contains information such as the source address, source port, destination address, destination port number, and the protocol being used to transmit the packets. Tr. 107:16-23. These five pieces of information are known as the “5-tuple.” Tr. 108:4. The information contained in the header is inspected by the router or switch to determine where and how to send that individual packet. Tr. 108:7-16. This information can be thought of as a mailing label on a package which contains an individual’s name and mailing address as well as a return address. Tr. 27:24-25. The payload is the portion of the packet that contains the actual content of the data. This information is similar to the content within a postal package, such as a new football or baseball glove. In the ESPN video hypothetical, this would be the actual portion of the video sent by each individual packet. Tr. 28:4-10. This data in the payload part of the packet can be encrypted, meaning the information in the payload can be transmitted in code. Tr. 28:18-25. For example, the hypothetical video from ESPN.com would not usually be encrypted, but often data sent in a packet’s payload containing sensitive information, such as banking or credit card data, will be encrypted. Encryption becomes vital so that this sensitive data is not stolen by bad actors hacking the network. Tr. 28:1825. Encryption works to lock up the data in the payload section of the packet so it cannot be seen 13 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 14 of 178 PageID# 23900 without decryption. Tr. 29:1-5. Consequently, just as with a sealed package, snoopers of network traffic would be unable to see what is in the packet unless it could be unlocked and opened, which is generally known as decrypting the data. But, even when a packet is encrypted, the header information, such as the source and destination, is not encrypted and is visible. Tr. 29:10-16; see Fig. 6. FIG. 6 As previously noted, the hypothetical ESPN video is set in a collection of packets that comprise the video. The collection of all the packets together that make up the transmitted video is known as a packet flow. Tr. 106:15-16. Thus, the header of each packet in this particular flow would contain identifying information that distinguishes this collection of packets from other flows. Tr. 107:16-13. This allows for routers to keep the packets in order and properly distribute the packets to the correct destination. ii. Overview of Networking Security As explained supra, the internet is a very large and complex organization of networks that utilize protocols to relay data from one network device to another resulting in the transmission of data to an end user. Tr. 112:1-6. As a result of the internet’s complexity, there are many methods employed by cyber criminals to transmit malware and gain access to encrypted, secure and confidential information. Tr. 112:7-14. Cyber criminals can use malware or other methods to infect 14 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 15 of 178 PageID# 23901 a network and steal data using a process known as exfiltration. Tr. 343:19-15. Exfiltration is the process by which cyber criminals “exfiltrate” data out of a network by stealing valuable confidential data. Tr. 343:19-15. 2 Therefore, to prevent malware and data exfiltration, cyber defense systems often use a concept known as defense-in-depth, the deployment of a variety of network security devices at different layers of the network, to protect sensitive network data. Cisco’s expert, Dr. Almeroth, compared network defense-in-depth to that of the security used by a federal courthouse, which contains a series of secured entry points to the building, a courtroom or a judge’s chambers. Tr. 112:18-22. Consequently, just like any type of modern security system, there must be different layers of security in a network to be effective in preventing evolving methods of cyberattacks. Tr. 113:3-10, 51:17-21. Therefore, to maximize effectiveness, security measures are often placed at different devices/locations in a network, such as within a firewall, a security gateway, in routers and switches, and also within the end user’s computer. Tr. 113:11-18. Dr. Almeroth outlined that there are multiple approaches used by cybersecurity professionals to effectively develop defense-in-depth security systems. Tr. 117:22-24. Two of the relevant approaches, for purposes of this trial, are known as detect and block through “inline” analysis and “out-of-band” also known as allow and detect. Tr. 118:2-7. These approaches can be used unilaterally or combined to create different styles of network security based on the needs of network administrators. Older security technology focused on a firewall at the border of the network to detect and block malicious packets from entering a network. Tr. 118:8-119:25. The process begins when a packet is sent from the internet to another smaller network. A firewall device, usually located at the entry of the network, operates by inspecting information in the packet to determine if that 2 Typically, this sensitive data often consists of usernames and passwords to your bank accounts, Social Security Numbers, credit card numbers, or confidential financial data of a business. Tr. 444:4-8. 15 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 16 of 178 PageID# 23902 packet is malicious. Tr. 119:18-25. This process is completed by matching information from the header or payload of the packet to rules that are pre-enabled in the firewall type device. Tr. 119:1825. These rules are comprised of previously known information about sources of malicious or otherwise unauthorized traffic. Tr. 122:11. Thus, if information from a packet header is matched to a rule, then the packet is unauthorized to enter the network and is blocked / dropped. 3 Tr. 120:612. A blocked packet is virtually thrown away or could be re-routed to another location for additional inspection. Tr. 120:15-18. If there is no rule that matches the packet, the packet is allowed to proceed into the network and to its final destination. Tr. 120:2-5. Rules are the mechanism that determines which packets are allowed in and out of the network. The collection of rules that are being applied by network devices can also be referred to as Access Control Lists (“ACLs”). Tr. 537:18-21, 2550 1-4. Threats are continually evolving, and as a result, rules can be automatically updated or swapped in switches, routers and firewalls by other management devices in the network that intake “threat intelligence” information. Tr. 126:511. Threat intelligence information is an everchanging collection of information from known viruses and malware that is compiled by third-party providers. Tr. 126:5-11. Devices that manage switches, routers and firewalls often operate by digesting threat intelligence, converting that intelligence into rules, and sending those rules out to intra-network devices such as firewalls, routers and switches that match rules to packets. Tr. 126:5-11. The ability to apply measures in real-time to new or different rules after the packet has cleared the gatekeeping firewall is called proactive security, which is a newer and more effective technology. This process of proactively blocking packets as they travel through the network comes with distinct challenges. The efficacy of this method rests on the ability of network devices to 3 Dropping and blocking can be used interchangeably as they have the same definition in the context of cybersecurity. Tr. 466:23-467:4 16 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 17 of 178 PageID# 23903 continually apply new or different rules to packets. Therefore, as the volume of packets and rules increase, so must the number of devices or the processing speed of current devices to remain effective. Tr. 124:6-19. Without increased speed or adding hardware, there will be extensive delay/latency because the system will be overwhelmed trying to match new or different rules to an overwhelming number of packets. Consequently, this delay can affect user performance on the network (i.e., increase web page loading times). Tr. 126:20-24. Another issue is that a network might have different entry points or destination points for data. Tr. 127:5-8. Therefore, firewall capable devices must be placed at all possible entry and destination points or risk that data could reach an improper destination without the application of updated rules. Tr. 127:5-8. The older allow and detect model operates retroactively by monitoring the entry of packets into the network based upon prior threats to the network. Tr. 129:2-11. The flows are monitored by sensors in network devices and sent to another management device for review. Tr. 132:13-19. When malicious traffic is found, the devices can operate retrospectively, and update rules based upon information found in the forensic investigation. Tr. 133:2. Instead of blocking traffic at the gate, this method allows traffic to go through to its destination and then performs post facto analysis on the flow of the information in the packet headers to determine if there was malicious activity afoot. Tr. 133:24-134:2. The challenges of this model include the lack of the ability to be proactive. It is different than an inline intrusion prevention system because malicious packets are still allowed into the network and then passed on to the destination without blocking. Tr. 141:1114. Both approaches may be combined in different ways to create a defense-in-depth strategy. Tr. 144:5-11. Network administrators can use different combinations of these devices and methods to achieve optimal security personalized for their network. Tr. 144:5-11. 17 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 18 of 178 PageID# 23904 B. OVERVIEW OF THE ACCUSED PRODUCTS In this case, Centripetal accuses various Cisco network devices of using its new solutions and infringing the Asserted Patents. The Court will provide a brief summary of these products. i. Cisco’s Switches The switches at issue in the case are the Catalyst 9000 series (“Catalyst Switches”) including the Catalyst 9300, 9400 and 9500. Tr. 53:20-23. This newer line of switches contains functionality utilized by Cisco to integrate proactive security capabilities within the network. Tr. 54:1-3. ii. Cisco’s Routers There are three different types of routers at issue. These routers are the 1000 series Aggregation Services Router (“ASR”) and the 1000 / 4000 series Integrated Services Router (“ISR”). Tr. 54:22-25, 55:1-2. Their purpose in the network is to provide performance, reliability, and integrate proactive security functionality within networks. Tr. 55:7-10. Like the switches, the routers contain functionality utilized by Cisco to integrate proactive security capabilities within the network. iii. Cisco’s Digital Network Architecture Cisco’s Digital Network Architecture (“DNA”) operates as a network management device. Tr. 55:17-21. It operates to configure and troubleshoot problems in the network. Tr. 55:17-21. Therefore, the primary function is to interact and operate routers and switches. Tr. 55:17-21, 147:19-21. DNA may continually provision the routers and switches so they are capable of being used effectively in the operation of the network. Tr. 56:1-7. The DNA device uses advanced artificial intelligence and machine learning to observe past traffic on the network and has the 18 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 19 of 178 PageID# 23905 capability to change configuration in the network in real time. Tr. 57:20-25. Accordingly, DNA takes that intelligence, operationalizes it, and turns it into rules and policies that Cisco’s switches and routers use for security purposes. Tr. 451:3-24. iv. Cisco’s Stealthwatch The new and improved Stealthwatch device currently provides the ability to collect various security analytics and use it to predict network threats. Tr. 59:1-7. Stealthwatch is, now, enabled to work with other Cisco technologies, such as Cognitive Threat Analytics (“CTA”) and Encrypted Traffic Analytics (“ETA”). Tr. 59:10-15. v. Cognitive Threat Analytics Cognitive Threat Analytics (“CTA”) has various features for monitoring the network. For example, CTA monitors for security breaches within the network by using machine learning. Tr. 60:17-23. CTA is embedded in the Stealthwatch device. Tr. 60:21-23 vi. Identity Services Engine The Identity Services Engine (“ISE”) is a device that ensures user control over the network from any location. Tr. 61:10-16. It provides network-based security regardless of location of the user. Tr. 61:10-16. It is also responsible for tracking the identity of users and user computers on a network and for setting the limits of user and user computer access to other devices in the network. Tr. 149:20-23. vii. Encrypted Traffic Analytics Encrypted Traffic Analytics (“ETA”) is an element of the new Stealthwatch technology and also is embedded in Cisco’s switches and routers. Tr. 61:17-24. ETA deals with the ability to track and analyze encrypted traffic in the network without decrypting said traffic. Tr. 61:19-21. 19 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 20 of 178 PageID# 23906 ETA completes this objective by looking at non-encrypted information in the packet (i.e., header information, 5-tuple) in order to track and analyze particular packet flows. Tr. 62:1-5. viii. Cisco’s Firewalls There are five different firewall products at issue. Tr. 63:10-17. First, there is the Adaptive Security Appliance (“ASA”) with Firepower. Tr. 63:10-17. Then, there are the four series of firewalls: the 1000; 2100; 4100; and the 9300. Tr. 63:10-17. These devices are newly equipped to operate proactively with packet filtering functionality. Tr. 151:23-25. ix. Firepower Management Center The Firepower Management Center (“FMC”) operates the firewalls and does typical firewall functions like managing the network at that particular point in the network, protecting against malware, and checking and proactively blocking attempts at malicious intrusions into the network. Tr. 64:7-10. The FMC, in particular, can configure and operate all the firewall devices in the network. Tr. 153:6-8. x. Complete Picture of a Cisco Network To put all the devices and components together, Figure 7 depicts a Cisco network that utilizes all of the Accused Products: 20 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 21 of 178 PageID# 23907 FIG. 7 (FROM CENTRIPETAL’S TECHNOLOGY TUTORIAL SLIDES) C. THE PARTIES Centripetal is a corporation duly organized in 2009 and existing under the laws of the State of Delaware, with its principal place of business in Herndon, Virginia. Doc. 411 at 1; Tr. 233:22. Centripetal formed as a start-up cybersecurity company focused on using threat intelligence software and firewall hardware to protect cyber networks. Tr. 235:23-25. Centripetal operated to solve the conventional cybersecurity problems in an ever changing and developing industry using both inline and out-of-band methods. Tr. 239:6-15; see PTX-1591; DTX 1270. Cisco is a California corporation with its principal place of business in San Jose, California. Doc. 411. Cisco was founded in 1984 as a hardware networking company. Cisco has dealt in network devices throughout its operation, selling hardware including routers, switches, firewalls and other technologies. Cisco represents itself as the largest provider of network infrastructure and services in the world. PTX-570 at 991. More recently, Cisco has started conducting market 21 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 22 of 178 PageID# 23908 research and has acquired technology start-up companies specialized in software advancements to incorporate security functionality into its hardware. IV. OVERVIEW OF THE EVIDENCE As the technology at issue involves important cybersecurity technology, the Court endeavored to accommodate Centripetal’s motion for an early trial date. The many requests for inter partes review, by necessity, delayed the trial. The Court, therefore, scheduled a trial on those asserted patent claims for which such review had not been requested, as well as those which had survived this review process. Both parties’ technologies are not only at the forefront in protecting intellectual property and confidential personal information, but also operate in the national defense context. With the rapidly developing technology in the field, the Court found it would not be in the public interest to delay the trial until the unknown time when courtrooms would open for traditional civil trials. Accordingly, the Court first scheduled the trial in April of 2020, then due to the restrictions imposed by the COVID-19 pandemic, finally scheduled it for May 8, 2020, to be heard on a court approved video platform. See Doc. 74; 328. Following the tutorial, the initial phase of the trial dealt with Centripetal’s allegations of infringement of ten patent claims, two of which were contained in each of five different patents. However, the two claims at issue in each patent were identical, save for their being designed for different forms of hardware or media utilization. Therefore, the Court dealt with the issues of infringement, validity and damages as to five sets of claim elements. In the presentation of its infringement case, Centripetal called its top-level employees in person, Cisco employees by video deposition, and two expert witnesses. Centripetal presented numerous Cisco technical documents and other Cisco publications which postdated the alleged initial infringement date of June 20, 2017. Cisco’s own documents from this time frame, and the 22 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 23 of 178 PageID# 23909 evidence in general, strongly supported Centripetal’s infringement case as to four of the five asserted patents. Therefore, the Court FINDS that the ‘856 Patent, the ‘176 Patent, the ‘193 Patent, and the ‘806 Patent are valid and directly infringed. Cisco abandoned its claim that the ‘205 Patent was invalid, but argues that it was not infringed and the Court agrees and so FINDS. With regard to the infringement and validity claims, Cisco presented different independent experts witness as to each of the four. All four testified that based upon the infringement theories of Centripetal’s experts, there was no infringement, but if the Court found infringement, that the asserted patents were invalid. Each of them also testified that the prosecution history of the patents precluded the application of the doctrine of equivalents. They also testified that if the patents were found infringing and valid, each of the four had minimal value. The alleged date of the first infringement was June 20, 2017, but virtually all of Cisco’s exhibits, technical documents and demonstratives presented in its infringement and invalidity defense focused on its old technology, not on the current accused products. Their demonstratives of the functionality of Cisco’s accused products were not based upon their own current technical documents, but rather upon inaccurate animations produced post facto for use in the litigation which served to confuse the issues, rather than inform the Court. By contrast, Centripetal utilized Cisco’s own technical documents as exhibits and demonstratives to illustrate the functionality of Cisco’s post June 20, 2017 technology and how it infringed the asserted claims. Moreover, Cisco’s experts also testified that Cisco’s products did not infringe any of the claims of any of the patents at issue, while focusing on distinct elements of the claims. The testimony of these experts on infringement and validity all focused on old Cisco technology, as did most of the testimony of Cisco’s employee witnesses. Cisco’s lockstep strategy of denying any infringement of any of the elements of the four claims where infringement is found, and 23 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 24 of 178 PageID# 23910 backstopping this position by contending that if the Court found infringement the patents were ipso facto invalid, led to a number of factual conflicts in its presentation of its evidence. Cisco’s retained expert witnesses often contradicted Cisco’s own documents as well as Cisco’s own engineers. This common thread weaved a very tangled web, as is illustrated by Dr. Reddy, Cisco’s expert on the ‘806 Patent. Dr. Reddy, in referring to slide 29 of his presentation, opined: SLIDE 29 OF DR. REDDY’S PRESENTATION Q. And, Dr. Reddy, I would like to turn to an exhibit that the Court just saw with Mr. Jones. And I think Mr. Jones provided a pretty good explanation of this exhibit, but if you could just focus on what we’ve highlighted in red and explain to the Court why that will be relevant to your opinions. A. Okay. So the highlighted box at the bottom that says, “network interfaces,” that’s the box to which packets come into the switch, router, or the firewall. And in this example we’re only talking about the switch here. And the packet, as it comes through the network interface, goes through the ingress FIFO, FIFO center, first-in-first-out, and from there the packet is moved into the packet buffers complex, on the top, and the header of the packet is given to the ingress forwarding controller, and the ingress forwarding controller consults the lookup tables, compares the packet header information, and makes decision about this 24 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 25 of 178 PageID# 23911 packet; whether to allow this packet to go forward or to drop the packet or to take any other action at the level of the lookup table. Q. And just to be clear, what is the lookup table? A. This is the product that has the information related to the ACLs, Access Control Lists. Q. Now, Dr. Reddy, have you prepared an animation that shows how the Cisco systems that are being accused process packets that is basically using the diagram we just discussed? A. Yes, I have. Q. Okay. So let’s turn to that, and if you could explain to the Court what this diagram is showing. A. Okay. THE COURT: Can you explain it on the prior slide? THE WITNESS: Yes, Your Honor. MR. JAMESON: This one here, Your Honor? THE COURT: Yes. This is the one that Mr. Jones explained it on, so why not use the same one. MR. JAMESON: He is using the same one. This is an animation, Your Honor, that he has created to try to provide an easier explanation as to what’s happening in the accused products, using the component parts that are shown here. THE COURT: All right. Go on. BY MR. JAMESON: Q. Explain what you’re showing here, Dr. Reddy. THE COURT: Well, that’s a whole different setup. That doesn’t help me any. MR. JAMESON: Okay. BY MR. JAMESON: Q. Dr. Reddy, if you can walk through the steps of the ordinary course of processing packets, even when a rule swap is not being implemented in the accused products, using diagram 29. 25 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 26 of 178 PageID# 23912 A. Okay, will do. So what is -- the box that is highlighted here, the packet enters the switch through the network interface – that’s the yellow/orange box at the bottom -- and the packet is moved from there to ingress FIFO, first-in-first-out, and the packet from there is copied into the packet buffers complex, which is at the top, which is in green. The header of the packet is copied to the ingress forwarding controller to make decision on what to do with this packet. Now, the ingress forwarding controller looks up the ACL rules, the Access Control List rules in the lookup table, and makes decision about this packet, whether packet should be allowed, denied, or whatever other action we need to take. And what I’m going to show, in order to simplify this process, in the next slide as I show the animation, I’m going to start with ingress FIFO and show the packet buffers complex, show the ingress forwarding controller and the lookup table, so those four boxes as we move forward, of the packets. Q. Dr. Reddy, using slide 29, does every packet that comes into the Cisco accused products go through this process? A. The process that I just described is exactly the same for every packet that comes through the switch. Q. So with respect to the packet buffer, does every packet go into the packet buffer as part of processing? A. That’s correct. Every packet is copied there, and the header is inspected by the ingress forwarding controller to make a decision about that packet. Q. And does the packet go into that packet buffer whether a rule swap is taking place or not? A. That’s correct. So every packet -- for every step of the way, every packet that comes in through the switch, no matter what’s going on, is moved into the packet buffer. Q. Okay. Now, using slide 29, what happens when a new rule set has been downloaded and Cisco wants to swap rule sets? A. While the new rule set is being configured, the switch continues processing with the old rule set. So while the new rule set is being configured, the process -- the Cisco switches will continue using the old rule set and continue processing, contrary to what ‘806 teaches, and this is exactly what’s in the background of the ‘806 patent. It’s a continuous processing of the old rule set. Q. And while the accused system is continuing to process packets with the old rule set, are packets moved into a cache? A. No, there is no notion of a cache here. Every packet is taking the same sort of steps. Whether the rule set is being swapped or during the normal course of action, the packets 26 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 27 of 178 PageID# 23913 come though the network interface, into the ingress FIFO. From there, the packets are moved to the packet buffers complex, and there’s no notion of a cache here. Q. Okay. And what happens when the new rule set, rule set 2, has been configured and it’s ready for use? A. At that point, we continue processing the packets as in the normal course of action, and the only difference is that when the packet is now being processed against the rule set, the pointer that was pointing to the old rule set now points to the new rule set, and the packet will be processed for the ingress forwarding controller during the normal course, and now, instead of using the old rule set, it starts using the new rule set. Tr. 2615:2-2619:13. Slide 29 is a representation of a Cisco technical document described by Dr. Jones, DTX-562. The animated slide 29 includes ex post facto red highlighting that limits the operation of transmitting packets to only the ingress and completely ignores egress. Cisco’s noninfringement argument was based upon the packets being subjected to rules only one time and at only one step in the process. Therefore, Dr. Reddy opined on only the application of rules on the ingress half of packet processing performed by the switches and routers. In contrast, Mr. Jones specifically noted that rules are applied on both ingress and egress in describing the processing of packets by using strictly the Cisco technical document in an unaltered form. A more detailed explanation of all these issues in contained in the findings of fact and conclusions of law with respect to the ‘806 Patent. Here is Cisco’s technical diagram used by Mr. Jones in his testimony: 27 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 28 of 178 PageID# 23914 DTX-562 In this diagram, there is a full picture of a packet’s process through a switch or router without any highlighting limitation only on ingress. Therefore, Mr. Jones provided a complete picture of how rules are applied within the accused products on both ingress and egress. To support his opinions, Mr. Jones used Cisco’s own technical documents where Dr. Reddy used an animation prepared for litigation in addition to his own modified version of the technical documents. Tr. 2614-2616. In addition to using a highlighted version of the technical document, Dr. Reddy, in his testimony, ignored Mr. Jones’s egress explanation of the technical document itself, and attempted to explain the product’s functionality by using his own created animation on slide 31: 28 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 29 of 178 PageID# 23915 SLIDE 31 OF DR. REDDY’S PRESENTATION In this animation produced solely for litigation, Dr. Reddy continues to omit the egress processing of packets out of Cisco’s switches and routers. The Court made distinct note of Dr. Reddy’s use of an animation during his direct examination. Tr. 2616:10-20. Dr. Reddy’s testimony is just one example of how Cisco’s experts used their own modified exhibits and ex post facto animations while Centripetal’s experts and Cisco’s own employees relied on Cisco’s technical documents in an unaltered form. Cisco’s experts attempted to challenge every element of all of the claims at issue in its noninfringement case. However, the Court FINDS that Centripetal has proven the direct infringement of each element of the asserted claims in the ‘856 Patent, the ‘176 Patent, the ‘493 Patent, and the ‘806 Patent by a preponderance of the evidence. Most of Cisco’s challenges amounted to no more than conclusory statements by its experts without evidentiary support. Accordingly, in its findings of fact and conclusion of law, the Court has focused on only those elements cited by Cisco’s 29 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 30 of 178 PageID# 23916 infringement experts in their patent by patent outlines of noninfringement theories. The Court will analyze each patent individually, and outline all relevant findings of fact and conclusions of law regarding infringement, validity, and damages. The Court will address the patents in the following order: the ‘856 Patent; the ‘176 Patent; the ‘193 Patent; the ‘806 Patent; and the ‘205 Patent. V. FINDINGS OF FACT AND CONCLUSIONS OF LAW REGARDING INFRINGEMENT AND VALIDITY A. THE ‘856 PATENT i. Findings of Fact Regarding Infringement 1. The ‘856 Patent has been informally known as the Encrypted Traffic Patent. Tr. 884:25. 2. The ‘856 Patent was issued on March 13, 2018. JTX-5. The application for the ‘856 Patent was filed on December 23, 2015. JTX-5. 3. The asserted claims of the ‘856 Patent are Claim 24 and Claim 25. Doc. 411. Claim 24 and Claim 25 are, respectively, a system and computer readable media claims. 4. Claim 24 is laid out below: A packet-filtering system comprising: at least one hardware processor; and memory storing instructions that when executed by the at least one hardware processor cause the packet-filtering system to: receive data indicating a plurality of network-threat indicators, wherein at least one of the plurality of network-threat indicators comprise a domain name identified as a network threat; identify packets comprising unencrypted data; identify packets comprising encrypted data; determine, based on a portion of the unencrypted data corresponding to one or more network-threat indicators of the plurality of network- 30 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 31 of 178 PageID# 23917 threat indicators, packets comprising encrypted data that corresponds to the one or more network-threat indicators; filter, based on at least one of a uniform resource identifier (URI) specified by a plurality of packet-filtering rules, data indicating a protocol version specified by the plurality of packet-filtering rules, data indicating a method specified by the plurality of packetfiltering rules, data indicating a request specified by the plurality of packet-filtering rules, or data indicating a command specified by the plurality of packet-filtering rules: packets comprising the portion of the unencrypted data corresponding to one or more network-threat indicators of the plurality of network-threat indicators; and the determined packets comprising the encrypted data that corresponds to the one or more network threat indicators; and route, by the packet-filtering system, filtered packets to a proxy system based on a determination that the filtered packets comprise data that corresponds to the one or more network-threat indicators. JTX-5. 5. Claim 24 is identical to Claim 25 in every respect except that Claim 25 is a computer readable media 4 claim. Tr. 885:14-24. Claim 25 modifies the introductory language of Claim 24, replacing “[a] packet-filtering system comprising: at least one hardware processor; and memory storing instructions that when executed by the at least one hardware processor cause the packet-filtering system to:” with “[o]ne or more non-transitory computer-readable media comprising instructions that when executed by at least one hardware processor of a packet-filtering system cause the packet-filtering system to:.” JTX-5. For purposes of infringement, the parties treated Claims 24 and 25 the same. 4 Computer readable media is software comprising of source code that is loaded into computer hardware through a device such as a CD-ROM, memory card or flash drive. This media comprises of readable instructions for the intended computer to operate. Tr. 473:4-23. 31 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 32 of 178 PageID# 23918 6. Dr. Sean Moore, an inventor of the ‘856 Patent, describes the ‘856 Patent as a system for stopping cyber-attacks even when the malicious data is embedded within encrypted packets. Tr. 347:8-9. Therefore, the ‘856 Patent deals specifically with Centripetal’s threat filtering technology as applied to encrypted packets. Tr. 347:8-9. 7. The process at the core of this technology involves using unencrypted information located in a packet to determine if there is a threat embedded in the encrypted portion. Centripetal developed this technology as a response to the ever-growing trend of cyber criminals encrypting packets as a way to bypass traditional security procedures. See Tr. 310:20-24, 889:6-12. Thus, Dr. Moore identifies the ‘856 Patent as one of Centripetal’s solutions to operationalize threat intelligence to determine if encrypted packets contain network threats. Tr. 348:1-16. 8. This system is considered an advancement over previous security systems that would fail to detect hidden attacks because the payload was encrypted by cyber criminals. Tr. 887:4-17. 9. Centripetal accuses Cisco’s Catalyst 9000 series switches, the Aggregation Services Router 1000 series routers and Integration Services Router 1000 and 4000 series routers in combination with Cisco’s Stealthwatch and Identity Services Engine of infringing Claims 24 and 25 of the ‘856 Patent. Tr. 886:9-11. Source code for Stealthwatch is compiled in Atlanta. PTX1932. 10. All of the accused devices for the ‘856 Patent are embedded with Cisco’s new 2017 technology known as Encrypted Traffic Analytics (“ETA”). Tr. 887:25-888:6, 890:19-22; PTX561 at 630. Cisco utilized ETA as a response to the growing number of attackers that were using encrypted traffic to bypass standard security protocols. Tr. 889:2-12; PTX-561 at 629 (Cisco 32 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 33 of 178 PageID# 23919 noting that “attackers are also using encryption to conceal malware and evade detection by traditional security products.”). 11. ETA became a critical component of Cisco’s security infrastructure because it provided a new method for identifying hidden threats within encrypted traffic without having to perform the time consuming process of decryption. PTX-561 at 630 (Cisco, in 2019, highlighting ETA as an “innovative and revolutionary technology” that “illuminate[s] the dark corners in encrypted traffic without any decryption by using new types of data elements or telemetry . . .”). 12. In order to detect threats in encrypted traffic without decryption, ETA uses data from the unencrypted portion of the packet and performs advanced security analytics. Tr. 892:710; PTX-561 at 630. Cisco’s documents describe the four main elements of information that is extracted from packets by the ETA technology: 1. Sequence of Packet Lengths and Times (“SPLT”) – SPLT conveys the length (number of bytes) of each packet’s application payload for the first several packets of a flow, along with the interarrival times of those packets. 2. Initial Data Packet (“IDP”) – IDP is used to obtain packet data from the first packet of a flow. It allows extraction of interesting data such as an HTTP URL, DNS hostname and address, and other data elements. 3. Byte Distribution – The byte distribution represents the probability that a specific byte value appears in the payload of a packet within a flow. 4. TLS Specific Features – The TLS handshake is composed of several messages that contain interesting, unencrypted metadata used to extract data elements, such as cipher suite, TLS version, and the client’s public key length. 33 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 34 of 178 PageID# 23920 PTX-561 at 630 (A 2019 Cisco Technical Document). Cisco’s ETA amended NetFlow technology to enable the capture of new information from packets including the IDP and SPLT. Tr. 3127:613; see PTX-996 at 005 (showing that a 2019 version of ETA was updated to include these new categories). 13. Centripetal’s infringement expert, Dr. Eric Cole, outlined and showed Cisco’s technical documents that illustrated the analytical process of how these elements are used by Stealthwatch to detect threats in encrypted traffic. Tr. 910:10-913:4. 14. First, the accused routers and switches will make a determination if the packets are encrypted or unencrypted. Tr. 910:15-17, 943:9-14, 1064:8-14; PTX-989 at 004, 033 (the text accompanying Cisco’s ETA PowerPoint presentation from 2019 that denotes that Cisco “enhanced the network as a sensor to detect malicious patterns in not only non-encrypted traffic but also in encrypted traffic); PTX-1849 at 244 (source code confirming that there is a determination made whether the packet flow is encrypted or unencrypted). 15. After this determination, representations of information from the unencrypted portion of encrypted packets are sent up to Stealthwatch, which is running both ETA and Cognitive Threat Analytics (“CTA”). Tr. 910:15-911:9; PTX-989 at 033; PTX-578 at 061 (noting ETA “[m]akes the most out of the unencrypted fields” in the packet). 16. This information from the unencrypted packets is sent up to Stealthwatch using Cisco’s proprietary logging framework known as NetFlow. Tr. 1078:10-18, 1082:20-24. 17. Using ETA and CTA, Stealthwatch analyzes the NetFlow from the packets and identifies malware threats in encrypted traffic without running any form of standard decryption. Tr. 910:15-911:9, 936:4-20, 941:4-8; PTX-989 at 033; PTX-1010 at 001 (stating Stealthwatch “can detect malware in encrypted traffic without any decryption using Encrypted Traffic 34 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 35 of 178 PageID# 23921 Analytics.”) (emphasis in original); PTX-1009 at 012 (Cognitive Threat Analytics technical release notes illustrating that ETA “[e]nhances existing Stealthwatch / CTA integration with malware detection capability for encrypted traffic without decryption.”). 18. In order to perform the required analysis, Stealthwatch receives real-time threat intelligence indicators contributed by a third-party intelligence provider or directly from Cisco’s Threat Intelligence Group known as Talos. Tr. 912:16-19, 921:13-16; PTX-20 at 001 (showing Stealthwatch has the ability to take threat indicators and “correlate[] suspicious activity in the local network environment with data on thousands of known command-and-control servers . . .” and indicating that Stealthwatch uses ETA to “pinpoint malicious patterns in encrypted traffic to identify threats . . .”); PTX-1081 at 013 (illustrating Stealthwatch’s integration of CTA by using the Global Risk Map to identify known malicious domain data). 19. This threat intelligence sent into Stealthwatch contains many known malicious IP addresses, domain names, protocol versions and other indicators of malicious traffic. Tr. 927:410; PTX-1926 (Mr. Amin, a principal engineer at Cisco, confirming that the new Stealthwatch receives IP addresses and domain names in its threat intelligence information). 20. Using these indicators, Stealthwatch filters the representation of packets in the form of NetFlow. Then, Stealthwatch determines if any encrypted traffic in the network matches any known malicious signatures based on unencrypted information provided in NetFlow such as the IDP, Server Name Indicator (“SNI”) or Transport Layer Security (“TLS”). Tr. 920:22-921:10, 956:3-958:8, 1054:15-20; see PTX-1009 at 012; PTX-996 at 005. 21. Using a platform known as xGRID, Stealthwatch then sends the results of its analysis to the Identity Services Engine (“ISE”). Tr. 910:15-911:9, 912:1-12; PTX-989 at 033. 35 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 36 of 178 PageID# 23922 22. After this communication, ISE will provision rules or change of authorizations (“CoAs”) to the switches and routers. The switches and routers operate inline and are able to drop incoming packets from the malicious source and outgoing packets containing sensitive data attempting to be exfiltrated by embedded malware. Tr. 1965:16-18. 23. Blocked packets are routed to a proxy system, known as a null interface, that is used to drop packet traffic. Tr. 963:24-966:19; PTX-256 at 082,083; see Tr. 2199:21-2203:25. 24. This process is shown by a Cisco technical demonstration of ETA provided in February of 2018. PTX-989. The title page and relevant page are shown below: PTX-989 Cisco Encrypted Traffic Analytics Technical Presentation from February of 2018 36 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 37 of 178 PageID# 23923 25. Cisco’s expert has failed to cite any Cisco technical document produced post June 20, 2017. 26. Cisco has not called any witness who authored any of the Cisco technical documents relied upon by Centripetal in their infringement case. 27. Cisco’s expert witness relies on animations, produced ex post facto, which were designed for litigation and do not accurately portray the current functionality of the accused products. ii. Conclusions of Law Regarding Infringement The Federal Circuit has concisely stated that “[i]nfringement analysis is a two-step process: ‘[f]irst, the court determines the scope and meaning of the patent claims asserted ... [and secondly,] the properly construed claims are compared to the allegedly infringing device.’” N. Am. Container, 37 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 38 of 178 PageID# 23924 Inc. v. Plastipak Packaging, Inc., 415 F.3d 1335, 1344 (Fed. Cir. 2005) (quoting Cybor Corp. v. FAS Techs., Inc., 138 F.3d 1448, 1454 (Fed. Cir. 1998)). First, the Court hereby incorporates its Markman Claim Construction Order for purposes of construing the terms in the Asserted Claims. Doc. 202. The Court has made a modification to one of the terms previously construed via Markman due to a developed understanding of the technology in the case. See Pressure Prods. Med. Supplies v. Greatbatch Ltd., 599 F.3d 1308, 1316 (Fed. Cir. 2010) (“district courts may engage in a rolling claim construction, in which the court revisits and alters its interpretation of the claim terms as its understanding of the technology evolves”). The Court, in analyzing the applicable law, includes a table of the previously construed terms: Term Construction Configured to Plain and ordinary meaning which requires that the device be capable of configuring to do the function. (amended definition) Correlate, based on a plurality of log entries Packet correlator may compare data in one or more log entries with data in one or more other log entries. A changeable set of one or more rules, messages, instructions, files, or data structures, or any combination thereof, associated with one or more packets. Dynamic security policy Generate, based on the correlating, one or more rules. Plain and ordinary meaning. log entries Notations of identifying information for packets. 38 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 39 of 178 PageID# 23925 Indicators of packets associated with network threats, such as network addresses, ports, domain names, uniform resource locators (URLs), or the like. network-threat indicators A gateway computer configured to receive packets and perform a packet transformation function on the packets. packet security gateway Packets Plain and ordinary meaning in the context of the claim in which the term appears. Preambles Preambles are limiting. Proxy system A proxy system which intervenes to prevent threats in communications between devices. Responsive to correlating Plain and ordinary meaning. Rule A condition or set of conditions that when satisfied cause a specific function to occur. Security policy management server A server configured to communicate a dynamic security policy to a packet gateway. The Court has made one notable change from the previous claim construction order. The Court revises the construction of the term “configured to” from “Plain and ordinary meaning which requires that the action actually do the function automatically” to “Plain and ordinary meaning which requires that the device be capable of configuring to do the function.” See Tr. 1646:111647:1. This change is made in light of the Court’s developing knowledge of the patented technology. 39 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 40 of 178 PageID# 23926 To prove infringement, the plaintiff must show the presence of every claim element or its equivalent in the accused device by a preponderance of the evidence. Uniloc USA, Inc. v. Microsoft Corp., 632 F.3d 1292, 1301 (Fed. Cir. 2011); see Cross Med. Prods., Inc. v. Medtronic Sofamor Danek, Inc., 424 F.3d 1293, 1310 (Fed. Cir. 2005) (showing preponderance of the evidence as the proper standard for infringement analysis). This standard does not require a patent owner to present “definite” proof of infringement, but instead requires the patent owner to establish that “infringement was more likely than not to have occurred.” See Warner–Lambert Co. v. Teva Pharms. USA, Inc., 418 F.3d 1326, 1341 n.15 (Fed. Cir. 2005) (citing Advanced Cardiovascular Sys., Inc. v. Scimed Life Sys., Inc., 261 F.3d 1329, 1336 (Fed. Cir. 2001)). This comparison of the claims to an accused product is a fact specific inquiry and may be based on “direct or circumstantial evidence.” W.L. Gore & Assoc, Inc. v. Medtronic, Inc., 874 F. Supp. 2d 526, 541 (E.D. Va. 2012) (citing Martek Biosciences Corp. v. Nutrinova, Inc., 579 F.3d 1363, 1372 (Fed. Cir. 2009)). Literal infringement requires an accused product to embody each and every limitation of the patented claim. V-Formation, Inc. v. Benetton Group SpA, 401 F.3d 1307, 1312 (Fed. Cir. 2005). In contrast, “under the doctrine of equivalents, ‘a product or process that does not literally infringe upon the express terms of a patent claim may nonetheless be found to infringe if there is ‘equivalence’ between the elements of the accused product or process and the claimed elements of the patented invention.’” W.L. Gore & Associates, Inc., 874 F. Supp. 2d at 541 (quoting Warner– Jenkinson Co. v. Hilton Davis Chem. Co., 520 U.S. 17, 21 (1997)). A finding that the doctrine of equivalents applies requires either that “the difference between the claimed invention and the accused product or method was insubstantial or that the accused product or method performs substantially the same function in substantially the same way with substantially the same result as 40 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 41 of 178 PageID# 23927 each claim limitation of the patented product or method.” Id. (quoting AquaTex Indus., Inc. v. Techniche Sols., 479 F.3d 1320, 1326 (Fed. Cir. 2007)). Based on the Court’s factual findings, Centripetal has proven by a preponderance of the evidence that Cisco’s Catalyst 9000 series switches, the Aggregation Services Router 1000 series routers and Integration Services Router 1000 and 4000 series routers in combination with Cisco’s Stealthwatch and Identity Services Engine literally INFRINGE Claims 24 and 25 of the ‘856 Patent. Cisco’s expert on the ‘856 Patent, Dr. Douglas Schmidt testified: I was asked to look first at whether or not the accused Cisco product suite infringed the ‘856 patent. I was also asked to opine on whether the ‘856 patent was valid relative to the prior art. And I was also asked to assume if, in fact, the patent was valid and the accused products infringed, what damages should be assessed, looking at this from a technical point of view of any benefit that the patent provided over what was already known in the prior art. Tr. 1817:13-23. Dr. Schmidt opined that the ‘856 Patent is not-infringed on three different theories, First, Dr. Schmidt concludes that the current Cisco system is exclusively after the fact analysis and does not work on determined packets as required by the claims. Second, he states that the null interface used in the Cisco system is not a proxy system as required by the claims. Third and finally, he argues that packets are not filtered by the Cisco system. The Court disagrees with all of Dr. Schmidt’s theories of non-infringement. Turning to the first theory, Dr. Schmidt began his infringement analysis with a description of slide five of his demonstrative presentation. This slide was used in various forms throughout his presentation, as well as by other Cisco experts, and is reproduced here: 41 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 42 of 178 PageID# 23928 SLIDE FIVE OF DR. SCHMIDT PRESENTATION Dr. Schmidt used the animated slide five, produced ex-post facto for use in the litigation, to support the following opinion: Q. And by the time that telemetry information gets sent along that blue dotted line to the right-hand side -- by the time that happens, where is the packet itself? A. The packets will have long since been received. The packets will typically arrive in a millisecond time frame, which is extremely fast, and the information that’s processed on the right-hand side by the so-called after-the-fact management devices could take minutes, hours, perhaps even days to be processed. Tr. 1815:10-18. Dr. Schmidt indicates throughout his testimony that the new Cisco system is all after the fact analysis and the system “doesn’t work on determined packets.” In his testimony and on slide five, Dr. Schmidt opined that after the fact management devices include Identity Service Engine (“ISE”), Stealthwatch (based on NetFlow), and Encrypted Traffic Analytics (“ETA”). He opined: Q. The accused systems don’t block. 42 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 43 of 178 PageID# 23929 A. Again, don’t block, don’t block what? What are we talking about? Q. Don’t block malware before it infects the host. A. I think my testimony this whole time has been that the accused products here, particularly the ones that are the after-the-fact ones, allow the information to go to the destination and then conduct so-called after-the-fact analysis in order to determine what issues have occurred and what remediations to take place. Tr. 1923:14-23. Dr. Schmidt presented excruciatingly detailed evidence, including animations and text of the old Stealthwatch product, which it acquired from Lancope. Before 2017, Stealthwatch functionality appeared to focus on after the fact forensics, however this was not the case beginning in 2017, as its own software engineer, Mr. Llewallyn, testified while referring to PTX-965: Q. Do you see this is a Cisco Stealthwatch document? It looks like it’s “At a Glance.” Do you see that? A. Yes. Q. And there’s a copyright date on the bottom there of 2017. It might be hard to see, but I'll pull it up. This is a 2017 document? A. Uh-huh. Q. Now, you talked about how Stealthwatch works to monitor internal in the network, correct? A. That’s correct. Q. You also mentioned how it is integrated with Cisco’s Identity Services Engine, right? A. That’s correct. ... Q. It says, “Helps organizations get 360-degree view of their extended network.” Now, what I want to focus on is at the bottom, where it says, “Simplify segmentation throughout your network with centralized control and policy enforcement and address threats faster, both proactively with threat detection and retroactively via advanced forensics.” Now, Stealthwatch, working with other 43 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 44 of 178 PageID# 23930 products in Cisco’s Security Suite, in this case the Identity Services Engine, can proactively protect against threats, correct? A. Well, it’s based on a manual operation, though. Q. But it’s in the code. The computers can do it, right? A. Yes. It provides a way to quarantine the host, by clicking a button. Q. And you can address threats faster, you can proactively -- both proactively with threat detection and retroactively via advanced forensics, correct? A. That’s correct. Tr. 2198:5-2198:20, 2199:3-2199:20. Significantly, Cisco and Dr. Schmidt failed to cite any technical documents or diagrams illustrating the new post 2017 Stealthwatch or other products accused of infringing the ‘856 Patent. An examination of Cisco’s own technical documents and diagrams from post 2017, illustrating the functionality of the accused products, explain why it adopted this new functionality. The diagrams and the accompanying text from Cisco’s technical explanation of ETA, PTX-584 and PTX-570, illustrate why slide five, and the testimony grounded upon it and its variations, are inaccurate: 44 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 45 of 178 PageID# 23931 PTX-584 Cisco Encrypted Traffic Analytics Technical White Paper from 2019 PTX-584 at 402. 45 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 46 of 178 PageID# 23932 PTX-570 Cisco Encrypted Traffic Analytics Technical Deployment Guide from July 2019 PTX-570 at 593. This is further supported by the Cisco Stealthwatch Technical Data Sheet, PTX482: Analyzing this data can help detect threats that may have found a way to bypass your existing controls, before they are able to have a major impact. The solution is Cisco Stealthwatch, which enlists the network to provide end-toend visibility of traffic. This visibility includes knowing every host-seeing who is accessing which information at any given point. From there, it’s important to know what is normal behavior for a particular user or “host” and establish a baseline from which you can be alerted to any change in the user’s behavior the instant it happens. PTZ-482 at 664 (emphasis added). Moreover, Dr. Schmidt’s testimony attempting to contradict PTX-1287, a 2018 Cisco document, is revealing: 46 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 47 of 178 PageID# 23933 Q. So we go to 1287. This is a document describing the Catalyst 9000 switch. “Foundation for a New Era of Intent-based Networking.” Do you see that, Dr. Schmidt? A. I do. Q. Okay. You know Dr. Cole relied on this document in his direct testimony of infringement, correct? A. I believe so. Q. Okay. Now if we turn to Page 28 of that document ending in Bates Number 028, there’s a graphic at the top here and it talks about the Catalyst 9000 Advanced Security Capabilities. Do you see that? A. I do. Q. And you recall Dr. Cole relying on this document, correct? A. Not particularly, no. Q. Okay. Well, if you look at the very bottom it says, “Detect and stop threats, exclamation point.” Do you see that? A. I do. Q. And Dr. Cole used it to show that the Catalyst switches and the routers that have the same operating systems can detect and stop threats prospectively right? Or proactively, correct? A. I don’t believe that that’s what it says, no. Q. So you don’t think this says it’s going to detect and stop threats proactively? A. I don’t know what this slide says in this context. I know that Dr. Cole had an analysis that read the claims in a way that was essentially a non-sequitur, a series of non-sequiturs, and accused things as being part of -- the read on the claims, the patent claims that had nothing to do with the way in which the products operate. Q. I’m asking about your opinion now. When it says, “Detect and stop threats,” does that mean it’s detecting and stopping the threat before they get to the host? A. It’s not clear what it means in this context. I see the words “detect and stop threat.” I don’t see how it applies to the patent that we’re talking about here. 47 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 48 of 178 PageID# 23934 Q. So you don’t know what “detect and stop threat” means is what you’re telling the Court? A. No. I’m just saying I don’t know whether it means what you’re saying it means. THE COURT: Well, what do you think it means over on the right where it says “Before, During and After”? THE WITNESS: It looks like it’s saying that -- so it looks like it’s talking about the fact it’s possible to quarantine something, but I don't know how that refers to the - I don’t know how that refers to the way in which it reads on the claims and whether what Dr. Cole was alleging has anything to do with what the claims are asserting. BY MR. ANDRE: Q. So when it says “During”, during the packets coming in, Full NetFlow-based behavior analytics, Encrypted Traffic Analytics, Policy Enforcement Analytics. You don’t have an understanding of what that’s referring to? A. Again, this particular slide is coming out of thin air here, so I would have to spend a little bit of time looking at it to understand the way it’s being used in this particular context. Tr. 1925:16-1927:21; see PTX-1287 at 028 (depicted below). 48 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 49 of 178 PageID# 23935 PTX-1287 Cisco Catalyst 9000 Switching Technical Presentation from 2018 It’s difficult to comprehend why Dr. Schmidt would state, in his rebuttal of Dr. Cole, that he cannot understand a Cisco post 2017 document because it is “coming out of thin air.” In his preparation for his expert testimony, the Court is unaware how or why he overlooked this crucial Cisco document. Dr. Schmidt, when questioned again about this point, stated: Q. When we talk about Stealthwatch, if we go to the next page, you keep talking about this after-the-fact stuff. On that table on the left there it says, “Real-time detection of attacks by immediately detecting malicious connections from the local environment to the Internet.” Do you see that? A. I do. Q. So does that make you rethink your opinion that the real-time doesn’t mean immediately? A. No, it does not. 49 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 50 of 178 PageID# 23936 Q. So the word “immediately” doesn’t mean immediately in that sentence? A. Again, immediately is always relative to something. We already know that the packets are always delivered to the destination by the time the work goes up, by the time the NetFlow goes up to Stealthwatch and Cognitive Threat Analytics. And so it will detect it as quickly as it can, but it doesn’t say, it doesn’t say before the packets are delivered to the destination, does it? It says real-time detection of attacks by immediately detecting malicious connections. But there’s nothing there about it blocking the traffic, it just says it’s detecting it. Tr. 2113:17-2114:12. Dr. Schmidt’s testimony is directly refuted by Cisco’s own technical documents. For example, Cisco’s Catalyst 9000 at-a-glance guide highlights that this line of switches can “detect and stop threats, even with encrypted traffic.” PTX-199 at 224. (emphasis added). Cisco portrays the benefits of Stealthwatch as “[r]eal time detection of attacks by immediately detecting malicious connections from the local environment to the Internet.” PTX383 at 356. The Stealthwatch Data Sheet confirms that Stealthwatch uses “advanced security analytics to detect and respond to threats in real time.” PTX-482 at 664 (emphasis added). These documents confirm that the accused products are not solely used for detecting, but also for stopping those threats. Furthermore, the Stealthwatch Data Sheet notes that “Stealthwatch can recognize these early signs [of attacks] to prevent high impact . . . [o]nce a threat is identified, you can also conduct forensic investigations to pinpoint the source of the threat . . .” PTX-482 at 665 (emphasis added). The Court asked Dr. Schmidt about the word “also” in PTX-482: THE COURT: Why do you think it says “also” there? THE WITNESS: I think what it’s talking about there, Your Honor, if you take a look, it says “You can determine where else it may have propagated.” If you look at the -THE COURT: Do you think maybe it means you can do the things in the first two sentences and also do the thing in the third sentence? Do you think that’s what “also” means? THE WITNESS: I think it’s trying to say, sir, that if you look -- the forensic investigations they are specifically calling out here are pinpointing where the 50 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 51 of 178 PageID# 23937 problem was, so identifying who the bad guy is, and then determining what else might be infected. So that’s the problem with network threats; they often spread rapidly like viruses. That’s why they’re called viruses. So this is saying you can do additional analysis to not just say one person has a problem, but all the other things in the network that that person’s connected to somehow, that computer has been connecting to, may also be a problem too. I think that’s what “also” means here. THE COURT: I think “also” means “also” . . . Tr. 1974:13-1975:6. Notably when Mr. Schmidt previously read the same sentence from PTX482, he omitted the word “also” “Once a threat is identified, you can ____ conduct forensic investigations.” Tr. 1936:16-17. From his own testimony, it is clear to the Court that Dr. Schmidt is solely limiting his testimony to the forensic after the fact analysis feature in the old pre-2017 Stealthwatch. The Court accepts that Stealthwatch has the features to conduct forensic investigations after the fact. However, Dr. Schmidt, throughout his testimony ignores the presence of the word “also” and “detect and stop” in the technical documents, which denotes that the after the fact investigation is a feature that operates in addition to the ability to stop threats in real time. See Tr. 1974:3-1975:8. Turning to the second theory, this Court, in its Claim Construction Order, has construed a proxy system as a “A proxy system which intervenes to prevent threats in communications between devices.” Mr. Llewallyn, a Cisco software engineer, confirms that Stealthwatch and ISE, working in conjunction, can reconfigure the switches and routers to re-route malicious packets intended for a particular host to a null interface. Tr. 2199:21-2203:25. Cisco contends this use of a null interface falls outside of the Court’s Markman construction. It clearly does not. Cisco’s technical documents describe the null interface as a “virtual interface [that] never forward[s] or receive[s] traffic but packet[s] route[ed] to null interface are dropped.” PTX-256 at 082, 083 In this manner, the null interface causes “packets destined for a particular network to be dropped.” PTX-256 at 082, 083. The technical evidence shows that the null interface is a method, 51 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 52 of 178 PageID# 23938 incorporated into Cisco’s quarantine procedure, for re-routing packets from the intended host serving as an intervening process in the communication to drop packets. Dr. Schmidt opined that the proxy system required by the ‘856 Patent specification must perform some form of decryption. Dr. Schmidt testified as follows: Q. And you actually cited to the specification to show that a proxy system, the analysis had to actually decrypt, correct? You said that this claim requires decryption. Do you recall that? A. I do. Q. All right. So let’s go back to the patent. Column 10, line 15. 15 to 20. Now, this is the point that’s part of the specification you pointed to. Proxy device may receive the packet and decrypt the data in accordance with the parameters as in session 306. Do you see that? A. I do. Q. And you took that to mean that it must decrypt the data in accordance with the parameters, correct? Not that it may, that it must. A. Well, so to be consistent, there’s quite a number of places in columns, basically 8 through 12, where they talk about the role of proxy device, 112, which is the part here. And when they talk about proxy device 112, they’re talking about it in the context, going back to figure 3B, where there is a SSL/TLS session set up that involves sending encrypted packets. And whenever they talk about it in all those different places in columns 8, 9, 10, 11, and 12, they always make it clear that proxy device 12 [sic] receives packets that are encrypted packets and then decrypts them, and then sends the unencrypted data to what they call the man in the middle RuleGate, which is RuleGate 124. And RuleGate 124 then, as it talks about just a little bit further down in the specification, it talks about actually doing the filtering. And it talks about filtering based on the URI, they talk about filtering based on the request, on the method, on the command and so on. And then right after that it talks about how RuleGate 124 sends that information, which at that point is still decrypted – because of course we couldn’t be analyzing it unless it was decrypted -- it then sends it to proxy device 114. And as you read in the spec, it makes it very clear that proxy device 114 then re-encrypts the data and sends it on to the destination. So in all the cases where proxy system is disclosed – and like I said, there are three or four of them in the specification – it’s always talked about in the context of receiving encrypted data and then proxy device 112 will decrypt it and then pass it on in some way. So those are the ways that proxy system are -- proxy system is used in the spec. So that’s where I come up with the reasoning that, A, proxy system is involving decryption and encryption, because it says so very clearly 52 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 53 of 178 PageID# 23939 in the specification, and then reading claims F, F1 and F2, it’s very clear that the analysis that’s done to the filtering, for the most part can’t be done unless the packets are decrypted. MR. ANDRE: Your Honor, I don’t want to interrupt the witness, but I move to strike most of that. It’s not even responsive to my question. He’s going on these long tirades and -- I just asked a very simple question. Anyway. I’ll just ask this question: BY MR. ANDRE: Q. Okay. So I looked at this entire patent. I did a word search. The word “decrypt” shows up one time in this entire patent. One single time. And it’s right there. A. That’s true. And the word unencrypted – Q. Doctor, you just said that – A. -- appears in multiple places. Q. You said that decryption shows up every time they talked about the proxy server. You just testified to that just two seconds ago. A. No, what I said was that if you read the other parts of the patent spec they don’t use the word decrypt, they talk about unencrypting the data. So it says it will send over unencrypted data. So the word decrypt and unencrypted or sending unencrypted data necessarily implies that the data is unencrypted or decrypted. Unencrypted and decrypted are essentially synonyms. So it makes it very clear throughout the specification that, especially to the parts in columns 9, 10, 11 and 12, that that’s what proxy device 112 is doing on the outgoing path. And also they talk about it in terms of proxy device 114 on the incoming path. Q. So you’re saying that unencrypted data -- data that has never been encrypted ever -- and decrypted are synonyms? A. No, thats that’s not what I’m saying. Q. You just said that. A. Well, that’s not what I’m saying. What I’m saying here is very clear: The patent spec talks repeatedly, especially in reference to figure 3B, where information is being received from, I believe it’s on session 306, I think it’s from host 108, if I’m not mistaken, and that information is coming in over an encrypted session. And it makes it very clear in the patent spec that this is an encrypted session. And then it says proxy device 112 receives the encrypted data and then either decrypts it or they sometimes say then send on unencrypted data. 53 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 54 of 178 PageID# 23940 ... Q. Is there ever a disclosure of the proxy system in the specification that doesn’t do any analysis at all; that just drops without first doing analysis? A. No. Q. And a null interface, does it do any analysis at all before it drops a packet? A. No, it does not. Tr. 1941:2-1944:15, 1976:14-20. The specification specifically confirms that another option is to drop the packets. Column 8 starting at line 5 provides: 5 10 15 20 25 30 and one or more of log or drop the packets. Responsive to receiving the packets from proxy device 112, host 106 may generate packets comprising data configured to establish the connection between proxy device 112 and host 106 (e.g., a TCP:ACK handshake message) and, at step #14, may communicate the packets to proxy device 112. Rules 212 may be configured to cause rule gate 120 to one or more of identify the packets, determine ( e.g., based on one or more network addresses included in their network-layer headers) that the packets comprise data corresponding to the network-threat indicators, for example, by correlating the packets with one or more packets previously determined by packet-filtering system 200 to comprise data corresponding to the network-threat indicators based on data stored in logs 214 (e.g., log data generated by packetfiltering system 200 in one or more of steps #6, #7, #12, or #13), and one or more of log or drop the packets. Responsive to receiving the packets from proxy device 114, host 142 may generate packets comprising data conFigured to establish the connection between proxy device 114 and host 142 (e.g., a TCP:SYN-ACK handshake message) and, at step #15, may communicate the packets to proxy device 114. Rules 212 may be configured to cause rule gate 128 to one or more of identify the packets, determine ( e.g., based on one or more network addresses included in their network-layer headers) that the packets comprise data corresponding to the network-threat indicators, for example, by correlating the packets with one or more packets previously determined by packet-filtering system 200 to comprise data corresponding to the network-threat indicators based on 54 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 55 of 178 PageID# 23941 35 40 45 50 55 60 data stored in logs 214 (e.g., log data generated by packetfiltering system 200 in one or more of step #s 6, 7, or 12-14), and one or more of log or drop the packets. Responsive to receiving the packets from host 142, proxy device 114 may generate packets comprising data configured to establish the connection between proxy device 114 and host 142 ( e.g., a TCP:ACK handshake message) and, at step #16, may communicate the packets to host 142. Rules 212 may be configured to cause rule gate 128 to one or more of identify the packets, determine ( e.g., based on one or more network addresses included in their network-layer headers) that the packets comprise data corresponding to the networkthreat indicators, for example, by correlating the packets with one or more packets previously determined by packetfiltering system 200 to comprise data corresponding to the network-threat indicators based on data stored in logs 214 (e.g., log data generated by packet-filtering system 200 in one or more of step #s 6, 7, or 12-15), and one or more of log or drop the packets. Referring to FIG. 3B, proxy device 112 may receive the packets comprising data configured to establish the connection between proxy device 112 and host 106 communicated by host 106 in step #14, and connection 302 (e.g., a TCP connection) between proxy device 112 and host 106 may be established. Similarly, host 142 may receive the packets comprising data configured to establish the connection between proxy device 114 and host 142 communicated by proxy device 114 in step #16, and connection 304 (e.g., a TCP connection) between proxy device 114 and host 142 may be established. JTX-5 at 724. Columns 9-12 of the specification all contain the same alternate phrase “or drop the packets.” In fact, there is at least one mention of “or drop the packets” in each of columns 8-23 of the specification. These multiple references directly contradict Dr. Schmidt. Therefore, it is abundantly evident that Cisco’s null interface serves as a proxy system because it prevents threats in communications between devices, and this type of dropping of packets is shown by the specification to be an alternative to the further analysis of the packets. Therefore, the Patent does not require decryption as “or drop the packets” is already identified as an alternative. 55 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 56 of 178 PageID# 23942 Lastly, Cisco contends that Stealthwatch does not “filter” packets as required by the asserted claims. The Court disagrees. As outlined, Stealthwatch receives NetFlow, which contains representations of the unencrypted portions of encrypted packets. See PTX-578 at 061 (noting ETA “[m]akes the most out of the unencrypted fields” in the packet). These representations contain relevant header information from the packet and flow information utilized by Stealthwatch’s system to determine if the packets were being used in a malicious communication within the network. In this manner, sending these representations containing all header and flow information is no different than sending the packet directly to Stealthwatch because the representation is essentially a copy of the unencrypted portion of the packet. Using this unencrypted data, Stealthwatch discovers a user device infected with malware and “a malicious encrypted flow can be blocked or quarantined by Stealthwatch.” PTX-584 at 403. The Stealthwatch user interface known as the Stealthwatch Management Console (“SMC”) “provides a view of affected users identified by risk type.” Tr. 1920:20-22 (Dr. Schmidt confirming that Stealthwatch may provide alarms and alerts based on views within Stealthwatch), 2205:25-2206:4 (Mr. Llewallyn, a Cisco engineer, confirming Stealthwatch triggers alerts). The SMC allows for the representation of packets currently being processed within the network to be filtered and ordered by information within the unencrypted part of the packet such as protocol version, server name or domain name. Tr. 951:16-20; PTX-570 at 640. Dr. Cole highlights that this process meets the filter element because the Cisco system can identify and filter flows of packets that use certain versions of protocols that may be more vulnerable to malware incorporation. Tr. 953:22-954:2. For example, an outdated version 1.0 of a specific protocol such as TCP may be more vulnerable to be infected with malware than an updated and more secure version 2.0. See Tr. 953:22-955:24; see PTX-570 at 640. The Cisco system is able to filter the 56 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 57 of 178 PageID# 23943 flows of packets to visualize outdated versions and filter flows based on outdated and vulnerable protocol versions. See Tr. 953:22-955:24. Seeing those packet flows, the system responds by implementing rules based solely on blocking an older protocol that may leave the network open to attack. Tr. 953:22-954:2, 2202:5-25 (Mr. Llewallyn highlighting that Stealthwatch and ISE can send rules to routers and switches based on identified packet information such as protocol). Additionally, besides protocol version, Stealthwatch can perform this filtering based on server name, a component embedded within a Uniform Resource Identifier (“URI”). Tr. 957:12-21; see PTX-996 at 005 (noting that server name is part of the Initial Data Packet sent up in a Flow Record to Stealthwatch). URI, like protocol version, can be used to design rules that prevent the exfiltration of packets to that identified destination server. Accordingly, Cisco’s technical documents, as well as its own engineers, confirm that the Cisco system filters packets as required by the asserted claims of the ‘856 Patent. For all the aforementioned reasons, the Court FINDS the accused Cisco products literally infringe Claims 24 and 25 of the ‘856 Patent. iii. Findings of Fact Regarding Validity 28. The priority date of the ‘856 Patent is December 23, 2015. JTX-5. 29. As prior art, Cisco asserts multiple different versions of the old Stealthwatch system (i.e., versions 6.3, 6.5.4, and 6.5.5), and Identity Services Engine version 1.3 including NetFlow functionality embedded in other switches and routers. DTX-311, DTX-312, DTX-343, DTX-364, DTX-380, DTX-409 (All of which are pre-2017 documents). 30. The old Stealthwatch system received information from NetFlow provided by Cisco’s switches and routers. DTX-311 at 010; Tr. 3112:5-11. 57 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 58 of 178 PageID# 23944 31. The old Stealthwatch system operated as an after the fact analysis tool to gather information, after packets reached their final destination, and displayed that information to network administrators. Tr. 3123:18-21. Old Stealthwatch lacked the functionality to use unencrypted portions of data to determine if encrypted portions of traffic had threats hidden within. Tr. 3124:12-3125:6; see DTX-409. Old Stealthwatch did not possess the functionality to differentiate between unencrypted and encrypted traffic. Tr. 3112:4-11, 3122:13-3126:7, 3127:243133:10. 32. The technical documents for the old Stealthwatch system contain no mention of the ability of determining network threat indicators with respect to encrypted packets or analyzing data with respect to the unencrypted portion of encrypted packets, as it did not possess the functionality to determine what portion of the packets are unencrypted or encrypted. Tr. 3111:225. 33. Cisco incorporated the functionality from Centripetal’s technology to differentiate the unencrypted portion of packets from the encrypted portion of packets with its Encrypted Traffic Analytics (“ETA”) technology. ETA was added to Cisco’s network devices after it was released around November 2017. PTX-1009 at 012; PTX-1135 at 046-047; PTX-464 at 066, 069-070; PTX970 at 969; Tr. 3219:13-3223:6; 3238:21-3239:2, 3239:18-24. 34. The prior art asserted by Cisco contained no mention of the identification of encrypted information and/or packets. Tr. 3124:1-3125:1; see DTX-312, DTX-409. 35. Before the addition of ETA, Cisco’s system required using expensive and time- consuming decryption measures to detect threats in encrypted traffic. Tr. 2100:24-2101:18; PTX1417 at 107. 58 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 59 of 178 PageID# 23945 36. Cisco’s ETA also amended Cisco’s preexisting NetFlow technology in 2017 to enhance the capture of new and different information from the unencrypted portion of encrypted packets including the Initial Data Packet (“IDP”) and Sequence of Packet Lengths and Times (“SPLT”). Tr. 3127:6-13, 2103:5-6; see PTX-996 at 005. iv. Conclusions of Law Regarding Validity Patents and their claims are presumed to be valid. 35 U.S.C. § 282(a). This presumption may be rebutted by clear and convincing evidence that the patent at issue is invalid. Sciele Pharma Inc. v. Lupin Ltd., 684 F.3d 1253, 1260 (Fed. Cir. 2012); Tech. Licensing Corp. v. Videotek, Inc., 545 F.3d 1316, 1327 (Fed. Cir. 2008). This high burden of proof lends the necessary deference to the Patent and Trademark Office’s decision to grant the patent. See Sciele Pharma Inc., 684 F.3d at 1260 (“This notion stems from our suggestion that the party challenging a patent in court bears the added burden of overcoming the deference that is due to a qualified government agency presumed to have done its job.”). The clear and convincing standard “is an intermediate standard which lies somewhere between ‘beyond a reasonable doubt’ and a ‘preponderance of the evidence.’” Buildex Inc. v. Kason Indus., Inc., 849 F.2d 1461, 1463 (Fed. Cir. 1988) (quoting Addington v. Texas, 441 U.S. 418, 425 (1979)). This standard is met when the evidence “produces in the mind of the trier of fact an abiding conviction that the truth of [the] factual contentions are highly probable.” Id. Throughout the trial, Cisco’s experts opined that the patents were invalid based on anticipation, obviousness, and in some claims, lack of adequate written description. Starting first with anticipation, in order to anticipate a claim, “a single prior art reference must expressly or inherently disclose each claim limitation.” Finisar Corp. v. DirecTV Group, Inc., 523 F.3d 1323, 1334 (Fed. Cir. 2008). This disclosure must go beyond a mere mention of each 59 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 60 of 178 PageID# 23946 claim limitation, as anticipation “requires the presence in a single prior art disclosure of all elements of a claimed invention arranged as in the claim.” Id. (emphasis in original). To invalidate a patent on the basis of obviousness, a party “must demonstrate by clear and convincing evidence that a skilled artisan would have been motivated to combine the teachings of the prior art references to achieve the claimed invention, and that the skilled artisan would have had a reasonable expectation of success in doing so.” Cumberland Pharms. Inc. v. Mylan Institutional LLC, 846 F.3d 1213, 1221 (Fed. Cir. 2017) (quoting Kinetic Concepts, Inc. v. Smith & Nephew, Inc., 688 F.3d 1342, 1360 (Fed. Cir. 2012)). Dr. Schmidt, in his invalidity testimony, assumed the infringement analysis by Dr. Cole and opined that all of the same functionality that Dr. Cole relies on for infringement was in the accused products prior to the priority date of the ‘856 Patent. Tr. 1984:23-1985:4. Cisco’s technical documents refute this characterization and confirm that Encrypted Traffic Analytics (“ETA”) was truly a new advancement in the identification of threats within encrypted traffic without decryption and not simply an improvement over the previous system. The Catalyst 9000 Switch Guide shows how the accused products, with the addition of ETA, solved difficulties of detecting threats in encrypted traffic: Before the introduction of the Catalyst 9000 series, detecting attacks that hide inside encrypted sessions required unwieldy and expensive measures. In short, it meant installing decryption hardware in the middle of encrypted flows . . . PTX-1417 at 107. Dr. Schmidt’s testimony on the Catalyst 9000 switches confirmed this technical statement that the prior art system employed by Cisco, before ETA, required some form of decryption to detect threats in encrypted traffic. He testified: Q. Okay. Well, why don’t we turn to Page Bates No. 107 of this document. I want to turn your attention to the second -- this is talking about the Encrypted Traffic Analytics on the Catalyst switches. I want to turn your attention to the second paragraph. It states “Before the introduction of the Catalyst 9000 series, detecting 60 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 61 of 178 PageID# 23947 attacks that hide inside encrypted sessions required unwieldy and expensive measures. In short, it meant installing decryption hardware in the middle of encryption flows.” Do you see that? A. I do. Q. And you agree with that statement that’s in the Catalyst manual? A. I think that’s referring -- I think that’s contrasting the so-called inline systems which I believe the ‘856 patent to be focusing on with the after-the-fact analysis that they’re talking about here. Because if you look, “In short, it means installing decryption hardware in the middle of encrypted flows.” I believe that’s what a firewall does and that’s what the prior art Cisco Systems did, and that’s also of course what the ‘856 patent covers. Tr. 2100:24-2101:18 (emphasis added). Dr. Schmidt stated that he accepted Dr. Cole’s construction of the claims to find that the prior art system performs all of the infringing functionality. Based on this testimony, Dr. Schmidt opined that the ‘856 Patent covers a system that uses “decryption hardware” to detect threats in encrypted traffic. The Court agrees that the functionality of Cisco’s prior art primarily employed decryption to deal with threats in encrypted traffic. See PTX-1417 at 107. However, accepting Dr. Cole’s infringement construction of the asserted claims, the Court, in order to find invalidity, would be required to find that Cisco’s prior art disclosed the functionality to identify threats in encrypted traffic without the use of decryption. It is evident to the Court that Cisco lacked this functionality before 2017, yet this infringing functionality is exactly what was embedded in the accused products with the addition of ETA in 2017. The technical documents confirm that Cisco represented it had solved the problems of expensive decryption by delivering “Encrypted Traffic Analytics (ETA) on Catalyst 9000 switches. ETA identifies malware communications in encrypted traffic via passive monitoring: no extra equipment is required and unnatural traffic redirection need not be performed.” PTX-1417 at 107. Cisco completed malware identification in encrypted traffic by “ETA introducing new flow 61 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 62 of 178 PageID# 23948 metadata to help it identify malicious activity hiding within an encrypted flow.” PTX-1417 at 107. Cisco, through ETA, added both the “Initial Data Packer (IDP) and the Sequence of Packet Length and Times (SPLT)” to its use of NetFlow. PTX-1417 at 107. ETA was incorporated into all of the accused products in order to implement the functionality of detecting threats in encrypted traffic by using unencrypted portions of those packets. When asked about the functionality employed in the old Stealthwatch technology, Dr. Schmidt asserted that the 2013 version of Stealthwatch was able to detect and stop threats in encrypted traffic without decryption: Q. All right. Let’s talk a little bit about Stealthwatch. You’re saying that Stealthwatch from 2013 is the same as the Stealthwatch from today essentially? Functionally equivalent? A. I don’t think that’s quite what I said, but my point was with respect to what Dr. Cole is alleging in his infringement analysis as far as what does the filtering and the determining the filtering and the routing, that the capabilities existed in the prior art version of the accused products to do the same capabilities, to be able to detect threats in encrypted traffic without decrypting the traffic as we saw with the botnets, for example; the ability to do other kinds of analysis. I believe his use of the word filtering is inconsistent with the specification, but if that’s the way he wants to use it, there were ways to filter information as we saw in the bot net example as well in my testimony yesterday. Tr. 2110:17-2111-7 (emphasis added). This opinion is directly refuted by Dr. Schmidt’s own prior testimony, Tr. 2100:24-2101:18, as well as the technical documents that describe the functionality of Stealthwatch. PTX-383, a Stealthwatch technical guide from 2018, incorporated language that the 2017 ETA solution enabled Stealthwatch as the “first and only solution in the industry that can detect malware in encrypted traffic without any decryption using Encrypted Traffic Analytics.” PTX-383 at 355. Dr. Schmidt continually attempts to characterize the ETA solution as enhancing previously existing technology to identify threats in encrypted traffic but cites to no Cisco documents pre-2017 showing that the older Stealthwatch system had the capability to do the same functionality as the ETA solution. The only technical documents that confirm this functionality 62 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 63 of 178 PageID# 23949 are from later than the priority date of the ‘856 Patent. In this manner, the technical documents affirm that the infringing functionality was added after the priority date of the ‘856 Patent. Cisco’s press releases from the 2017 timeframe reinforce Centripetal’s contentions based on the technical documents. These releases show Cisco considered Encrypted Traffic Analytics as solving a “network security challenge previously thought to be unsolvable.” PTX-452 at 648. David Goeckeler, Cisco’s senior vice president and general manager of networking and security, highlighted the main advancement as: “ETA uses Cisco’s Talos cyber intelligence to detect known attack signatures even in encrypted traffic, helping ensure security while minting privacy.” PTX452 at 648; see PTX-1135. These statements are shown in PTX-1135, a Cisco Press Release from June 20, 2017, reproduced below: 63 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 64 of 178 PageID# 23950 64 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 65 of 178 PageID# 23951 Dr. Schmidt testified to his characterization of these press releases: Q. But is it your testimony that Cognitive Threat Analytics was on Stealthwatch in 2013? A. It was my testimony that Stealthwatch was capable of doing behavioral analytics, enabling it to be able to detect encrypted threat -- encrypted threats -- or threats in encrypted traffic without requiring decryption. That was my testimony when I talked yesterday. Q. So all these testimony we, all this, the press releases, the documents about Encrypted Traffic Analytics, that’s just all marketing puff; it was really not true, they could do it way before then, right? A. I didn’t say it was marketing puff, I said that the capabilities that were added with ETA, Encrypted Traffic Analytics, were very valuable, and the value came from the additional machine learning insights and classification capabilities that were added at that time frame. It was, in fact, possible for them to do it before that, but they were able to do it better now because they’ve added these additional capabilities. Q. So when they said they solved the unsolvable problem, they had it solved years before, right? A. Well, we don’t know what the unsolvable problem is from that quote. It could very well have been solving it more precisely or solving it more efficiently or solving it more thoroughly. So the insurmountable or unsolvable problem, I never saw an actual definition of that term, so I’m simply assuming that what they meant was they could do a much better job now that they added these enhancements, but that in no way, shape or form means they couldn’t do a good job before. Tr. 2105:1-2106:4. This characterization by Dr. Schmidt of Cisco’s language of “solving the unsolvable problem” as simply an improvement of a previous functionality is insupportable when compared with the technical documents. For all these reasons, Cisco has failed to present clear and convincing evidence that the ‘856 Patent is invalid for anticipation or obviousness. The prior art does not disclose the functionality to identify encrypted packets and then make determinations based on unencrypted information within those packet headers and flows. 65 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 66 of 178 PageID# 23952 The Court now turns to Cisco’s written description argument. To meet the written description requirement, the patentee “must ‘convey with reasonable clarity to those skilled in the art that, as of the filing date sought, he or she was in possession of the invention,’ and demonstrate that by disclosure in the specification of the patent.” Idenix Pharms. LLC v. Gilead Scis. Inc., 941 F.3d 1149, 1163 (Fed. Cir. 2019) (quoting Carnegie Mellon Univ. v. Hoffmann-La Roche Inc., 541 F.3d 1115, 1122 (Fed. Cir. 2008)); see Hynix Semiconductor Inc. v. Rambus Inc., 645 F.3d 1336, 1351 (Fed. Cir. 2011); Ariad Pharms., Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1351 (Fed. Cir. 2010). The hallmark of the written description test is disclosure. Ariad, 598 F.3d at 1351. Therefore, the “test requires an objective inquiry into the four corners of the specification from the perspective of a person of ordinary skill in the art.” Id.; see Idenix, 941 F.3d at 1163. Dr. Schmidt contends that the ‘856 Patent specification does not disclose any type NetFlow invention and, therefore, the claims fail for lack of written description. He opined that if the claims are infringed for filtering representation of packets, then the Patent is invalid for lack of written description because there is no disclosure of this type of scenario within the specification. Tr. 2067:6-25. The Court disagrees with Dr. Schmidt’s conclusion. The specification specifically contains language that a “Packet-filtering system may be configured to correlate packets identified by the packet-filtering system with packets previously identified by packet-filtering system based on data stored in logs.” JTX-5 col. 5 ln. 25-30. The specification continues to mention that: 35 40 For example, for one or more packets logged by packetFiltering system 200 (e.g., the packets comprising the DNS query or the packets comprising the reply to the DNS query), logs 214 may comprise one or more entries indicating one or more of network-layer information (e.g., information derived from one or more network-layer header fields of the packets, such as a protocol type, a destination network address, a source network address, a signature or authentication information (e.g., information from an Internet protocol security (IPsec) encapsulating security payload (ESP)), 66 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 67 of 178 PageID# 23953 45 50 55 or the like), transport-layer information (e.g., a destination port, a source port, a checksum or similar data ( e.g., error detection or correction values, such as those utilized by the transmission control protocol (TCP) or the user datagram protocol (UDP)), or the like), application-layer information (e.g., information derived from one or more applicationLayer header fields of the packets, such as a domain name, a uniform resource locator (URL), a uniform resource identifier (URI), an extension, a method, state information, media-type information, a signature, a key, a timestamp, an application identifier, a session identifier, a flow identifier, sequence information, authentication information, or the like), other data in the packets (e.g., payload data), or one or more environmental variables ( e.g., information associated with but not solely derived from the packets themselves, such as one or more arrival (or receipt) or departure (or transmission) times of the packets . . . JTX-5 col. 5 ln. 31-56; see Tr. 3144:3-21. This section of the specification clearly illustrates the ‘856 Patent invention discloses the logging of certain information from the packets by the packet filtering system. Dr. Jaegar confirmed that viewing this section of the specification as a person skilled in the art would disclose the information required to be used by the packet filtering system. Tr. 3144:3-21. This is the exact type of network information that is contained in NetFlow records. Therefore, looking at the four corners of the ‘856 Patent’s specification, it is evident to a person skilled in the art that the ‘856 Patent made the required disclosure of the logging of information from packets to be used by the packet filtering system. Accordingly, the Court FINDS that Cisco has not proven by clear and convincing evidence that the ‘856 Patent was anticipated, obvious or lacked adequate written description. B. THE ‘176 PATENT i. Findings of Fact Regarding Infringement 1. The ‘176 Patent has been informally known as the “Correlation” Patent. 67 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 68 of 178 PageID# 23954 2. The ‘176 Patent was issued on January 31, 2017. JTX-3. The ‘176 Patent was filed on May 15, 2015 as a continuation of application No.14/618,967, giving the ‘176 Patent a priority date of February 10, 2015. JTX-3. 3. The asserted claims of the ‘176 Patent are Claim 11 and Claim 21. Doc. 411. Claim 11 and Claim 21 are, respectively, a system and computer readable media claim. 4. Claim 11 is laid out below: A system comprising: at least one processor; and a memory storing instructions that when executed by the at least one processor cause the system to: identify a plurality of packets received by a network device from a host located in a first network; generate a plurality of log entries corresponding to the plurality of packets received by the network device; identify a plurality of packets transmitted by the network device to a host located in a second network; generate a plurality of log entries corresponding to the plurality of packets transmitted by the network device; correlate, based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device; and responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device: generate, based on the correlating, one or more rules configured to identify packets received from the host located in the first network; and 68 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 69 of 178 PageID# 23955 provision a device located in the first network with the one or more rules configured to identify packets received from the host located in the first network. 5. Claim 11 is identical to Claim 21 in every respect except that Claim 21 is a computer readable media claim. Tr. 885:14-24. Claim 21 modifies the introductory preamble language of Claim 11 replacing “[a] system comprising: at least one processor; and a memory storing instructions that when executed by the at least one processor cause the system to:” with “[o]ne or more non-transitory computer-readable media comprising instructions that when executed by a computing system cause the computing system to:”. JTX-3. For purposes of infringement, the parties have treated the two claims as identical. 6. Dr. Moore, an inventor of the ‘176 Patent, describes the technology of the ‘176 Patent as the development of a system for identifying malware-infected computers through use of correlation. Tr. 341:3-15. 7. A single communication between two computers on different networks is often broken down into many different segments of packets. Tr. 340:20-341:2. These segments are compared to ascertain if they are a part of the same communications and then the system can make a determination that a computer within the network has been communicating with a computer of a cybercriminal. Tr. 341:3-15. Therefore, the correlation technology in the ‘176 Patent serves as a method to identify computers in a network that have been infected with malware. Tr. 341:18-19. 8. Centripetal accuses Cisco’s Catalyst 9000 series switches, the Aggregation Services Router 1000 series routers and Integration Services Router 1000 and 4000 series routers in combination with Cisco’s Stealthwatch of infringing Claims 11 and 21 of the ‘176 Patent. Tr. 975:19-21. 69 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 70 of 178 PageID# 23956 9. The accused Cisco’s switches and routers share the same operating system known as IOS XE. Tr. 448:11-24; 449:19-450:4; PTX-242 at 816, 817. 10. The accused switches and routers contain processors and memory that stores software instructions. Tr. 477:12-478:14, 484:13-485:3; PTX-1303 at 056. 11. The accused Cisco switches and routers contain processors that function to transmit packets across different external and internal networks. Tr. 977:18-21. 12. Cisco has utilized its own proprietary packet logging technology known as NetFlow. Tr. 983:18-25; PTX-1060 at 008. 13. As packets are transmitted, the accused switches and routers generate NetFlow logs, which are summaries of information from the transmitted packets. Tr. 977:18-25; 984:7-13; PTX1060 at 008. NetFlow includes information such as the source and destination IP address, the source and destination port, and the protocol being used. Tr. 984:7-13; PTX-1060 at 008. 14. The accused switches and routers are capable of generating NetFlow records for packets at both the ingress of the packet into the device and on egress out of the device. Tr. 986:18987:1; PTX-1060 at 023 (showing that the Catalyst 9400 switch is capable of supporting 384,000 NetFlow entries – 192,000 on ingress and 192,000 on egress); PTX-572 at 762; see Tr. 988:12-22 (Dr. Cole explaining PTX-572 showing “When you configure a flow record, you are telling the device to show all of the flow data traffic that enters” -- which is ingress – “or leaves” -- egress – “the device.”). 15. These NetFlow records are sent up to Stealthwatch, which by 2018 was embedded with Cognitive Threat Analytics (CTA) that digests the information from the ingress and egress NetFlow records. PTX-1009 at 009; Tr. 1009:3-14. The new Stealthwatch with CTA also has the functionality to be sent data from proxy sources using another type of logging called Syslog. PTX- 70 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 71 of 178 PageID# 23957 1065 at 005; Tr. 1115:4-116:13 (noting the Stealthwatch “solution uses the Proxy ingestion feature to consume Syslog information . . .”) Customers may use either NetFlow or Syslog data or both within Stealthwatch. PTX-1065 at 005. 16. Stealthwatch correlates NetFlow and/or Syslog information sent by devices on the network and correlates the information to provide a detailed overview of all traffic that is occurring on the network. PTX-1065 at 005. CTA, working within Stealthwatch, can leverage the correlations of NetFlow telemetry to detect malicious threats to the security of the network. PTX1009 at 009; PTX-591 at 522 (using identical language to PTX-1009 in the Stealthwatch Release Notes); see Tr. 997 at 7-12 (“‘telemetry’ is just another word for the NetFlow log information. So the NetFlow telemetry, the NetFlow logs, these are all synonymous terms, so this is another way of referring to logs”). 17. In response to these correlations, Stealthwatch creates a baseline of normal traffic behavior within the network. Based on these normal patterns and known threat indicators, Stealthwatch employs a funnel of analytical techniques to detect advanced threats. PTX-569 at 272; PTX-584 at 402. 18. Stealthwatch, in response to suspicious activity or threats, allows the Identity Services Engine or Stealthwatch Management Console to provision rules to proactively stop that threat. Tr. 1002:13-1003:21; PTX-1089 (showing the use of the Adaptive Network Control (“ANC”) to implement rules). The ANC operates by applying new policies and changing individual user’s authorization on the network according to rules and policies configured by the Identity Services Engine in response to correlated threats on the network. PTX-595 at 179; Tr. 1005:10-19. Both the Identity Services Engine and the Stealthwatch Management Console operate in this fashion. Tr. 1006:19-1007:5. PTX-989. 71 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 72 of 178 PageID# 23958 ii. Conclusions of Law Regarding Infringement Based on the Court’s factual findings, Centripetal has proven by a preponderance of the evidence that Cisco’s Catalyst 9000 series switches, the Aggregation Services Router 1000 series routers and Integration Services Router 1000 and 4000 series routers in combination with Cisco’s Stealthwatch literally INFRINGE Claims 11 and 21 of the ‘176 Patent. Cisco’s expert on the ‘176 Patent, Dr. Kevin Almeroth: was asked to offer opinions, after performing an analysis, on noninfringement as it related specifically to the ‘176 patent; similarly, to offer opinions about whether or not the ‘176 patent was valid; and then several additional opinions relating to the benefits of the patent, technical issues related to damages, and then also copying, to the extent it still exists in this trial. Tr. 2212:12-18. Dr. Almeroth advanced two non-infringement theories. Tr. 2239:17-2240:14. First, that the accused system does not correlate a plurality of transmitted packets with a plurality of received packets as required by the asserted claims of the ‘176 Patent. Tr. 2247:18-2248:4. Second, that the accused system does not generate and provision rules in response to those claimed correlations. Tr. 2247:18-2248:4. Turning to the first theory, Dr. Almeroth opined that Dr. Cole’s infringement opinion relied on the systems’ use of logs provided by Cisco’s proprietary logging technology, NetFlow, as the logs outlined by the claim language. Dr. Almeroth construed the claims to require identification and generation of logs out of the same network device on ingress and egress. Therefore, Dr. Almeroth avers that the Cisco system cannot infringe, because in his opinion, the accused switches and routers do not generate NetFlow on both ingress into a device and egress out of one network device. Tr. 2249:4-18. Cisco’s technical documents refute Dr. Almeroth’s conclusion. Dr. Cole pointed directly to PTX-1060, a Cisco technical document dated December of 2017, showing that the Catalyst switches have the ability to export NetFlow on ingress and egress. 72 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 73 of 178 PageID# 23959 Tr. 986:18-987:1; PTX-1060 at 023 (showing that the Catalyst 9400 switch is capable of supporting 384,000 NetFlow entries – 192,000 on ingress and 192,000 on egress). Dr. Almeroth, on cross-examination, even admitted that the accused switches and routers can be configured to export ingress and egress NetFlow. Q. Isn’t it correct, Dr. Almeroth, that this Cisco document says right here that MPLS Egress and NetFlow Accounting feature can be used -- being use to capture ingress and egress flow statistics for router B, one device. Is that correct? A. That’s what it says. But my last answer was qualified for Stealthwatch. This document, at least what you’re pointing me to here, does not mention Stealthwatch. And that was really my whole point: That you can certainly configure NetFlow ingress and egress, but when you get to troubleshooting Stealthwatch, it’s considered an error within Stealthwatch. Tr. 2286:10-19. In this exchange, Dr. Almeroth confirms that NetFlow can be configured on ingress and egress but shifts the crux of his non-infringement opinion to the fact that Stealthwatch produces an error based on producing both types of NetFlow. To support that claim, Dr. Almeroth relied solely on the presentation of source code from the 6.5.4 version of Stealthwatch that operated without enhanced NetFlow or the integration of Cognitive Threat Analytics (CTA). Tr. 2287:119; see DTX-1616 (showing source code from a previous 6.5.4 version of Stealthwatch that is not accused by Centripetal). He cites to no technical document that confirms that the accused/current version of Stealthwatch produces an error when exporting both ingress and egress NetFlow. In fact, the technical release notes for CTA, which was incorporated into Stealthwatch in 2018, support that CTA produced the ability for the correlation of NetFlow telemetry. PTX-1009 at 009. Dr. Cole, in his infringement opinion on the “identify and generate” elements, relied on a similar claim scope as Dr. Almeroth to show that the claims required that one network device generate logs on a packets’ ingress and egress out of the device. Moreover, Dr. Cole does not explicitly limit his construction of the asserted claims to the limitation of only ingress and egress 73 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 74 of 178 PageID# 23960 out of one device. The Court FINDS, based on the testimony and technical documents, that the accused switches and routers do identify and generate logs on ingress and egress. However, a look at the specification of the ‘176 Patent informs the Court that this is not the only construction that would infringe the asserted claims. These claim elements would also be met if there was identification, generation and correlation of logs from two different network devices on either ingress or egress. Column 8 line 46 of the specification highlights that: 50 55 60 At step 16, packet correlator 128 may utilize log(s) 142 to correlate the packets transmitted by network device(s) 122 with the packets received by network device(s) 122. For example, packet correlator 128 may compare data in entry 306 with data in entry 312 (e.g., network-layer information, transport-layer information, application-layer information, or environmental variable(s)) to correlate Pl' with Pl (e.g., by determining that a portion of the data in entry 306 corresponds with data in entry 312). Similarly, packet correlator 128 may compare data in entry 308 with data in entry 314 to correlate P2' with P2, packet correlator 128 may compare data in entry 310 with data in entry 316 to correlate P3' with P3, packet correlator 128 may compare data in entry 318 with data in entry 324 to correlate P4' with P4, packet correlator 128 may compare data in entry 320 with data in entry 326 to correlate PS' with PS, and packet correlator 128 may compare data in entry 322 with data in entry 328 to correlate P6' with P6. JTX-3 col. 8 ln. 46-63. This section of the specification indicates that the network device that generates the correlated logs may be plural as well as singular. Additionally, this section is showing the correlation may occur between data entries that were processed through two different network devices. Compare JTX-3 col. 8 ln. 46-63 with JTX-3 Fig. 3. Dr. Almeroth, on cross examination, confirms that the use of “a network device” in the claim language may mean more than one network device: Q. And then you said this had to be a single network device, correct? 74 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 75 of 178 PageID# 23961 A. Not quite. It says a network device here, and then later it’s the network device. So it’s the same network device across the limitations. Q. But you do understand that in a patent, when it says A, it can mean one or more; is that correct? A. That’s my understanding. Q. So this could be more than one network device, correct? A. It could be. Tr. 2278:11-20. Therefore, even if the Court were to accept Dr. Almeroth’s conclusion that the accused devices do not process ingress and egress out of the same device, it would still find infringement on the basis that the Cisco system correlates logs between multiple devices within the network on either ingress or egress. Moreover, Dr. Almeroth states that the accused system does not generate and provision rules in response to correlation performed as a result of Stealthwatch and CTA. Dr. Almeroth admits that Stealthwatch with CTA performs correlations, just not those required by the claim language. In explaining the diagram of PTX-1065, Dr. Almeroth opined: Q. Can you explain what’s going on here, Dr. Almeroth? A. Yes. What’s being shown here, if you start in the bottom, it shows two different sources of information that ultimately get correlated. There’s proxy data and there’s NetFlow data. And when Dr. Cole testified, he represented that that NetFlow data included ingress and egress records from the same device, which was actually not the case, as the evidence and the correct operation of the devices show. And then from there, his analysis principally turned on the fact that these documents describe correlation. They absolutely use the word correlation, but it’s not the correlation of the type required by the claims. And the example that’s shown in this particular figure and what’s described in the text below is that you’re correlating NetFlow data, which is not the NetFlow data required by the claim for the reasons I’ve given, with other data. In this case, proxy data. And so even though these documents use the word correlate, what they’re correlating is not the kind of correlation that’s required by the claims. Q. Okay. And if we look, Mr. Simons, at the text below? 75 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 76 of 178 PageID# 23962 BY MR. JAMESON: Q. And I don’t want to go through all of this, but is the same point made in the text below with respect to the comments you made, about the diagram? A. Yes. It’s absolutely the case that Stealthwatch correlates I think what we’ve referred to as threat intelligence with NetFlow records. But what it is not comparing, what it is not correlating is it’s not correlating the NetFlow records to themselves as required by the elements of the claims, because it tries to block or double count those NetFlow records. And so all of this evidence that Dr. Cole relied on that uses the word correlate, over and over again it describes correlation of threat intelligence with NetFlow data, which is not what the claim requires and also is not what the ‘176 patent is about. Tr. 2256:3-2257:10. PTX-1065 Cisco Technical Presentation Involving Operation of Stealthwatch in Combination with CTA in November 2017 76 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 77 of 178 PageID# 23963 The Court agrees with Dr. Almeroth’s assessment that Stealthwatch correlates NetFlow and Syslog information with global threat indicators. PTX-202 states that Stealthwatch “correlates local traffic models with global threat behaviors to give you rich threat context around network traffic . . . and applies encrypted traffic analytics to enhance NetFlow analysis.” PTX-202 at 242. Therefore, it is clear that Stealthwatch uses the NetFlow information within the network to correlate those records to global threat indicators. However, this is not the only use of correlation that Stealthwatch uses in its operation. In order to make use of behavioral analytics, Stealthwatch correlates NetFlow that passes through network devices to create a baseline of normal types of traffic that would pass through the network. This correlation occurs between both NetFlow and other logs provided to Stealthwatch in the form of WebFlow telemetry through the use of Syslog. Therefore, along with matching threats to global threat indicators, Stealthwatch can also detect threats based on abnormal activity that occurs within the network. For example, a large amount of data being transported throughout the network at a time where an office is closed or not conducting business would send up an alert that something malicious may be afoot. Cisco’s technical guide for configuring Netflow and Stealthwatch, PTX-569, illustrates how Stealthwatch “[c]reates a baseline of normal behavior” and “correlates threat behaviors seen in the local environment with those seen globally.” 77 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 78 of 178 PageID# 23964 PTX-569 Cisco Technical Guide for Configuring and Troubleshooting NetFlow for Cisco Stealthwatch from 2018* *The heading in the blue box above states ‘Collect and analyze telemetry’. PTX-569 at 272. This process would require Stealthwatch to correlate NetFlow within the network between multiple devices in order to recognize normal traffic patterns within the network. Accordingly, it is axiomatic that Stealthwatch could then provision rules to stop threats that are detected based on internal network NetFlow correlation with or without global threat indicators. PTX-595 at 179. Therefore, the Court FINDS by a preponderance of the evidence that 78 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 79 of 178 PageID# 23965 Stealthwatch performs the exact type of correlation and provisioning of rules in response to correlations required by the ‘176 Patent. iii. Findings of Fact Regarding Validity 19. The priority date of the ‘176 Patent is February 10, 2015. JTX-4. 20. Sometime in 2012 or 2013, Cisco released and marketed a system known as the Cyber Threat Defense Solution. This system was a collection of Cisco switches and routers, the Identity Services Engine and Lancope’s Stealthwatch. Compare Tr. 2430:1-3; DTX-311 with Tr. 2485:5-10; DTX-664 at 004. 21. Cisco asserts its Cyber Threat Defense Solution, using an older version of Stealthwatch, as the prior art that renders the ‘176 Patent invalid. DTX-311; DTX-312; DTX-343; DTX-463 (All documents from pre-2017). 22. The asserted prior art system leverages Cisco networking technology, including NetFlow, Identity Services Engine, and Stealthwatch. The Stealthwatch version asserted as prior art is version 6.5.4. Tr. 2344:22. This version of Stealthwatch incorporated Stealthwatch Labs Intelligence Center (“SLIC”) threat intelligence information, which contained human collected threat indicators. Tr. 3153:14-19; DTX-312 at 001. 23. Old Stealthwatch was able to automatically respond to alarms generated by worms, viruses and internal policy violations. DTX-463 at 014 (noting Stealthwatch responds to alarms). There is no indication in the pre-2017 documents that Stealthwatch issued rules in response to correlations of NetFlow. 24. Cisco Stealthwatch incorporated Cognitive Threat Analytics in Stealthwatch in 2017. Tr. 2342:6-7. In version 7.0.0 of Stealthwatch released in 2019, CTA was improved with 79 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 80 of 178 PageID# 23966 the ability to leverage threat detection from the analysis of WebFlow, produced by Syslogs, and NetFlow telemetry by correlating the data. PTX-1893 at 011. 25. In response to these correlations, new Stealthwatch creates a baseline of normal traffic behavior within the network. Based on these normal patterns and known threat indicators, Stealthwatch, using CTA, employs a funnel of analytical techniques to detect advanced threats. PTX-569 at 272; PTX-584 at 402 (post-2017 documents). 26. Stealthwatch, in response to suspicious activity or threats, allows the Identity Services Engine or Stealthwatch Management Console to provision rules to proactively stop that threat. Tr. 1002:13-1003:21; PTX-1089 (showing the use of the Adaptive Network Control (“ANC”) to implement rules). The new ANC, which replaced the old quarantine functionality, operates by applying new policies and changing individual user’s authorization on the network according to rules and policies configured by the Identity Services Engine in response to correlated threats on the network. PTX-595 at 179; Tr. 1005:10-19. Both Identity Services Engine and the Stealthwatch Management Console operate in this fashion. Tr. 1006:19-1007:5. iv. Conclusions of Law Regarding Validity Dr. Almeroth opined that the ‘176 Patent is invalid for anticipation, obviousness, and based on written description. Turning first to obviousness, Dr. Almeroth averred, by using Dr. Cole’s testimony, that all of the infringing functionality of the Cisco products is present in the prior art, particularly the Cisco Cyber Threat Defense System. Tr. 2304:9-20. Specifically, Dr. Almeroth contended that prior to the priority date of the ‘176 Patent, Stealthwatch was able to “raise alarms, and then be able to generate and provision rules [based on] the routers and switches exporting NetFlow in combination with Stealthwatch.” Tr. 2305:2-5. The Court disagrees with Dr. Almeroth’s characterization. 80 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 81 of 178 PageID# 23967 Dr. Jaegar, Centripetal’s validity expert in his rebuttal testimony, highlights that the prior art confirms that the old Stealthwatch system is designed as a visibility system allowing administrators to view traffic in the network: Q. How do they characterize the old Stealthwatch Management Console? A. Well, I would characterize the old Stealthwatch systems, Stealthwatch Management Console, or SMC as its shown here, as the core visibility component of the old Stealthwatch system. This is the component that does the showing of information about flows in your network. And as you can see in the bottom paragraph, it talks about administrators, and so this SMC or Stealthwatch Management Console is designed for administrators to be able to look at what’s going on in their networks. Tr. 3152:13-22. The technical documents, from 2014, confirm Dr. Jaegar’s opinion highlighting that [t]he Stealthwatch system by Lancope is a leading solution for network visibility and security intelligence . . . .” PTX-343 at 001. Stealthwatch operates by providing “in-depth visibility and security context needed to thwart evolving threats . . . [and] quickly zooms in on any unusual behavior, immediately sending an alarm to the SMC . . . .” PTX-343. Additionally, the old Stealthwatch operated in response to these alarms. Dr. Jaegar opined: Q. Could you give us your memory of Dr. Almeroth’s testimony and why you disagree with it? A. My recollection is that he was saying that this shows that this adaptable mitigation that’s responsive to alarms, this would satisfy the responsive to correlation limitation. Q. And why do you disagree with his interpretation of this? A. Well, it specifically says in the first sentence that “Lancope customers can direct the Stealthwatch appliance to automatically respond to alarms generated by worms, viruses and internal policy violations.” And so this indicates that the, any -- any addition or automation or -- well, activation, I guess is the word I’m looking for -of these mitigation actions in the old Stealthwatch system is done in response to alarms being triggered and not in response to correlation of logs as is required by the claims. And my understanding is that previous inter partes reviews found that technology that only discloses being responsive to alarms rather than responsive to 81 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 82 of 178 PageID# 23968 correlation of log entries as required by the claim elements, that doesn’t satisfy the responsive to correlation claim element. Tr. 3154:6-25; see DTX-463 at 014. The post-2017 documents illustrate that the generation of rules responsive to correlations was an added functionality with the addition of CTA into Stealthwatch. The release notes for Version 7.0.0 of Stealthwatch, PTX-1893, contain a section titled “What’s New” which shows the additions made to Stealthwatch in this version. PTX-1893 at 011. In this section, the technical document indicates that “CTA can now leverage detections from the analysis of WebFlow telemetry to improve the efficacy of analyzing NetFlow telemetry from Stealthwatch. This is accomplished by the system through correlation of both telemetry types.” PTX-1893 at 011 (a technical document from 2019 showing this type of correlation is an enhancement to the Cognitive engine). Cisco identifies that this technology increases the number of both confirmed and detected threats in the network. Id. Cisco’s presentation on the incorporation of CTA into Stealthwatch shows that the technology “uses the Proxy ingestion feature to consume Syslog information sent from proxy sources . . . [and] then correlate the received syslog and relates it to the flows collected from network devices before and after the proxy . . . .” PTX-1065 at 005 (November 2017 document). This same document highlights that “[b]ringing CTA and Stealthwatch detection together gives us unique ability to combine our local and global detection capabilities.” Id. In response to the local correlations of WebFlow and NetFlow, new Stealthwatch can provision Adaptative Network Control policies based on the identification of behavioral anomalies. See PTX-569 at 272; PTX-595 at 179 (a technical document from 2019 showing how “ANC policies have replaced the previous quarantine and unquarantine feature”). Accordingly, Cisco has failed to present clear and convincing evidence that the “correlate” and “responsive to” functionality was in the Cisco prior art system. Therefore, the prior art does not render the asserted claims anticipated or obvious. 82 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 83 of 178 PageID# 23969 Switching to Cisco’s argument regarding written description. Dr. Almeroth opined that the specification does not disclose to a person skilled in the art that the inventors were in possession of the invention that is covered by the scope of the claims that is alleged in Centripetal’s infringement allegations. Tr. 2333:2-8. He avers that the ‘176 Patent is invalid because the specification of the ‘176 Patent contains no description of Cognitive Threat Analytics, machine learning, artificial intelligence, integrating threat feeds, or NetFlow. Tr. 2333:22-2334:12. The Court FINDS that both the challenged “correlate” and “responsive to” claim elements are adequately disclosed in the specification to meet the written description requirement. Dr. Jaegar opined that a person skilled in the art would be able to look at column 8, lines 46 through 63 of the ‘176 Patent specification and determine that the invention “utilize[s] logs to correlate packets transmitted by one or more network devices with packets received by one or more network devices.” Tr. 3155:16-18; see JTX-3 at col. 8 ln. 46-63. Additionally, for the “responsive to” element, Dr. Jaegar points to column 12, line 55 through column 13, line 13. This section of the specification clearly shows that the invention identifies hosts associated with malicious entities and communicates messages identifying that host. JTX-3 at col. 12 ln. 55 – col. 13 ln. 13. Further, the specification notes that this process occurs in response to the correlation of data, as described in column 8, lines 46 through 63 of the specification. Tr. 3156:9-3157:14. Based on these sections of the specification, the Court finds that a person skilled in the art would have been in possession of the invention at issue. Accordingly, the Court FINDS that Cisco has not proven by clear and convincing evidence that the ‘176 Patent was anticipated, obvious or lacked sufficient written description. 83 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 84 of 178 PageID# 23970 C. THE ‘193 PATENT i. Findings of Fact Regarding Infringement 1. The ‘193 Patent was informally known throughout the trial as the “Forward or Drop / Exfiltration Patent.” Tr. 2356: 2-6. 2. The ‘193 Patent was issued on June 20, 2017. JTX-4. The ‘193 Patent was filed on February 18, 2015 as a continuation of application No.13/795,882, giving the ‘193 Patent a priority date of March 12, 2013. JTX-4. 3. The asserted claims of the ‘193 Patent are Claims 18 and 19. Doc. 411. Claims 18 and 19 are, respectively, a packet filtering system and computer readable media claim. 4. Claim 18 is laid out below: A system comprising: at least one processor; and a memory storing instructions that when executed by the at least one processor cause the system to: receive, from a computing device located in a first network, a plurality of packets wherein the plurality of packets comprises a first portion of packets and a second portion of packets; responsive to a determination that the first portion of packets comprises data corresponding to criteria specified by one or more packet-filtering rules configured to prevent a particular type of data transfer from the first network to a second network, wherein the data indicates that the first portion of packets is destined for the second network: apply, to each packet in the first portion of packets, a first operator, specified by the one or more packet-filtering rules, configured to drop packets associated with the particular type of data transfer; and drop each packet in the first portion of packets; and responsive to a determination that the second portion of packets comprises data that does not correspond to the criteria, wherein the data indicates that the second portion of packets is destined for a third network: 84 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 85 of 178 PageID# 23971 apply, to each packet in the second portion of packets, and without applying the one or more packet-filtering rules configured to prevent the particular type of data transfer from the first network to the second network, a second operator configured to forward packets not associated with the particular type of data transfer toward the third network; and forward each packet in the second portion of packets toward the third network. JTX-4. 5. Claim 19 is identical to Claim 18 in every respect except it is a computer readable media claim. Claim 19 substitutes the introductory language of Claim 18, “A system comprising: at least one processor; and a memory storing instructions that when executed by the at least one processor cause the system to . . .”, with “[o]ne or more non-transitory computer-readable media comprising instructions that when executed by one or more computing devices cause the one or more computing devices to: . . . .” JTX-4; see Tr. 472:21. For purposes of infringement, the parties treated Claims 18 and 19 the same. 6. Dr. Sean Moore, one of the inventors of the ‘193 Patent, testified that the technology claimed in the patent centered around preventing the exfiltration of confidential data by cyber criminals. Tr. 343:14-16. 7. Centripetal’s expert, Dr. Mitzenmacher, defined the asserted claims of the ‘193 Patent as being related to the process of forwarding and dropping packets related to preventing exfiltrations. Tr. 465:18-21. Additionally, Dr. Mitzenmacher opined that the ‘193 Patent applies to the prevention of many different types of data exfiltration. Tr. 467:14-468:17. 8. As previously noted, exfiltration can occur in the context of cyber criminals hacking into the network and stealing data, but it also can occur within networks internally. For example, within one large corporate network there are many different departments or subnetworks, such as finance and human resources. See Tr. 490:17-25. It is common within these multi-departmental 85 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 86 of 178 PageID# 23972 companies that certain departments have access to confidential materials, while for others that access is restricted. 9. Accordingly, the network must restrict the ability of packets with this sensitive information to travel to unauthorized internal departments and external networks, while also allowing packets with no sensitive information to be freely transmitted to other employees within the network. Tr. 467:14-468:17. Therefore, the ‘193 Patent specifically identifies a process by which rules can be enabled to filter packets of data depending on the type of data transfer that is being transmitted throughout the network. Tr. 468:21-469:9. 10. Centripetal accuses Cisco’s Catalyst 9000 series switches, the Aggregation Services Router 1000 series routers and Integration Services Router 1000 and 4000 series routers of infringing Claims 18 and 19 of the ‘193 Patent. Tr. 433:20-434:1. 11. The accused Cisco’s switches and routers share the same operating system known as IOS XE. Tr. 448:11-24; 449:19-450:4; PTX-242 at 816, 817. 12. Cisco compiles the source code that operates the accused switches and routers in the United States. Tr. 462:5-463:18, 464:4-14; PTX-1409 at 5-6. 13. The accused switches and routers contain processors and memory that stores software instructions. Tr. 477:12-478:14, 484:13-485:3; PTX-1303 at 056. One of the processers within the accused Cisco devices are programmable Applied Specific Interred Circuits (“ASIC”), known as Unified Access Data Planes (“UADP”). Tr. 477:24-478:5; PTX-1262 at 994. This type of processer is commonly referred to as a UADP ASIC. Tr. 477:24-478:5; PTX-1262 at 994; PTX1390 at 029. 14. In their operation, the processors work within the accused Cisco switches and routers to receive and transmit packets across a network. 86 PTX-1276 at 216 (2011 Cisco Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 87 of 178 PageID# 23973 document); Tr. 488:1-489:3. During the transmission of packets, the operating system (“IOS XE”), working in conjunction with UADP ASICs, apply a variety of different rules to packets to determine if the packet should be permitted or dropped. PTX-1276 at 215-16. 5 15. Access Control Lists (“ACL”) are often applied to packets on ingress into the device and egress out of the device. PTX-1276 at 215-16. To simplify the process of applying rules, Cisco’s IOS XE utilizes a specific method where labels are applied to packets based on their source or destination. These labels are known as Secure Group Tag / Scalable Group Tag (“SGT”). 6 Tr. 494:12-24; see PTX-1276 at 211. 16. SGTs are attached to categorize packets into different numerical groupings based on information such as the packet’s source IP, destination IP and/or both. PTX-1280 at 021. SGT can also be based on other information that is included in the 5-tuple, such as source port, destination port and protocol. Tr. 2400:24-25 (Dr. Crovella, Cisco’s expert witness, highlighting that a quarantine rule has the ability to look at all information in the 5-tuple), 2404:4 (“[t]he quarantine rule only looks at the 5-tuple…”). 17. As packets enter the switch and router, they perform an initial check to see if there is a specific source SGT attached to each packet that is entering through the switch or router. Tr. 2421:2-8. 18. After the initial check, the switch and/or router applies an initial collection of rules known as a Group Access Control List (“GACL”). A Security Group ACL (“SGACL”) is an 5 The technical document for the switch and router operating system shows that the switches and routers support the application of multiple different ACL rule sets including: Port ACL (“PACL”); Vlan ACL (“VACL”); Router ACL (“RACL”); Client Group ACL (“CGACL”); Security Group ACL or Role Based ACL (“SGACL or RBACL”). PTX1276 at 215. 6 Cisco’s non-infringement expert, Dr. Crovella, confirmed that Secure Group Tag and Scalable Group Tag are in fact the same. Different names are being used at different times because of a marketing change. Tr. 2420:17. 87 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 88 of 178 PageID# 23974 example of a GACL that blocks or permits packets specifically based on SGTs. Tr. 2389:1-3. PTX1276 at 215-16; see Tr. 2423:9-15. 19. On a packet’s ingress into the device, the switch and/or router applies an input SGACL based upon the SGT associated with the source of where the packet was transmitted from. Tr. 2389:1-8; see PTX-1288 at 012 (showing input GACL applied based on ingress client); see also PTX-1276 at 216; PTX-1390 at 86 (2019 document). 20. On a packet’s egress out of a device, the switch and/or router applies an output SGACL based upon the SGT associated with the source, and drops or transmits packets based upon the destination of the packets. Tr. 2389:15-19; see PTX-1288 at 012 (showing output GACL applied based on egress client); see also PTX-1276 at 216; PTX-1390 at 86 (2019 document). 21. Cisco’s expert, Dr. Crovella, confirms that SGACLs are applied on a packet ingress into the switch and/or router and applied on a packet’s egress out of the router and/or switch. Tr. 2389:15-19, 2399:22; PTX-1288 at 012. 22. This SGACL rule-based packet blocking by comparing SGTs is more commonly referred to by Cisco as the quarantine rule. Tr. 2383:12-19, 2423:9-15 (Dr. Crovella noting that other ACLs besides the SGACL are not accused). 23. The quarantine rule operates to block or allow packets that are being transmitted throughout the network. Tr. 494:3-495:14, 496:17-497:13, 536: 24-25, 2419:3-15; see PTX-1262 at 999. 24. The switch and/or router determines whether the packet should be permitted or blocked based on the SGT assigned to that particular source. Tr. 535:10-17; PTX-1280 at 21; see PTX-1262 at 999. This process is completed by the switch and/or router by applying operators, 88 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 89 of 178 PageID# 23975 such as permit or deny, to incoming and exiting packets based upon their assigned SGT. Tr. 531:18-21; PTX-1280 at 021. 22. 25. If a packet’s SGT is not correlated to a SGACL rule on either ingress or egress, then a permit operator is applied to the packet, and it is permitted to be transmitted through the router or switch on to its destination. Tr. 542:17-24; PTX-1288 at 012. But if an SGT matches one of the SGACL rules because of an unpermitted source or destination, a deny operator is applied, and subsequently the packet will be blocked. Tr. 545:8-546:12, 548:11-19; PTX-1288 at 012. 26. In their presentation of evidence, Cisco has failed to cite any technical document produced post June 20, 2017. Cisco relies on ex post facto animations which were designed for litigation, and do not accurately portray the current functionality of the accused products. 27. Cisco has not called any witness who authored any of the Cisco technical documents relied upon by Centripetal in their infringement case. ii. Conclusions of Law Regarding Infringement Based on the Court’s factual findings, Centripetal has proven by a preponderance of the evidence that the Cisco’s Catalyst 9000 series switches, the Aggregation Services Router 1000 series routers and Integration Services Router 1000 and 4000 series routers literally INFRINGE Claims 18 and 19 of the ‘193 Patent. Cisco’s expert on the ‘193 Patent, Dr. Mark Crovella testified: I was asked to consider whether the ‘193 patent was infringed by the accused Cisco technology, I was asked whether it should be considered valid in light of the prior art, and I was also asked about potential damages if we were to assume that it were valid and infringed, whether there were significant benefits over the prior art. Tr. 2349:18-24. Dr. Crovella advanced two theories in his non-infringement opinion. First, that the function which is referred to as a “quarantine” blocks all traffic from a source computer and does not block a “particular data transfer,” as required by the language in the claim. Second, he 89 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 90 of 178 PageID# 23976 averred that Stealthwatch, using NetFlow, cannot identify exfiltrations until it is too late to drop the packet. As to the first theory, Dr. Crovella admits on cross examination to the “two stage” process. This testimony, coupled with Cisco’s technical information from PTX-1284 and PTX-1326, prove that the accused switches and routers have been aided with Cisco’s Identity Services Engine to measure the vulnerability level of individual network risk and assign roles to certain devices based on this analysis. Walking through the operation of the accused products illustrates that the Cisco system operates in a two-stage process that meets the functionality required by the asserted claims. The Cisco packet-filtering system operates by using the Identity Services Engine to assign certain endpoint devices “roles” that determine what type of packets may be sent and/or received by that specific endpoint computer. PTX-1326. Therefore, the Identity Services Engine has the ability to monitor levels of vulnerabilities based on the packets that are being transmitted by switches and routers in the network, and to adjust the permissions based on real-time network operations. As a general example, the Cisco system operates by limiting a computer located in a first network from accessing sensitive data in a protected network, while simultaneously allowing unsensitive data to be accessed. In this manner, packets from the computer in the first network may be allowed to access unprotected resources on the larger internet, but would be restricted from transmitting packets containing secure information. This is shown by Cisco’s technical demonstration, PTX-563: 90 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 91 of 178 PageID# 23977 PTX-563 Cisco Technical Presentation on Rapid Threat Containment from 2018 The accused switches and routers are the specific network devices used to institute this packet filtering system. In their operation, the accused products receive different portions of packets from a first computing network. PTX-1276 at 216. Upon entry into an accused device, each packet is assigned a Scalable/Security Group Tag (“SGT”). The SGT that is attached to each packet is based on the role and/or privileges that is assigned to that specific endpoint computer. Therefore, SGTs, at their most basic level, are assigned to packets based on where the packet is being transmitted from and/or the destination of the transmitted packet. In this manner, the 5-tuple information in the header of the packet, such as the source of the packet’s origin and/or the destination to which it is being transmitted, is the operative data being used to determine the packet’s SGT. This assignment of SGT to packets as they enter the switch or router is the first step in the operation of the quarantine process. 91 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 92 of 178 PageID# 23978 After SGT attachment, the switches and routers execute the second stage. The accused devices utilize specialized rules, known as SGACLs, that deal specifically with forwarding and dropping packets based on what type of SGT is attached to the packet. SGACLs are applied to packets on both ingress in and egress out of switch and/or router. See PTX-1390 at 86. On ingress, the device looks at the SGT that is associated with the source of the packets. This application of SGACLs by the device determines whether packets are allowed to be transmitted by this specific SGT. If packets are allowed to be transmitted by the specific SGT, the packets are permitted into the device where the packets would be subject to another set of SGACLs on egress. On egress, different SGACLs are applied based on the packet’s destination. Egress SGACLs determine if packets associated with this SGT can be sent to the specific destination. Centripetal’s expert, Dr. Mitzenmacher, used PTX-1326 to confirm that Cisco’s quarantine rule operates with this rule-based blocking functionality. Moreover, technical documents, such as Cisco’s Rapid Threat Containment Guide, confirm that switches and routers are programmed to “manually or automatically change your user’s access privileges when there’s suspicious activity, a threat or vulnerabilities discovered.” Tr. 527:4-17; PTX-1326 at 011. Accordingly, the accused Cisco system attaches SGT to packets, and then uses the SGACL quarantine functionality within the switches and/or routers to contain malware infected computers by blocking “access to critical data while their users can keep working on less critical applications.” PTX-1326 at 011. Thus, the Cisco system operates by blocking packets affiliated with a particular type of data transfer to a protected resource, while allowing packets unaffiliated with a protected type of data transfer to be transmitted to their final destination. In this manner, the technical documents confirm that the accused products utilize “packet filtering-rules” that operate to prevent “a particular type of data 92 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 93 of 178 PageID# 23979 transfer” from a first to second network. This functionality is shown by text and diagram included in Cisco’s technical document that outlines the operation of the quarantine feature: PTX-1326 Cisco Identity Services Engine Technical Ordering Guide from August 2019 See PTX-1326 (showing infected endpoints can be denied access to certain types of data while being allowed access to other types of data). This functionality confirms the accused devices operate in the “two-stage” process outlined by both the claims and the specification of the ‘193 Patent. The accused products perform a twostage process by first assigning SGT to packets, based upon the source and/or destination of the packets, and then applies different “operators” or functions, such as permit/deny, to those packets based on the associated packet SGT. Cisco’s infringement expert, Dr. Crovella, on cross 93 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 94 of 178 PageID# 23980 examination confirmed that the accused products perform all the functionality required to infringe the claims: Q. . . .So we have multiple steps. First, the SGT tag is checked to see if it’s present, right? A. That’s right. Q. Then, if the SGT tag is present and it says, “quarantine,” then a quarantine policy is applied, correct? A. That’s right. Q. If the quarantine policy is applied, you check the destination, and if the destination is a protected resource in which it says, do not allow this packet to go there, it will prevent the data transfer from going to that destination, correct? A. That is, in fact, the quarantine policy. In other words, there’s not two steps there. A quarantine policy is, in fact, checking the destination. Q. Okay. And if it says, block the packet, it will be prevented from the data transfer going there, right? A. That’s right. Q. If it’s not in there, and if there is a – it’s able to go through to a permitted network or permitted resource, then the packet would be allowed to go through by the switch or the router. Isn’t that right? A. That’s right. Tr. 2423:19-2424:15; see PTX-563; PTX-1326. Dr. Crovella even concedes that the ‘193 Patent requires a device to “block some communication between the two networks but allow other communication to flow.” Tr. 2400:8-10. This is the exact functionality outlined by the asserted claims. This described system, without the use of Stealthwatch, can identify exfiltrations and drop packets as a result. Therefore, the Court FINDS that Cisco’s second theory of non-infringement is irrelevant to the Court’s determination because the accused system operates to block packets based 94 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 95 of 178 PageID# 23981 on the particular type of data transfer as required by the claims. Cisco’s technical documents, such as PTX-1294 and PTX-1326, demonstrate that Stealthwatch is not involved in the two stages of the infringing functionality. Accordingly, any evidence regarding Stealthwatch has no bearing on infringement for the ‘193 Patent. Based on its analysis, the Court FINDS that the packet filtering system instituted by the accused products infringes Claim 18 and 19 of the ‘193 Patent. iii. Findings of Fact Regarding Validity 28. The priority date of the ‘193 Patent is March 12, 2013. JTX-4. 29. Sometime in 2012 or 2013, Cisco released and marketed a system known as the Cyber Threat Defense Solution. This system was a collection of Cisco switches and routers, the Identity Services Engine and Lancope’s Stealthwatch. Compare Tr. 2430:1-3; DTX-311 with Tr. 2485:5-10; DTX-664 at 004. 30. Cisco asserts the Cyber Threat Defense Solution as the prior art that renders the ‘193 Patent invalid. DTX-311. 31. Switches and routers within Cisco’s Cyber Threat Defense Solution both received packets and created records of packet flows using Cisco’s proprietary logging system known as NetFlow. DTX-311 at 004. 32. The Cyber Threat Defense Solution operates by analyzing NetFlow data and inspecting that data for exfiltrations in the network. DTX-588 at 002. 33. The Cyber Threat Defense Solution contained a quarantine function. At that time, the quarantine function operated by completely isolating a source computer by blocking all packets sent from the computer into the network. Tr. 3011:1-9; DTX-711 at 002. Within this quarantine functionality, there is no mention of allowing access to certain resources while denying access to others. Tr. 3012:1-2. 95 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 96 of 178 PageID# 23982 34. The prior art does not contain any mention of Secure Group Tags or Identity Service Engine’s role-based quarantine functionality. See DTX-588; PTX-1193. 35. The prior art does not contain any mention of the application of operators to filter packets based on the attachment of Secure Group Tags. Tr. 3015:11-18, 3016:10-21, 3017:4-10; see DTX-588. 36. The prior art does not contain any information showing the application of SGACL to filter packets in the same manner shown by Cisco’s technical documents produced after March 12, 2013. Compare PTX-1276 at 211, 216 (showing the application of Secure Group Tags and SGACLs by the IOS-XE operating system) with PTX-1193 at 007 (showing the same diagram, but failing to make mention of any rules attached and filters based on the application of Secure Group Tags). iv. Conclusions of Law Regarding Validity For the ‘193 Patent, Cisco contends it is invalid based on anticipation by the prior art under 35 U.S.C. § 102, and based on obviousness in view of the prior art under 35 U.S.C § 103. First, Cisco has presented no compelling evidence that the alleged prior art system, the Cisco Cyber Threat Defense Solution, operates in a two-stage filtering process, as illustrated by the claims of the ‘193 Patent. See DTX-311. The most complete version of prior art, the Cisco Cyber Threat Defense Solution 1.0 Design and Implementation Guide, makes no mention of the attachment of Secure Group Tags or the application of operators to filter portions of packets based on that packet information. Throughout Dr. Crovella’s testimony, there is clear reliance on multiple prior art references to prove the invalidity case. For those reasons, it is apparent that a single prior art fails to contain all elements of the claimed invention, and Cisco has failed to show anticipation by clear and convincing evidence. 96 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 97 of 178 PageID# 23983 Turning to obviousness, the prior art references advanced by Cisco do not show that a skilled artisan would have been able to combine the teachings in these technical documents and produce the patented invention. Cisco argues that the ‘193 Patent must be invalid because the previous system, that includes older versions of similar switches, routers, ISE and Stealthwatch, has had some method of quarantining and blocking functionality. However, the Court rejects Cisco’s contention that these products have operated in the same manner and functionality just because the system had preexisting baseline functionality and consistent nomenclature. The prior art makes no mention of the infringing packet filtering process. Dr. Crovella relies on PTX-588, DTX-711, DTX-311, and PTX-1193 to contend that a person skilled in the art would have combined these references in order to teach the functionality outlined in the claims of the ‘193 Patent. A review of the asserted prior art shows no mention of the Identity Services Engine packet filtering system that utilizes switches and routers to attach Secure Group Tags, apply operators and then allow certain packets to be transmitted while other packets are subsequently blocked. 7 It is that system which contains the functionality taught by the claims of the ‘193 Patent. Cisco’s own technical documents that were used to show infringing functionality are all from post-2013. See PTX-1288 at 012; PTX-1276 at 216; PTX-1280 at 21; PTX-1294; PTX-1326. Not one selection of asserted prior art shows the infringing switch and router functionality was embedded in any of the Cisco products before the ‘193 Patent’s priority date. These conclusions allow the Court to infer that the infringing functionality was added as a result of newly designed versions of the accused products that occurred after March of 2013. 7 The Patent and Trademark Office denied Inter Partes Review on the ‘193 Patent citing similar concerns regarding the operator limitation. Tr. 3013:20-3014:9; DTX-370. 97 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 98 of 178 PageID# 23984 Accordingly, the Court FINDS that Cisco has failed to present clear and convincing evidence that the prior art would allow a person skilled in the art to combine the prior art to produce a packet filtering system with the functionality taught by Claims 18 and 19 of the ‘193 Patent. D. THE ‘806 PATENT i. Findings of Fact Regarding Infringement 1. The ‘806 Patent was informally known throughout the trial as the “Rule Swap Patent.” 2. The ‘806 Patent was issued on December 1, 2015. JTX-2. The application for the ‘806 Patent was filed on January 11, 2013. 3. The asserted claims of the ‘806 Patent are Claim 9 and Claim 17. Doc. 411. Claim 9 and Claim 17 are, respectively, a system and computer readable media claim. 4. Claim 9 is laid out below: A system comprising: a plurality of processors; and a memory comprising instructions that when executed by at least one processor of the plurality of processors cause the system to: receive a first rule set and a second rule set; preprocess the first rule set and the second rule set to optimize performance of the system for processing packets in accordance with at least one of the first rule set or the second rule set; configure at least two processors of the plurality of processors to process packets in accordance with the first rule set; after preprocessing the first rule set and the second rule set and configuring the at least two processors to process packets in accordance with the first rule set, receive a plurality of packets; process, in accordance with the first rule set, a portion of the plurality of packets; signal, each processor of the at least two processors, to process packets in accordance with the second rule set; and 98 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 99 of 178 PageID# 23985 configure, each processor of the at least two processors to, responsive to being signaled to process packets in accordance with the second rule set: cease processing of one or more packets; cache the one or more packets; reconfigure to process packets in accordance with the second rule set; signal completion of reconfiguration to process packets in accordance with the second rule set; and responsive to receiving signaling that each other processor of the at least two processors has completed reconfiguration to process packets in accordance with the second rule set, process, in accordance with the second rule set, the one or more packets. JTX-2. 5. Claim 9 is identical to Claim 17 in every respect except that Claim 17 is a computer readable media claim. JTX-2. Claim 17 substitutes the introductory language of Claim 9, replacing “[a] system comprising: a plurality of processors; and a memory comprising instructions that when executed by at least one processor of the plurality of processors cause the system to:” with “[o]ne or more non-transitory computer-readable media comprising instructions that when executed by a computing system cause the computing system to:” JTX-2. For purposes of infringement, the parties treated Claims 9 and 17 the same. 6. Dr. Moore, one of the inventors of the ‘806 Patent, defined the technology in the ‘806 Patent as a process by which a network device could perform a live swap of rules without sacrificing any security concerns or dropping packets. Tr. 338:22-339-2. 7. Cyber threat intelligence is often changing, so the rules that are embedded in switches and routers need to be continually updated. Tr. 339:5-10. Therefore, the rules that are being applied need to be continually swapped out from old rules to new rules. Tr. 339:13-25. The most efficient way to do this is by swapping rules while live traffic is going through the device and without any packets being dropped. Tr. 339:13-25. 99 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 100 of 178 PageID# 23986 8. Centripetal accuses Cisco’s Catalyst 9000 series switches, the Aggregation Services Router 1000 series routers and Integration Services Router 1000 and 4000 series routers in combination with Cisco’s Digital Network Architecture of infringing Claims 9 and 17 of the ‘806 Patent. See PTX-1263 at 180 (highlighting Cisco networks are intent-based networks which provide “[p]erimeter-based, reactive security that has been supplanted by network-embedded, content-based security that reaches from the cloud to the enterprise edge”) (2019 document). 9. Additionally, Centripetal accuses Cisco’s Adaptive Security Appliance 5500 series with Firepower services and Cisco’s Firepower Appliance 1000, 2100, 4100, and 9330 series that run Firepower Threat Defense (“Cisco’s Firewalls”) with Firepower Management Center infringe Claims 9 and 17 of the ‘806 Patent. See PTX-1291 at 668 (noting the rule swapping procedures of the Cisco firewall products) (September 2017 document). 10. Cisco compiles source code for the accused switches, routers, and firewalls in the United States. Tr. 462:5-463:18, 464:4-14; PTX-1409 at 5-6. The accused products have a plurality of processors and computer memory which stores software instructions. Tr. 573:8-575:6, 642:4647:11. 11. Cisco’s Digital Network Architecture (“DNA Center”) is the management structure that allows the system to take in or utilize threat intelligence, operationalize it, and turn it into rules and policies that Cisco’s switches and routers use for security purposes. Tr. 451:3-24. 12. The DNA Center receives rule sets from various sources and preprocesses the rule sets to create optimized policies which are distributed to Cisco’s switches and routers. Tr. 575:15577:8, 579:18-580:24, 584:14-585:4, 586:15-587:18, 588:12-589:18, 2571:12-2573:8; PTX-992 at 2; PTX-1294 at 3 (2019 document). 100 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 101 of 178 PageID# 23987 13. Similar to the DNA Center, Firepower Management Center’s Threat Intelligence Director receives rule sets from various sources and preprocesses the rule sets to create optimized policies which are distributed to firewalls. Tr. 655:10-656:20, 673:21-675:5, 680:11-681:10; see Tr. 2537:3-7, 2539:11-17. 14. When new rules are available and sent to Cisco’s switches and routers by the DNA Center, the switches and routers will perform a rule swap without dropping any packets. Tr. 597:10-601:8, 606:15-608:14, 633:24-634:14; see also Tr. 2571:12-2573:8; PTX-1915; PTX-1195 at 001, 003-04. 15. Similarly, when new rules are available and sent to Cisco’s firewalls from the Firepower Management Center, Cisco’s firewalls will perform a rule swap without dropping any packets. PTX-1196 at 001, 007; Tr. 694:22-696:12, 698:8-22, 705:15-707:1. 16. Mr. Peter Jones 8, a distinguished Cisco engineer responsible for building the switching, routing and enterprise network, explained in detail how the accused products process packets and swap rules. Tr. 2543:9-11, 2561:25-2562:1. 17. Mr. Jones explained that the architecture that enables packet processing functionality within the switch and/or router is the Uniform Access Data Plane (“UADP”) processor. Tr. 2562:10-18; DTX-562 at 043. The figure below shows the core architecture in detail: 8 Mr. Jones was one of the architects for the design of the UADP processer used by Cisco’s accused switches and routers. Tr. 2549:10. He also provided multiple technical presentations regarding the operation of the UADP at many Cisco events. See DTX-562 at 006. 101 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 102 of 178 PageID# 23988 DTX-562 Cisco Technical Presentation on UADP Core Architecture in 2019 18. Mr. Jones noted that as packets arrive into a router and/or switch, they enter through the front panel ports and head into the Media Access Control Security (“MACSec”). Tr. 2567:1825. The MACSec serves as an encryption block. Tr. 2567:23. 19. The packet then moves into the Ingress FIFO. The FIFO, or First In First Out, is a small buffer that serves to order packets as they enter the device. Tr.2567:23-2568:3. 20. After the FIFO, the payload of the packet is then sent to the Packet Buffer Complex (“PBC”) for storage. Tr. 2568:4. Simultaneously, the header and address of the packet is sent to the Ingress Forwarding Controller. 21. The Ingress Forwarding Controller processes the packet by matching the header information to a variety of Access Control Lists (“ACL”) that are stored in the look-up tables. Tr. 2568:10-16. Based on those ACLs, the Ingress Forwarding Controller then decides to either drop the packet or transmit it forward. Tr. 2568:10-16. 102 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 103 of 178 PageID# 23989 22. Mr. Jones explicitly noted that if the packet is to be forwarded, it is sent to the Egress Forwarding Controller. Tr. 2568:21-24. He highlighted that the Egress Forwarding Controller operates identically to the Ingress Forwarding Controller. Tr. 2568:21-24. Therefore, for a second time on exit, the payload of the packet is sent to an egress Packet Buffer Complex while the header is sent to the Egress Forwarding Controller. Tr. 2568:21-24; PTX-1390 at 86. 23. It is in the Egress Forwarding Controller that the packet headers are again compared to ACLs that are located in the look-up tables. Tr. 2568:21-24. On egress, the packet can be dropped or further transmitted. Tr. 2568:21-24; PTX-1390 at 86. 24. If the packet is transmitted, it goes through an Egress FIFO, an Egress MACSec, and then out a port on the device. Tr. 2569:1-4. 25. Mr. Jones noted that the UADP operates on its own fixed time pipeline, meaning there will be a packet processed every two or four internal clock periods. The internal clock periods are not set to a normal time scale, but operate in milliseconds. Tr. 2554:22-24. 26. The accused products contain a new FED 2.0 Hitless ACL update. Tr. 3550:18-25. Mr. Jones testified that before the 2.0 Atomic Hitless feature was added to the accused products, performing rule swaps often resulted in a discard of a number of packets. Tr. 2552:20-23. Therefore, the new 2.0 Hitless version updated the products so that new ACLs can be placed into the device and be activated without displacing packet processing. Tr. 2551:2-5; PTX-1303 at 073. Compare the older ACL Process: 103 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 104 of 178 PageID# 23990 PTX-1195 at 003 Cisco FED 2.0 Hitless ACL Update Software Functional Specification 9 from July 2017 PTX-1195 at 003. 9 The 2.1 in front of Current ACL Change Flow within Exhibit PTX-1195 does not refer to a version number, but this is a numerical heading within the document. 104 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 105 of 178 PageID# 23991 With the new 2.0 Hitless ACL Update: PTX-1195 at 003 Cisco FED 2.0 Hitless ACL Update Software Functional Specification from July 2017 10 10 The 2.2 in front of Hitless (Atomic) ACL Change Flow within Exhibit PTX-1195 does not refer to a version number, but this is a numerical heading within the document. 105 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 106 of 178 PageID# 23992 In the same Cisco software technical specification, the requirements of the software dictate that “there will be a short period where both sets of VMR (“Virtual Media Recorder”) rule entries will be installed before the old entries are deleted.” See PTX-1195 at 003. Here is a copy of those Software Requirements: PTX-1195 at 003 Cisco FED 2.0 Hitless ACL Update Software Functional Specification from July 2017 27. ACLs are sent to switches and/or routers from a variety of sources - including Cisco’s Digital Network Architecture. Tr. 2571:12-17. In order to use the rules, the switches and routers must compile them. Tr. 2571:18-21. Accordingly, the DNA Center begins the process by signaling the switches and routers to perform a swap from old to new ACLs. Tr. 2572:14-17. 28. While the ACLs are being compiled within the device, the device uses the old rule set to process packets. Tr. 2571:22-2572:1. The device, after compilation is finished, then signals the processor to begin processing packets with the new updated ACL rule set. Tr. 2572:2-6. 29. This swap of ACL rules within the device occurs in the middle of the two to four clock cycles, when the device is operating in idle and there is no processing of packets. Tr. 2572:10-13. Accordingly, there is a short period where the VMR contains both sets of new and old rules will be installed before the old rules are cleared. See PTX-1195 at 003-04. 106 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 107 of 178 PageID# 23993 30. After the swap is complete, the device performs a memory write and shows a return success function to the end user. Tr. 2573:5-8. 31. After the return is complete, packets are then processed with the newly updated second rule set. Tr. 2572:14-17. 32. Cisco’s expert has failed to cite any technical document produced post June 20, 2017. Cisco’s expert witness relies on animations, produced ex post facto, which were designed for litigation and do not accurately portray the current functionality of the accused products. Exhibit DTX-562, which was altered from its original form as cited by Cisco’s employee Mr. Jones, had emphasis added to it to exclude egress from the presentation of Cisco’s expert Dr. Reddy. See supra sec. IV. Overview of the Evidence (discussing Dr. Reddy’s animations). 33. Cisco has not called any witness who authored any of the Cisco technical documents relied upon by Centripetal in their infringement case. ii. Conclusions of Law Regarding Infringement Based on the Court’s factual findings, Centripetal has proven by a preponderance of the evidence that the Cisco’s Catalyst 9000 series switches, the Aggregation Services Router 1000 series routers and Integration Services Router 1000 and 4000 series routers in combination with Cisco’s Digital Network Architecture literally INFRINGE Claims 9 and 17 of the ‘806 Patent. Additionally, the Court FINDS Cisco’s Adaptive Security Appliance 5500 series with Firepower services and Cisco’s Firepower Appliance 1000, 2100, 4100, and 9330 series that run Firepower Threat Defense (“Cisco’s Firewalls”) with Firepower Management Center literally INFRINGE Claims 9 and 17 of the ‘806 Patent. For Cisco, Dr. Narasimha Reddy testified regarding the ‘806 Patent as to infringement, validity and damages. Dr. Reddy opined that: 107 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 108 of 178 PageID# 23994 The accused product combinations do not infringe the ‘806 [P]atent. Secondly, if the Court were to find that the accused product combinations infringe, the asserted claims are invalid on existing prior art of Cisco before the patents were filed. And for damages, assuming that the products are found to be infringing and that the claims are valid, the contribution of the patent claims are minimal. Tr. 2580:15-23. Dr. Reddy advances three theories of non-infringement for the ‘806 Patent. He avers that the accused products: (1) do not cease processing of packets responsive to a signal; (2) do not cache the packets responsive to a signal; and (3) do not reprocess packets according to a second rule set. To prove that the products do not perform this functionality as required by the claims, Dr. Reddy relied on an animation produced for litigation that directly contradicts Cisco’s own employee testimony and Cisco’s own technical documents. Using this animation, Dr. Reddy opined that the Cisco products never cache or cease processing packets during a rule swap. Tr. 2610-2-8. Turning to the first theory, Cisco employee, Peter Jones, testified that in the operation of packet processing, Cisco’s switches and routers will store packets in a part of the UADP ASIC processor known as the Packet Buffer Complex (“PBC”). The PBC operates as a holding spot for the data in the payload of the packet while the header information is forwarded to another part of the processor for the application of rules. This operation in the Cisco switches and routers is designed to maximize the speed and efficiency of packet processing through software. Tr. 622:1618. Dr. Mitzenmacher highlights that computer scientists use the term buffer and cache interchangeably as a word denoting the use of memory to hold packets for a short period of time. Tr. 628:7-25. Dr. Mitzenmacher referenced that a buffer is a “memory that holds something . . . [o]ften for future use.” In reference to the Court’s question about defining a cache, Dr. Mitzenmacher gave a similar definition of cache in the following exchange: Q. What’s a cache? 108 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 109 of 178 PageID# 23995 A. A cache is also often used, is used in the same way as a memory for holding things. They’re very similar. And with a cache you don’t typically or necessarily have an ordering associated with it. I mean, it can have an ordering, but it doesn’t have to. But a cache is typically used as a memory that holds information that you expect to be using in the near future. Tr. 836:17-23. Martin Hughes, a Cisco Engineer, confirmed Dr. Mitzenmacher’s opinion that a packet buffer is a cache. Mr. Hughes was asked: Q. When the router products receive a packet, do router products store the packet in the cache? A. All products have packet buffers where packets are stored before processing. DTX-1650; see Tr. 628:3-25, 866:8-22. Based on this testimony, it is apparent that the Packet Buffer Complex within the accused switches and routers clearly acts as a memory storage to hold packet information for further use, and therefore performs the same function of a cache, however, Cisco uses a different nomenclature, calling it a packet buffer. Tr. 836:17-23. Accordingly, in the course of packet processing, the accused devices store packets in a cache as required by the claims. As their second theory of non-infringement, Cisco advances that the accused products do not cease processing of packets in response to a rule swap. Mr. Jones, a Cisco Engineer, testified contrary to this assertion. He explained that the newly compiled rules are swapped for the old rules in-between the two to four clock periods that occur within the switches and routers. This swap occurs directly during an idle period where the accused switches and routers are not processing any packets. Tr. 2572:10-20. Therefore, it is apparent that the switches and routers do cease packet processing, at least momentarily, to implement the newly compiled rule set. With regard to both of these theories, Cisco argues that because this process is the normal processing functionality of the accused products, Cisco cannot in theory infringe the claims of the ‘806 Patent. The Court disagrees with Cisco’s argument. It is true that the Cisco products do cache and cease processing packets during their normal packet processing operation. However, Cisco 109 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 110 of 178 PageID# 23996 has implemented the rule swap functionality outlined in the ‘806 Patent to greatly improve the security functionality of its products without dropping packets. The devices, in response to an initial signal, operate to stop processing packets during an idle period, and during the idle period, unprocessed packets are cached within the Packet Buffer Complex. This process is the exact functionality as described by the cease and cache elements of the ‘806 Patent. Lastly, Cisco argues that packets are not reprocessed by a second rule set as required by the claims. First, Cisco is incorrect when it states the claims require a reprocess of packets. The claims clearly state that all that is required is a process through a second rule set. JTX-2. In other words, packets must just be processed by the second rule set – not processed a first time then reprocessed as Cisco suggests. Second, Cisco’s non-infringement expert, Dr. Reddy, does not opine upon or even discuss the egress portion of a packet’s transmission through a switch, router or firewall. Mr. Jones and Cisco’s technical documents confirm that the accused devices apply rules on both ingress into the device and on egress out of the device. Therefore, in their operation, the devices are configured to apply one set of rules on ingress while the very same packet would be subject to a second set of rules on egress within the same device. This process would meet the claim language of the ‘806 Patent to process packets with a first rule set and then in accordance with a second rule set. Accordingly, the accused products practice every claim limitation in Claims 9 and 17 of the ‘806 Patent. Therefore, the Court FINDS the rule swap system instituted by the accused Cisco products literally infringe Claims 9 and 17 of the ‘806 Patent. 110 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 111 of 178 PageID# 23997 iii. Findings of Fact Regarding Validity 34. The priority date of the ‘806 Patent is January 11, 2013. 35. Cisco asserts the functionality from a previous Cisco switch, the Catalyst 6500, and the Cisco Prime Network Control System as prior art for the ‘806 Patent. Tr. 3023:23-25. 36. The prior art functionality asserted within the Catalyst 6500 contains the older version of the Atomic ACL Hitless Update. 37. The Atomic ACL Hitless Update, within the Catalyst 6500 switch, operates by adding a new Access Control List (“ACL”) in the Ternary Content-Addressable Memory (“TCAM”) alongside the old ACL, and merging the two lists together. DTX-686 at 001. This process often overwhelms the TCAM and causes packets to be unintentionally dropped. See DTX-686 at 037038. 38. The Atomic ACL Hitless Update was updated to the FED 2.0 version in 2017. PTX- 1195 at 001; Tr. 3036:12-3037:4. The FED 2.0 Hitless Atomic ACL Update Software Functional Specification shows the differences between the older version of Hitless and the new 2.0 version. PTX-1195 at 002-03; Tr. 3040:2-3042:20. The newer version is accused of infringement by Dr. Mitzenmacher within the Catalyst 9000 switches and accused routers. Tr. 3035:15-25. 39. The older version of Hitless operated by completely stopping the system, eliminating ACLs, merging and replacing those ACLs, then reactivating the processing system. Tr. 3034:23-3035:2. This system resulted in overlap between the old rules and the new rules within the TCAM. This caused packets to be dropped because old ACLs were being applied alongside the new ACLs, causing conflict and disruption. Tr. 3035:3-15, 3040:2-12; see PTX-1195 at 003. 111 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 112 of 178 PageID# 23998 40. The 2.0 Atomic ACL Hitless Update modified the process by eliminating the overlap and implementing rapid swap and replacement of the old ACLs with updated ACLs. Tr. 3041:7-18; see PTX-1195 (technical document from July 2017). 41. Cisco Prime Network Control System’s Release Notes show that Prime operated by monitoring and troubleshooting support for a maximum of packets through the 5000 series Cisco Catalyst switches, allowing viability into critical performance metrics for interfaces, ports endpoints, users and basic switch inventory. DTX-525 at 002. The Release Notes for Prime and Dr. Reddy’s testimony contains no mention of the preprocessing of rules or allowing switches to receive rules sent by Prime. Tr. 3043:10-24; see DTX-525 at 002. There is no evidence that the predecessor 6500 series switch, aided with Cisco Prime, could swap new rules for the old, as opposed to merging old and new rules together. iv. Conclusions of Law Regarding Validity Cisco asserts that the asserted claims of the ‘806 Patent are anticipated and/or are obvious based on the Atomic ACL Hitless Update in the Cisco Catalyst 6500 Supervisor Engine 2T and the Cisco Prime Network Control System. Tr. 2656:5-2657:22. Cisco’s invalidity expert, Dr. Reddy, presented various documents opining that the functionality of Claims 9 and 17 of the ‘806 Patent was included within the prior art. This Court disagrees with the conclusions of Dr. Reddy and FINDS the ‘806 Patent valid. First, the Atomic ACL Hitless Update embedded within the Catalyst 6500 was an older and different functioning process than that which was embedded within the accused switches and routers. The accused devices contain a FED 2.0 version of the Atomic ACL Hitless Update. As evidenced by Centripetal’s expert, Dr. Orso, and PTX-1195, this 2.0 version provided a meaningful update to the system by which old ACLs were swapped for new ACLs. See PTX-1195, 112 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 113 of 178 PageID# 23999 Tr. 3040:2-3042:20. The older version of the Hitless Update, embedded in the 6500, involved merger and application of old and new ACLs that resulted in disruption of packet processing and the unintentional dropping of packets. This rule swapping technique outlined by the ‘806 Patent solved the problem that the old Hitless Update was having. See JTX-2 col. 1 (noting that the ‘806 Patent was addressing the problems faced by network devices “processing packets in accordance with an outdated rule set”). Therefore, it is axiomatic that the claimed invention would have not been obvious in the prior art because the ‘806 invention of rule swapping was the solution to the exact problem outlined by the original Hitless Update. Second, the Cisco Prime technical documents do not contain any functionality of the asserted claims for the ‘806 Patent. The only document presented by Dr. Reddy identifies that Prime provided monitoring and troubleshooting support for Cisco’s switches. There is no clear and convincing evidence from Dr. Reddy’s testimony, or this one document offered by Cisco, that Prime served a similar function as Cisco’s Digital Network Architecture. Accordingly, there is not clear and convincing evidence for the Court to find that Prime caused the Cisco devices to receive first and second rule sets as required by the claims. Therefore, both asserted prior art references fail to teach the invention as described by Claims 9 and 17 of the ‘806 Patent. Accordingly, the Court FINDS that Cisco has not proven by clear and convincing evidence that the ‘806 Patent was anticipated or obvious. E. THE ‘205 PATENT i. Findings of Fact Regarding Infringement 1. The ‘205 Patent has been commonly known as the “dynamic security policy” Patent. Tr. 432:17-20. 113 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 114 of 178 PageID# 24000 2. The ‘205 Patent was issued on September 15, 2015. JTX-1. The application for the ‘205 Patent was filed on October 22, 2012. JTX-1. 3. The asserted claims of the ‘205 Patent are Claims 63 and 77 of the ‘205 Patent. Claims 63 and Claim 77 are, respectively, a system and computer readable media claim. 4. Claim 63 is laid out below: A system, comprising: a security policy management server; and one or more packet security gateways associated with the security policy management server, wherein each packet security gateway of the one or more packet security gateways comprises computer hardware and logic configure to cause the packet security gateway to: receive, from the security policy management server, a dynamic security policy comprising at least one rule specifying a set of network addresses and a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI); receive packets associated with a network protected by the packet security gateway; perform, on the packets, on a packet by packet basis, at least one packet transformation function of multiple packet transformation functions specified by the dynamic security policy; encapsulate at least one packet of the packets that falls within the set of network addresses and matches the SIP URI with a header containing a network address that is different from a destination network address specified by the at least one packet and that corresponds to a network device configured to copy information contained in the at least one packet and to forward the at least one packet to the destination network address; and route, based on the header, the at least one packet to the network address that is different from the destination network address. JTX-1. 114 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 115 of 178 PageID# 24001 5. Claim 63 is identical to Claim 77 in every respect, except that Claim 77 is a computer readable media claim. Claim 77 substitutes the introductory language of Claim 63, replacing “[a] system, comprising: a security policy management server; and one or more packet security gateways associated with the security policy management server, wherein each packet security gateway of the one or more packet security gateways comprises computer hardware and logic configured to cause the packet security gateway to” with “[o]ne or more non-transitory computer-readable media having instructions stored thereon, that when executed, cause each packet security gateway of one or more packet security gateways associated with a security policy management server to:.” JTX-1. For purposes of infringement, the parties have treated the two claims as identical. 6. Dr. Moore, the inventor of the ‘205 Patent, characterizes the technology in the ‘205 Patent as Centripetal’s network protection system that enforces threat intelligence policies on network traffic. 7. Dr. Moore identified that there is a thriving ecosystem of companies that observe behavior on the internet and collect information on who are the cyber criminals, what computers are being controlled, and what types of attacks are being implemented. This information is collected and turned into threat intelligence. 8. Dr. Moore specifically credits the technology in the ‘205 Patent as a system for operationalizing threat intelligence into policies of rules that are uploaded into network devices to block dynamic threats. Tr. 321:5-9, 320:16-25. 9. Cisco’s expert on the ‘205 Patent, Dr. Kevin Jeffay, challenges Dr. Moore’s characterization by noting that the specific claims at issue have no relation to the blocking of malicious traffic. Instead, Dr. Jeffay characterizes the claims at issue as dealing with the 115 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 116 of 178 PageID# 24002 encapsulation, copying and forwarding of voice traffic over the internet. Tr. 2727:11-19, 2732:219. More generally, Dr. Jeffay describes the claims at issue as enabling law enforcement to potentially wiretap internet calls. Tr. 2732:13-16. 10. Centripetal accuses Cisco’s Catalyst 9000 series switches, the Aggregation Services Router 1000 series routers and Integration Services Router 1000 and 4000 series routers, in combination with Cisco’s Digital Network Architecture, of infringing Claims 63 and 77 of the ‘205 Patent. Additionally, Centripetal accuses Cisco’s Adaptive Security Appliance 5500 series with Firepower services and Cisco’s Firepower Appliance 1000, 2100, 4100, and 9330 series that run Firepower Threat Defense (“Cisco’s Firewalls”) with Firepower Management Center of infringing Claims 63 and 77 of the ‘205 Patent. Tr. 7235:16-20. 11. The accused switches, routers and firewalls have the ability to act as packet security gateways. Tr. 732:24-734:22, 735:15-20, 737:24-738:5. 12. Cisco’s Digital Network Architecture Center serves as the “foundational controller . . . at the heart of Cisco’s intent-based network . . . [and] provides a single dashboard for every fundamental management task.” PTX-1294. Accordingly, both the DNA Center and Cisco’s Firepower Management Center manage and update security policies that are employed by the accused devices. Tr. 728:21-730:9; 736:3-13; PTX-1294 at 15. 13. The accused devices process a certain type of network traffic sent by Session Initiation Protocol (“SIP”). Tr. 739:13-18, 2782:12-17; PTX-1408 at 19. SIP is one of the many protocols that is used to transmit information over the internet. Tr. 739:5-9. SIP is primarily used for the sending of voice data, but can be used for video and instant messaging. Tr. 739:5-9, 741:1524, 2729:13-19. 116 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 117 of 178 PageID# 24003 14. Each device, when making a call using SIP, has a unique identifier know as a SIP Uniform Resource Identifier (“SIP URI”) that functions similarly to a telephone number. Tr. 2729:16-23. SIP URI is embedded within SIP traffic to identify the party to the call. Tr. 2729:1623. 15. Cisco’s expert, Dr. Kevin Jeffay, opined that a SIP URI consists of SIP and then a unique identifier of the individual device that is being called. Tr. 2739:1-7. He provided an example of a SIP URI as sip:jeffay@unc.edu. Tr. 2739:8-10. 16. Dr. Jeffay’s opinion is confirmed by the Internet Engineering Task Force’s Request for Comment (“RFC”) 3261 that outlines the procedures for the SIP protocol. RFC 3261 confirms that a SIP URI contains the word SIP, and the document provides a specific example as “sip:user:password@host:port;uri-parameters?headers.” DTX-1296 at 148. RFC 3261 contains many examples of SIP URIs that all contain the word sip. DTX-1296 (listing examples of SIP URIs such as “sip:alice@atlanta.com.”). 17. Centripetal’s expert, Dr. Michael Mitzenmacher, presented that the Firepower Management Center enables the network firewalls to monitor traffic sent by SIP for network exploits. Tr. 748:6-13; PTX-1289 at 912. The technical documents confirm that if any SIP traffic is found to be a threat to the network, rules may be created to prevent any dangers to the network. Tr. 748:19-24; PTX-1289 at 912. 18. The accused products have the capability to handle SIP traffic and can block that traffic that is determined to be malicious. Tr. 750:11-17. 19. However, Dr. Mitzenmacher presented no technical documents that confirm that the accused firewalls have specific rules that contain both a network address and a SIP URI. Tr. 117 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 118 of 178 PageID# 24004 2756:18-2757:2. Furthermore, no Cisco technical document confirms that the accused switches and routers have any rules that contain both a network address and a SIP URI. Tr. 2756:18-2757:2. 20. Dr. Mitzenmacher and Cisco’s technical documents do confirm that the accused switches, routers and firewalls can forward and block packets. Tr. 754:11-756:7; PTX-1276 at 216; PTX-1493 at 009. 21. The accused devices can encapsulate and route packets. Tr. 756:8-758:21, 760:5- 764:16; PTX-1262 at 994; PTX-524 at 309; PTX-1229 at 69; PTX-1293 at 062. However, Dr. Mitzenmacher presented no evidence that the accused devices perform a “copying” of information contained in the packets. Tr. 2749:24-2750:4 (Dr. Jeffay confirming no testimony or evidence on copying). ii. Conclusions of Law Regarding Infringement Cisco expert, Dr. Jeffay, opined that the ‘205 Patent was not infringed for two distinct reasons. First, he opined that Centripetal’s infringement theory relies on the “blocking” of packets, but the asserted claims of the ‘205 Patent require encapsulation and forwarding. Second, he averred that Centripetal has not asserted any proof that the accused products have “at least one rule specifying a set of network addresses and a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI),” as required by the claims. The Court agrees with Dr. Jeffay on both of his noninfringement theories. The Court affirms Dr. Jeffay’s characterization that the ‘205 Patent teaches a method of tapping internet-based phone communications and potentially video via the internet. It may be characterized as a method of spying upon or “hacking” internet communications, which is the converse of the four previous patents that are found as valid and infringed, the function of which is to provide network security. 118 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 119 of 178 PageID# 24005 On his first theory, Dr. Jeffay outlined the main focus of the invention in the ‘205 Patent is on Voice over IP traffic and the encapsulation and forwarding of data. He opined: Q. And turning to slide 5, how many disputes -- on the infringement issue, how many major disputes do you intend to focus on today? A. Well, in my report I documented several disputes, but in the interest of time, we’re going to focus on two here, and these are the two that I think are the easiest to see. And the first one is really sort of a black/white issue; that Centripetal’s theory of infringement focuses on the blocking of packets. And blocking has really been the key to most of this case; that the accused products block packets. But the ‘205 [P]atent is not about blocking packets, it’s about precisely the opposite. It’s about doing things that we’ll come to see are called encapsulation and forwarding, but the point here is that we want the packets to go through to their destination. We’re going to see that the patent is really about enabling law enforcement to potentially wiretap phone calls, so we want the package to go through. And so the ‘205 claims are really about the opposite of what we’ve heard in this case; they’re about letting packets make it to their destination. Tr. 2731:24-2732:19. Dr. Jeffay explained in detail Figure 6 of the ‘205 Patent, walking through the major outline of the invention, as described by the claims: 119 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 120 of 178 PageID# 24006 FIG. 6 from the ‘205 Patent Q. We’ve got figure 6 up now. Dr. Jeffay, could you, using figure 6, walk the Court through the major components of the claimed invention. A. Sure. So this is the world -- this a version of the world in which the claimed invention would operate. So let’s focus first on network A, which is in the upper left-hand corner. And in network A there is a device, UE 600. Now, UE in the patent stands for User Equipment, but what I’d like the Court to think of it -- think of it as a phone. And you can kind of see it’s drawn kind of like an iPhone. So it’s a phone. And what’s going to happen here is that this user in network A is going to make a phone call, a Voice over IP phone call, to a user in network B. So let’s highlight network B, which is on the lower right. And we can see that also there’s a UE 602, User Equipment, just basically another phone, that’s in network B. So a user in network A makes a call to a user in network B, and what the patent is about is using an SPM 120 -- SPM is going to stand for Security Policy Management server; this is the entity that creates security policies. The SPM is going to send a policy that contains a rule to a packet security gateway 112. So the packet security gateway is the thing that actually looks at the packets. Now the rule -- the policy contains a rule, and the rule that’s going to be sent to the packet security gateway is going to contain information to allow the packet security gateway to identify the packets corresponding to this Voice over IP phone call. And when it identifies the right kind of packets, what it’s going to do is a little unusual. It’s going to let the packets go through. It’s not going to block the packets, but it’s not going to send the packets 120 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 121 of 178 PageID# 24007 to their intended destination, which is network B. It’s going to send them to network C, which is shown on the lower left. And in network C you can see that there’s a monitoring device, and what’s going to happen is the packets are going to be routed from the packet security gateway, to network C, to this monitoring device. The monitoring device is then going to copy some information from the packets. It’s going to keep that copied information, because, in theory, that’s what law enforcement wants to see, but then we need the call to go through, so it’s -- the network device 608 is going to unencapsulate the packet, get the original packet, and send it on its way back to network B. Tr. 2735:5-2736:24. In this explanation of the claims, Dr. Jeffay noted explicitly that the claims do not require the blocking of packets because “[i]f the call is blocked, then the packets would be dropped at the packet security gateway 112, and there would be nothing to monitor.” Tr. 2742:1921. Based on an independent reading of the claims, the Court agrees with Dr. Jeffay that the scope of the asserted claims of the ‘205 Patent deal specifically with the functionality to encapsulate, copy and then forward on packets to a different network. To prove infringement, Centripetal’s expert Dr. Mitzenmacher specifically identified the ‘205 Patent as: Q. If we can go to your demonstrative, can you briefly explain what this is showing, in terms of the ‘205 [P]atent, with the dynamic security policy? A. As we’ve seen for all of these systems, they will be given threat intelligence, or gather or absorb threat intelligence, and they can use that to update the rules. In particular, just generally, they have dynamic security policies. They’re constantly getting new information, and over time, they will often update the rule sets in order to deal with new threats accordingly. Tr. 726:21-727:5. Dr. Mitzenmacher, in his infringement opinion, specifically focused on the use of threat intelligence being used to block malicious traffic in the network. In his testimony, Dr. Mitzenmacher confirms that the accused products can perform the encapsulation of packets. Tr. 756:8-758:21, 760:5-764:16. This is confirmed by the Cisco technical documents. PTX-1262 at 994; PTX-524 at 309; PTX-1229 at 69; PTX-1293 at 062. But the encapsulation of packets 121 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 122 of 178 PageID# 24008 described by Dr. Mitzenmacher and the technical documents is not all that is required by the asserted claims. This element of the claim reads: encapsulate at least one packet of the packets that falls within the set of network addresses and matches the SIP URI with a header containing a network address that is different from a destination network address specified by the at least one packet and that corresponds to a network device configured to copy information contained in the at least one packet and to forward the at least one packet to the destination network address . . . JTX-1 (emphasis added). Dr. Mitzenmacher presented no testimony or technical documents that confirmed that the accused products are “configured to” or have the ability to copy information, as outlined by the asserted claims. Tr. 2749:24-2750:4; see PTX-1262 at 994; PTX-524 at 309; PTX-1229 at 69; PTX-1293 at 062. Additionally, there is no evidence in the documents presented by Dr. Mitzenmacher that the encapsulated packets are those that “fall within the set of network addresses and matches the SIP URI with a header containing a network address . . . .” See PTX1262 at 994; PTX-524 at 309; PTX-1229 at 69; PTX-1293 at 062. For these reasons, Centripetal has failed to prove by a preponderance of the evidence that the accused products embody each and every limitation of the patented claim. See V-Formation, Inc. v. Benetton Group SpA, 401 F.3d 1307, 1312 (Fed. Cir. 2005). Turning to the second theory, Dr. Mitzenmacher presented no document that specifies that the accused products contain” at least one rule specifying a set of network addresses and a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI),” as required by the claims. For the accused routers and switches, Dr. Mitzenmacher points to a presentation, PTX-1408, that shows that SIP traffic passes through Cisco’s products. This document’s mere mention of SIP traffic is not compelling evidence that Cisco’s routers and switches have rules that contain SIP URI and network addresses. See Tr. 2756:18-2757:2. PTX-1408. Similarly, for the accused firewalls, Dr. Mitzenmacher turns to PTX-1289 to show that the Cisco firewalls have four SIP keywords that 122 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 123 of 178 PageID# 24009 allow the user to monitor SIP traffic for exploits. PTX-1289 at 808. This document contains no mention of having specific rules that contain SIP URIs in combination with network addresses. Viewing all of the documents and testimony presented by Dr. Mitzenmacher, there is sufficient evidence to conclude that the accused products process SIP traffic. However, there is no compelling evidence to show that the accused products have rules that possess both a SIP URI and a network address, as required by the claims. See Tr. 2756:18-2757:2. Additionally, the Court FINDS that there is no infringement of the ‘205 Patent under the doctrine of equivalents. Dr. Mitzenmacher, in his equivalents testimony, stated: Q. So, go ahead. Can you, please, explain for the Court how the switches, routers, and firewalls perform substantially the same function. A. Certainly. So it provides substantially the same function, which is to block potentially malicious network traffic that’s been determined or related to a Session Initiation Protocol URI. It does this in the same way; by specifying a rule that would block this corresponding traffic. It may do so -- it does so by establishing a rule containing relevant SIP information, such as a domain or an IP address, and it achieves substantially the same result, which is to block that potentially – or create rules which would either block or monitor, or whatever action you want to take, on the corresponding Session Initiation Protocol traffic. Tr. 774:23-775:12. The Court has already determined that the asserted claims cover the encapsulation, copying and forwarding of packets. Blocking packets, as identified by Dr. Mitzenmacher, would not perform substantially the same function in substantially the same way as encapsulation, copying and forwarding. Accordingly, there is no infringement under the doctrine of equivalents. For both of these reasons, the Court FINDS that Centripetal has not met its burden to prove by a preponderance of the evidence that the accused products infringe Claims 63 and 77 of the ‘205 Patent literally or under the doctrine of equivalents. 123 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 124 of 178 PageID# 24010 iii. Validity During trial, Cisco withdrew its claim that the ‘205 Patent was invalid. Tr. 2795:16-24. Therefore, this Court will not address the validity of the ‘205 Patent as it is not required to rule upon the validity of a patent which has not been found infringed. VI. FINDINGS OF FACT AND CONCLUSIONS OF LAW REGARDING DAMAGES A. PAST DAMAGES i. Findings of Fact and Conclusions of Law Regarding Reasonable Royalty Base and Rate “Upon finding for the claimant the court shall award the claimant damages adequate to compensate for the infringement, but in no event less than a reasonable royalty for the use made of the invention by the infringer, together with interest and costs as fixed by the court.” Lucent Techs., Inc. v. Gateway, Inc., 580 F.3d 1301, 1324 (Fed. Cir. 2009) (quoting 35 U.S.C. § 284). In awarding damages under the governing statute, 35 U.S.C. §284, “a reasonable royalty is the minimum permissible measure of damages.” Deere & Co. v. Int’l Harvester Co., 710 F.2d 1551, 1558 n.9 (Fed. Cir. 1983). The Supreme Court has framed reasonable royalty damages achieved through litigation as a court’s duty to assess “the difference between [the patentee’s] pecuniary condition after the infringement, and what his condition would have been if the infringement had not occurred.” Yale Lock Mfg. Co. v. Sargent, 117 U.S. 536, 552 (1886). The burden of proving damages as a result of infringement falls on the patentee. Lucent Techs., Inc., 580 F.3d at 1324. The Federal Circuit has determined two acceptable “alternative categories of infringement compensation.” Id. The first category is based on a patentee’s lost profits. Id. To recover lost profits, “a patent owner must prove a causal relation between the infringement and its loss of profits.” Shockley v. Arcan, Inc., 248 F.3d 1349, 1362 (Fed. Cir. 2001). The patentee is required to “show a reasonable probability that ‘but for’ the infringing activity, the patentee would have 124 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 125 of 178 PageID# 24011 made the infringer’s sales.” Id. The four-factor test for utilizing the lost profit model is laid out in Panduit Corp. v. Stahlin Bros. Fibre Works, Inc., 575 F.2d 1152, 1156 (6th Cir. 1978). 11 The lost profits method is not at issue in this case since Centripetal has not presented any evidence of a causal relationship between suspected lost profits and Cisco’s sales of the infringing technology. The second category, which the Court adopts in this case, is based on the “the reasonable royalty . . . [the patentee] would have received through arms-length bargaining.” Lucent Techs., Inc., 580 F.3d at 1324. In determining this reasonable royalty, patentees have primarily used two distinct methods of calculation. “The first, the analytical method, focuses on the infringer’s projections of profit for the infringing product.” See id. (citing TWM Mfg. Co. v. Dura Corp., 789 F.2d 895, 899 (Fed. Cir. 1986) (describing the analytical method as “subtract[ing] the infringer’s usual or acceptable net profit from its anticipated net profit realized from sales of infringing devices”)). Here, there was insufficient evidence submitted to the Court based on the infringer’s profit projections and thus this method is inappropriate for calculating damages. “The second, more common approach, called the hypothetical negotiation or the ‘willing licensor-willing licensee’ approach, attempts to ascertain the royalty upon which the parties would have agreed had they successfully negotiated an agreement just before infringement began.” Id. The date used for the occurrence of the hypothetical negotiation is the date that infringement began. Wang Labs., Inc. v. Toshiba Corp., 993 F.2d 858, 870 (Fed. Cir. 1993). The evidence at trial supports a first infringement date of June 20, 2017. The Court FINDS the reasonable royalty method to be appropriate based on the evidence presented by both Centripetal and Cisco. 11 “To obtain as damages the profits on sales he would have made absent the infringement, i.e., the sales made by the infringer, a patent owner must prove: (1) demand for the patented product, (2) absence of acceptable non-infringing substitutes, (3) his manufacturing and marketing capability to exploit the demand, and (4) the amount of the profit he would have made.” Panduit Corp. v. Stahlin Bros. Fibre Works, Inc., 575 F.2d 1152, 1156 (6th Cir. 1978). 125 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 126 of 178 PageID# 24012 To determine a reasonable royalty, the Court bases its economic analysis on the factors laid out in Georgia-Pacific Corp. v. U.S. Plywood Corp., 318 F. Supp. 1116, 1120 (S.D.N.Y. 1970). Determining a reasonable royalty involves the Court’s analysis into each of the relevant GeorgiaPacific factors: (1) Any royalties received by the licensor for the licensing of the patent-in-suit, proving or tending to prove an established royalty. (2) The rates paid by licensee to license other patents comparable to the infringed patents. (3) The nature and scope of the license, as exclusive or non-exclusive, or as restricted or non-restricted in terms of its territory or with respect to whom the manufactured product may be sold. (4) The licensor’s established policy and marketing program to maintain its right to exclude others from using the patented invention by not licensing others to use the invention, or by granting licenses under special conditions designed to preserve that exclusivity. (5) The commercial relationship between the licensor and the licensee, such as whether or not they are competitors in the same territory in the same line of business. (6) The effect of selling the patented product in promoting other sales of the licensee; the existing value of the invention to the licensor as a generator of sales of its non-patented items; and the extent of such collateral sales. (7) The duration of the infringed patents and the term of the license. (8) The established profitability of the product made under the infringed patents; its commercial success; and its popularity. 126 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 127 of 178 PageID# 24013 (9) The utility and advantages of the patented invention over the old modes or devices, if any, that had been used for achieving similar results. (10) The nature of the patented invention; the character of the commercial embodiment of it as owned and produced by or for the licensor; and the benefits to those who have used the invention. (11) The extent to which the infringer has made use of the invention; and any evidence that shows the value of that use. (12) The portion of the profit or of the selling price that may be customary in the particular business or in comparable businesses to allow for the use of the invention or analogous inventions. (13) The portion of the profit that arises from the patented invention itself as opposed to profit arising from unpatented features, such as the manufacturing process, business risks, or significant features or improvements added by the accused infringer. (14) The opinion testimony of qualified experts. (15) The amount that a licensor (such as Centripetal) and a licensee (such as Cisco) would have agreed upon (at the time the infringement began) if both sides had been reasonably and voluntarily trying to reach an agreement; that is, the amount which a prudent licensee -- who desired, as a business proposition, to obtain a license to manufacture and sell a particular article embodying the patented invention -- would have been willing to pay as a royalty and yet be able to make a reasonable profit and which amount would have been acceptable by a patentee who was willing to grant a license. See Georgia-Pacific Corp. v. U.S. Plywood Corp., 318 F. Supp. 1116, 1120 (S.D.N.Y. 1970), modified sub nom. Georgia-Pacific Corp. v. U.S. Plywood-Champion Papers, Inc., 446 127 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 128 of 178 PageID# 24014 F.2d 295 (2d Cir. 1971). The Court will examine each of the relevant Georgia-Pacific factors that guide its determination of a proper reasonable royalty rate. 12 Beginning with Georgia-Pacific factors one and two, the only comparable license of the patents-in-suit is the Confidential Binding Term Sheet agreed to in a previous case tried by this Court – Centripetal Networks, Inc., v. Keysight Technologies, Inc. and Ixia, Case No. 2:17-cv-383 (E.D Va.). The Court is limited to this license granted by Centripetal as the only comparable license, as neither party presented any comparable licenses for similar patented inventions or similar infringing products. Tr. 1498:2-10. Although Cisco licensed Stealthwatch for a period of years from Lancope before Cisco acquired the company in 2013, neither Centripetal nor Cisco presented evidence of this or any other license in which Cisco was involved, and the Keysight agreement is the only licensing agreement in which Centripetal has been involved. The Keysight agreement was entered into by Centripetal and Keysight/Ixia during trial to settle the patent claims at issue in that litigation. The patents asserted in the Keysight case are comparable to those in this litigation. Both the ‘205 Patent and the ‘856 Patent were asserted in the Keysight case. The ‘176 Patent, the ‘193 Patent and the ‘806 Patent are in the same patent family and covered similar fields of technology as the patents that were asserted in Keysight. Therefore, the Keysight agreement covers sufficiently similar technology to serve as a comparable technology license in this case. The Keysight agreement granted Keysight/Ixia a three year “worldwide, non-transferable, irrevocable, non-terminable, non-exclusive license” to Centripetal’s worldwide patent portfolio in exchange for a $25 million-dollar lump-sum payment and a 10% royalty of directly competing products and a 5% royalty on non-competing products. See PTX-1125; Tr. 1487:5-1491:2. The 12 Certain factors may be relevant regarding other factors and, therefore, the Court will often address two factors at a time. Additionally, the Court may incorporate relevant information from one factor into its analysis of another factor. For example, the Court often uses factor fourteen (i.e., the opinion testimony of qualified experts) to support its analysis of other factors. 128 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 129 of 178 PageID# 24015 Court agrees with Centripetal’s damages expert, Lance Gunderson, that the 10% running royalty instituted in the Keysight agreement is sufficiently comparable to provide a starting point for determining a reasonable royalty based on a hypothetical negotiation. See Tr. 1486:1-24. This 10% royalty in Keysight was instituted for products that directly compete with Centripetal’s RuleGate gateway product. Cisco’s damages expert, Dr. Becker, contends that the Keysight license is not directly comparable because Keysight was a direct competitor in the threat intelligence gateway market, and Cisco is not. Although Centripetal does not market and sell switches and routers, Cisco has embedded the patented software functionality from the Centripetal patents into the infringing switches and routers that provides the same functionality as the RuleGate product. Centripetal does market and sell firewalls. Accordingly, the Court FINDS that Centripetal and Cisco are direct competitors with respect to the infringing software, as well as firewalls. This incorporation of infringing functionality persuades the Court that the infringing Cisco products are more comparable to the 10% royalty on competing products than the 5% royalty for non-competing products in Keysight. Accordingly, the 10% royalty on directly competing products in the Keysight case provides a comparable baseline license from which the Court can determine a reasonable royalty in this case. The Court recognizes that the Keysight license was obtained in the coercive environment of litigation and not the result of open negotiation. See LaserDynamics, Inc. v. Quanta Computer, Inc., 694 F.3d 51, 77 (Fed. Cir. 2012) (highlighting that “[t]he notion that license fees that are tainted by the coercive environment of patent litigation are unsuitable to prove a reasonable royalty is a logical extension of Georgia–Pacific . . .”). Generally, these types of settlement agreements “should not be considered evidence of an established royalty.” Id. (citing Hanson v. Alpine Valley Ski Area, Inc., 718 F.2d 1075, 1078-79 (Fed. Cir.1983). However, the Federal Circuit has recently 129 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 130 of 178 PageID# 24016 permitted reliance on such agreements “under certain limited circumstances.” Id. In the case of ResQNet.com, Inc. v. Lansa, Inc., the Federal Circuit “permitted consideration of the settlement license on remand” because the “settlement license to the patents-in-suit in a running royalty form was ‘the most reliable license in [the] record.’” Id. (discussing and quoting language from ResQNet); see ResQNet.com, Inc. v. Lansa, Inc., 594 F.3d 860, 872 (Fed. Cir. 2010). Similarly, here, the Court, has only one comparable license in the form of a settlement agreement from the Keysight case. The Court, in its use of this license to determine a reasonable royalty, heeds the guidance of the Federal Circuit to “consider the license in its proper context within the hypothetical negotiation framework to ensure that the reasonable royalty rate reflects “the economic demand for the claimed technology.” Id. Therefore, the Court will analyze the Keysight rate in the context of the other Georgia-Pacific factors to account for the similarities and differences in the Keysight license and the facts present in this case. See AstraZeneca AB v. Apotex Corp., 782 F.3d 1324, 1335 (Fed. Cir. 2015) (finding no error when the district court accounted for similarities and differences between past negotiations and the hypothetical negotiations); see also Elbit Sys. Land & C4I Ltd. v. Hughes Network Sys., LLC, 927 F.3d 1292, 1300 (Fed. Cir. 2019) (collecting cases that show it is appropriate to rely on prior licenses, even in a settlement context, when they are sufficiently compared to the facts and circumstances of the case at issue). Turning to Georgia-Pacific factor three, the scope and nature of the Keysight license weighs in favor of reducing the baseline royalty percentage, because the license presented to Cisco would be limited to the infringing patents instead of a full patent portfolio that was granted in Keysight. Consequently, the Court agrees with Dr. Becker that this factor promotes in favor of a royalty rate reduction. Tr. 2869:2-12. 130 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 131 of 178 PageID# 24017 Georgia-Pacific factor four has some influence on the royalty figure. The Court can infer that Centripetal was at least willing to license its patent portfolio to Keysight, for the terms outlined in the agreement, in order to settle ongoing litigation. This comparable license shows that Centripetal may have been willing to license the asserted patents to Cisco. It is a consideration that would sway the Court to adjust the royalty somewhat in a downward direction. The license is a major consideration in Centripetal’s request for injunctive relief. Georgia-Pacific factor five has minimal impact on the royalty figure. This factor asks the Court to inquire into the commercial relationship of the parties at the hypothetical negotiation. The Court notes that Centripetal has presented evidence that Cisco’s incorporation of the patented functionality into its products would result in substantial lost profits from the competing RuleGate product. Generally, this fact would weigh in favor of increasing the royalty as Centripetal, in the hypothetical negotiation, would consider the substantial loss that may be attributed to licensing the patented technology. 13 From Cisco’s perspective, it would gain substantially from licensing the asserted patents as it could incorporate advanced security functionality into its products, thus improving the profitability of its networking products. See Carnegie Mellon Univ. v. Marvell Tech. Group, Ltd., 807 F.3d 1283, 1304 (Fed. Cir. 2015) (noting “a basic premise of the hypothetical negotiation is the opportunity for making substantial profits if the two sides [are] willing to join forces by arriving at a license of the technology”). 13 “It is a step further, and we think a necessary one, to say that, when the patentee’s business scheme involves a reasonable expectation of making future profits by the continuing sale to the purchaser of the patented machine, of supplies to be furnished by the patentee, which future business he will lose by licensing a competitor to make the machine, this expectant loss is an element to be considered in retroactively determining a reasonable royalty.” Panduit Corp. v. Stahlin Bros. Fibre Works, Inc., 575 F.2d 1152, 1163 (6th Cir. 1978) (quoting Egry Register Co. v. Standard Register Co., 23 F.2d 438, 443 (C.C.A. 6th Cir. 1928)). 131 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 132 of 178 PageID# 24018 However, the Court must consider that Cisco has incorporated the infringing technology into hardware products, such as switches and routers, that Centripetal does not produce or sell. Additionally, even if Centripetal sold versions of the infringing products, it would be difficult to meet the customer demand of these products that Cisco, as the largest provider of network infrastructure and services in the world, would be able to accomplish. See Tr. 1449:17-1451:2. Therefore, Centripetal’s bargaining position in the hypothetical negotiation would be limited by the incentive of Centripetal to license the patented software technology to Cisco in order to take advantage of Cisco’s substantial market share. See Tr. 1449:17-1451:2. The Court FINDS that all these considerations generally neutralize each other and warrant no variance to the royalty number. Georgia-Pacific factor six does call for some upward influence. Cisco has incorporated the patented software functionality into a variety of its routers, switches and firewalls in its network security system. Therefore, the effect of the sales and the profits therefrom are promoted by Centripetal’s software. The upward influence is somewhat offset by the apportionment analysis of Centripetal’s experts. There was no evidence presented that the infringing products contributed to increased sales of any of Cisco’s other non-infringing products. Georgia-Pacific factor seven inquires as to the duration of the patent and terms of the license. The Court’s inquiry into the length of the license is more appropriately construed in terms of an ongoing royalty, and will be addressed in that portion of the Court’s findings. Georgia-Pacific factor eight deals with the profitability of products made under the patent and the commercial success of those products. One of Centripetal’s damages experts, Mr. Gunderson, presented detailed evidence of Cisco’s profitability of the infringing products. The Federal Circuit has expressly noted that “anticipated incremental profits under the hypothesized conditions are conceptually central to constraining the royalty negotiation . . . [and] . . . [e]vidence 132 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 133 of 178 PageID# 24019 of the infringer’s actual profits generally is admissible as probative of his anticipated profits.” Aqua Shield v. Inter Pool Cover Team, 774 F.3d 766, 772 (Fed. Cir. 2014); see Sinclair Refining Co. v. Jenkins Petroleum Process Co., 289 U.S. 689, 698 (1933) (noting “[e]xperience is then available to correct uncertain prophecy”). In the context of the hypothetical negotiation, “the core economic question is what the infringer, in a hypothetical pre-infringement negotiation under hypothetical conditions, would have anticipated the profit-making potential of use of the patented technology to be, compared to using non-infringing alternatives.” Aqua Shield, 774 F.3d at 77071 (emphasis in original) (noting that “[i]f a potential user of the patented technology would expect to earn X profits in the future without using the patented technology, and X + Y profits by using the patented technology, it would seem, as a prima facie matter, economically irrational to pay more than Y as a royalty—paying more would produce a loss compared to forgoing use of the patented technology”). As probative evidence of anticipated profits, Mr. Gunderson provided percentages of Cisco’s actual gross profit in the infringed products from June 20, 2017 to December 31, 2019: Product Gross Profit % Catalyst Switches 67.8% Aggregation Services Router 79.2% Integration Services Router 82.0% Adaptive Security Appliance 56.6% Firepower Appliance 71.1% Firepower Management Center 76.5% 133 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 134 of 178 PageID# 24020 Stealthwatch 81.4% Identity Service Engine 91.5% Digital Network Architecture -1.9% An examination of this data establishes that Cisco was reaping considerable profit margins on products that incorporate the infringing functionality. See Tr. 1495:16-1496:19. Moreover, a Cisco article, published on November 7, 2019, expresses the very high profitability of the new Catalyst 9000 series switches as compared to older models: PTX-515 Cisco Article Published on Website from November 7, 2019 134 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 135 of 178 PageID# 24021 135 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 136 of 178 PageID# 24022 PTX-515. Additionally, Cisco presented no evidence to contest these profit margins or the cost of any non-infringing alternative that would achieve the same functionality as incorporated in the patented technology. See Tr. 1602:8-16 (Mr. Malackowski noting that “Cisco did not suggest or offer any alternatives or even what it would cost to come up with alternatives”). Therefore, at a hypothetical negotiation, Centripetal would hold a considerable advantage due to the lack of noninfringing alternatives and the ability for Cisco to make large profits from the use of the technology. This evidence of high profits and lack of alternatives supports a higher reasonable royalty rate. See Lucent Techs., Inc., 580 F.3d at 1335 (noting that approximately 70–80% profit margin of the products at issue supports a higher versus a lower reasonable royalty). Additionally, Mr. Malackowski, Centripetal’s expert on patent evaluation, testified to his understanding that the Keysight license was structured in the manner it was due partly to the fact that Keysight had no available alternative to infringing the patent technology. See Tr. 1602:8-23. Accordingly, the 10% rate on competing products in the Keysight license had incorporated Keysight’s necessity of using the infringing technology. Here, similar circumstances would be prevalent at the hypothetical negotiation, such as Cisco’s “anticipated” profit margins in using the patented functionality and also the fact that there are no suitable alternatives available. Consequently, this factor supports the Court’s imposition of a higher royalty rate. Georgia-Pacific factor nine asks the Court to look at the utility and advantages of the patented property over the old modes or device. When developing its cybersecurity software system, Cisco repeatedly spent considerable monies to acquire smaller companies that produced software security technology. From 2013 to 2015, Cisco acquired Sourcefire for $2.7 billion, Lancope for $435 million and ThreatGRID for an undisclosed amount. See Tr. 1605:6-15. 136 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 137 of 178 PageID# 24023 Combinations of technology acquired from these companies form the basic elements of the older Cisco technology which preceded the infringing systems. See Tr. 1605:6-23. Cisco took the acquired technology and came up with what it described as the first cybersecurity solution of its type in the industry by adding Centripetal’s patented functionality. Accordingly, these dollar amounts that Cisco paid to acquire two of the three companies is compelling evidence that the underlying older components of the infringing system needed enhancement by adding the infringing functionality from Centripetal to become the industry leader in this new technology as it claims to be. During trial, each of Cisco’s experts on infringement, validity, and damages testified that the patented inventions add minimal value to the products. Their testimony is in direct conflict with Cisco’s technical and marketing documents which contribute the addition of the infringing functionality as a “breakthrough” in building “an intelligent platform with unmatched security.” PTX-1135 (Cisco Press Release from June 20, 2017, reproduced below); PTX-963. 137 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 138 of 178 PageID# 24024 138 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 139 of 178 PageID# 24025 Cisco repeatedly described the addition of Encrypted Traffic Analytics (“ETA”) as solving the “network security challenge previously thought to be unsolvable.” PTX-1135 (David Goeckeler, Cisco’s Senior Vice President of Sales, representing Cisco’s new technology). Additionally, these representations made by as dominant a company as Cisco would have a devastating impact upon Centripetal as the original inventor of the technology. Therefore, under factor nine, Cisco’s technical and marketing documents, as well as previous business acquisitions, support a higher royalty rate, as the addition of the infringing technology greatly improved Cisco’s sales and the profitability of its new infringing versions of the products over older models. See Deere & Co. v. Int’l. Harvester Co., 710 F.2d 1551, 1558 (Fed. Cir. 1983) (supporting a higher royalty rate in light of descriptions that the infringing product had a “bright future”). Cisco’s representations are confirmed by the increase in revenues from previous noninfringing versions of the products vs. the new infringing models. Moreover, the increase in revenues can be analyzed under Georgia-Pacific factor eleven to show the great extent which Cisco has made use of the patented invention. The Court, at the end of the trial, requested both parties to supplement their damages reports with revenue data from the predecessor products compared to the infringing products. See Tr. 2967:17-2973:5. This table summarizes Centripetal’s estimates regarding Cisco’s revenue increase for the infringing products, after the date of first infringement, as compared to the predecessor products sales for the fiscal year before June 20, 2017: 139 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 140 of 178 PageID# 24026 Product Increase in Revenues % Increase in Revenues $ (in millions) Switches 40.9% $3,973.4 Routers 13.2% 501.5 Adaptative Security / Firepower 29.5% 550.4 Stealthwatch 36.0% 70.2 Firepower Management Center 3.5% 1.7 Identity Services Engine 52.0% 225.3 Digital Network Architecture 14 100% 252.9 Total Increase 5,575.4 Tr. 3464:8-14 (Mr. Malackowski describing the increases in revenues for the infringing products). This data supports a finding that the addition of the infringing software functionality to older models of the infringing products support the economic reality of the enormous increase in revenues. There is no evidence that these increases in sales revenue were attributed to improvements in the hardware itself. The infringing software significantly improved existing hardware by not only adding security functionality, but speed and scalability as well. See Tr. 14 There is 100% revenue increase for the Digital Network Architecture, as this product was released in mid-2017, and had no defined predecessor. 140 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 141 of 178 PageID# 24027 2621:5-10, 2634:14-18 (showing how ASICs process packets at high speeds and how Centripetal’s rule swap technology aids that process and is disclosed in the ‘806 Patent); see PTX-547. PTX-547 Centripetal Demonstrative Presentation Presented to Cisco About Patented Technology 141 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 142 of 178 PageID# 24028 Viewing both Cisco’s technical documents, marketing representations and the sales data, the Court FINDS that the patented functionality added very significant value to the older technology. Therefore, this factor supports a substantially increased royalty figure. Accordingly, based upon its analysis of the Georgia-Pacific factors, the Court determines that the weight of the factors as a whole strongly favors Centripetal. As a result, the Court FINDS that the Keysight royalty rate of 10% of the apportioned value of its infringed technology is a reasonable royalty rate to compensate Centripetal for Cisco’s past infringement. This figure is supported both by the comparable factors in the Keysight license and the weight of the GeorgiaPacific factors. Now that the Court has determined a reasonable royalty rate, it must determine the proper royalty base to which to apply the rate in order to reach the final lump sum pretrial damages. Georgia-Pacific factor thirteen looks at the portion of the profit that arises from the patented invention itself as opposed to profit arising from unpatented features, such as the manufacturing process, business risks, or significant features or improvements added by the accused infringer. Therefore, instead of having a primary effect on the royalty rate, this factor is often used to determine the royalty base to which the rate is applied. With regard to the proper royalty base, the Federal Circuit has noted that patent damages awarded for infringement “must reflect the value attributable to the infringing features of the product, and no more.” Commonwealth Sci. & Indus. Research Org. v. Cisco Sys., Inc., 809 F.3d 1295, 1301 (Fed. Cir. 2015) (quoting Ericsson, Inc. v. D–Link Sys., Inc., 773 F.3d 1201, 1226 (Fed. Cir. 2014)). When an infringing product is comprised of multiple components, the infringing portions must be apportioned to represent the value contributed by solely the infringing functionality. See id. “The patentee must ‘give evidence tending to separate or apportion the 142 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 143 of 178 PageID# 24029 [infringer]’s profits and the patentee’s damages between the patented feature and the unpatented features, and such evidence must be reliable and tangible, and not conjectural or speculative.’” Finjan, Inc. v. Blue Coat Sys., Inc., 879 F.3d 1299, 1310 (Fed. Cir. 2018). The Federal Circuit has recognized “there may be more than one reliable method” in order to prove proper damages in an apportionment case. Id. at 1302. Therefore, the apportionment can be done by various ways including “by careful selection of the royalty base to reflect the value added by the patented feature, where that differentiation is possible; by adjustment of the royalty rate so as to discount the value of a product’s non-patented features; or by a combination thereof.” Ericsson, Inc. v. D-Link Sys., Inc., 773 F.3d 1201, 1226 (Fed. Cir. 2014). This flexibility in methodology is centered on “the difficulty that patentees may face in assigning value to a feature that may not have ever been individually sold.” Virnetx, Inc. v. Cisco Sys., Inc., 767 F.3d 1308, 1328 (Fed. Cir. 2014). Therefore, the integral inquiry is “whether the data utilized in the methodology is sufficiently tied to the facts of the case.” Finjan, Inc., 879 F.3d at 1301-02 (“[C]ourts must be proactive to ensure that the testimony presented—using whatever methodology—is sufficiently reliable to support a damages award.”). Sufficient reliability has “never required absolute precision in this task; on the contrary, it is well-understood that this process may involve some degree of approximation and uncertainty.” Virnetx, Inc., 767 F.3d at 1328. Here, Centripetal presented extensive apportionment evidence of the infringing products using the analysis of their apportionment expert, Dr. Striegel. Tr. 1337:19-1342:14. Before Dr. Streigel’s testimony, Cisco objected to Dr. Streigel’s apportionment opinion on the basis that his opinions do not satisfy the essential requirement for reliability under Daubert. Additionally, Cisco’s expert, Dr. Becker, contends that “Dr. Striegel didn’t do an incremental value analysis,” 143 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 144 of 178 PageID# 24030 and simply checked off functions as infringing that did not provide “any improvement to that aspect of the products.” The Court disagrees on both grounds. This is exactly the type of apportionment analysis that was performed in Finjan, Inc. v. Blue Coat Sys., Inc., for which the Federal Circuit found the jury was entitled to rely upon as substantial evidence to support damages. Finjan, Inc., 879 F.3d at 1313-14. In Finjan, Finjan’s expert, Dr. Layne–Farrar, used the defendant’s technical documents to separate the functionality of the accused product. Id. She assumed each box in a diagram of the product “represented one top level function and that each function was equally valuable.” Id. Dr. Layne-Farrar relied on deposition testimony from defendant’s employees and discussions with Finjan’s technical expert, who “identified certain components within the diagram that did and did not infringe.” Id. at 1313. Here, Dr. Striegel performed an almost identical type of apportionment analysis to that of Dr. Layne-Farrar in Finjan. Using Cisco’s technical specification of each of the products, Dr. Striegel identified the top-level functions of each of the products. Tr. 1337:21-23; see PTX-409. Dr. Striegel’s process of identifying the top-level functions by using Cisco’s technical documents is shown by slide eight from his demonstratives (using Catalyst Switches Product Overview, PTX409, as an example for the analysis done with each product): 144 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 145 of 178 PageID# 24031 SLIDE 8 FROM DR. STRIEGEL PRESENTATION See PTX-409 (for clear image of technical features). He then identified which of those top-level functions for each product are implicated by the asserted patents and their asserted claims. See PTX-1931. In order to analyze and present this technical apportionment, Dr. Striegel highlighted all of the materials he relied upon in this analysis: I looked at both public documentation as well as confidential documents including various articles, various videos, various tutorials. I also browsed through numerous depositions. I did have the opportunity to go and browse through the source code on-site. And then I also had discussions with our two other infringing technical experts, Dr. Cole and Dr. Mitzenmacher. Tr. 1338:9-15. This is exactly the type of materials relied upon by Dr. Layne-Farrar in the Finjan case, where the Federal Circuit determined that the jury was entitled to rely upon such information as substantial evidence to support a damages award. Accordingly, the Court FINDS that Dr. 145 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 146 of 178 PageID# 24032 Striegel’s analysis is admissible as “reliable and tangible” evidence of apportionment of the infringing products. See Ericsson, Inc., 773 F.3d at 1226 (highlighting that a court or jury must “apportion the defendant’s profits and the patentee’s damages between the patented feature and the unpatented features” using ‘reliable and tangible’ evidence”). Accordingly, the Court FINDS Dr. Striegel’s apportionment evidence and analysis to be a reliable method to determine a royalty base. As shown supra, Dr. Striegel opined on each of the infringing products, and determined how many of the top-level functions were implicated by infringement of the asserted patents. Dr. Striegel then determined an apportionment percentage for each of the infringing products based off this analysis. PTX-1931 is a summary of those findings made by Dr. Striegel (recreation of PTX-1931): Product Total # of Top- # Infringing Top-Level Apportionment Level Functions % 6 [’856 and ’193 Patent] 31% 15 Functions Catalyst Switches 13 5 [‘176 Patent] 4 [‘806 Patent] Integrated Services Routers 9 4 [All Patents] 44% Aggregated Services Routers 8 2 [All Patents] 25% 15 Even though Dr. Striegel found that six of the thirteen functions were infringed by the ‘856 Patent and ‘193 Patent, he relied on the lower apportionment percentage of 31%. Therefore, the Court adopts that number for its determination of the royalty base in lieu of the 46% alternative based on the ‘856 Patent and the ‘193 Patent. 146 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 147 of 178 PageID# 24033 Firepower / ASA 13 7 [‘806 Patent] 16 54% 10 3 [‘806 Patent] 30% Stealthwatch 5 4 [‘806 Patent] 80% Identity Services Engine 13 5 [‘856 Patent] 38% (including Firepower Management Center) Digital Network Architecture After Dr. Striegel’s technical apportionment, Centripetal’s expert on patent evaluation, Mr. Gunderson, applied these apportionment percentages to total sales revenues from the infringing products since the date of first infringement, June 20, 2017, through December 31, 2019. At the final damages hearing, these figures were updated through Cisco’s sales data ending on June 20, 2020 and totaled $21,467,079,878.00 billion. See Doc. 488, Ex. 7 (updated version produced at damages hearing). The Court adopts Centripetal’s exhibits outlining the sales revenues of Cisco. Cisco presented a patent by patent damages breakdown instead of a full picture of the sales of infringing products. The Court rejected the proposed patent by patent calculation of damages by Cisco’s expert Dr. Becker, in favor of the appointment method utilized by Centripetal’s experts approved by the Federal Circuit in Finjan, Inc. v. Blue Coat Sys., Inc., 879 F.3d 1299, 1310 (Fed. Cir. 2018). 16 Since the ‘205 Patent was found to not infringe the higher number of infringing functionalities found for the ‘806 Patent is used for the Firepower / ASA because this would be the most accurate apportionment ratio. The Court has removed the ‘205 Patent from Dr. Striegel’s chart and applied a 54% apportionment for products where the apportionment was based on the ‘205 Patent. See Doc. 488, Ex. 7. 147 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 148 of 178 PageID# 24034 Here is a reproduction of the apportionment percentages applied to Cisco’s gross revenues from June 20, 2017 through June 20, 2020, by using Centripetal’s update to PTX-1629, Doc. 488, Ex. 7: Product Invoice Gross Revenue Apportionment Apportioned Revenue June 20, 2017 – Factor June 20,2017 – June 20, 2020 17 Percentage June 20, 2020 Catalyst Switches $11,839,742,927 31% $3,670,320,307 Integrated Services Routers $2,375,633,299 44% $1,045,278,652 Aggregated Services Routers $3,456,557,172 25% $864,139,293 Firepower Appliance $2,283,221,005 54% $1,232,939,343 $428,380,587 54% $231,325,517 $67,635,757 54% $36,523,309 Digital Network Architecture $252,855,962 30% $75,856,789 Stealthwatch $266,052,460 80% $212,841,968 Identity Services Engine $497,000,709 38% $188,860,269 TOTAL $21,467,079,878 (billion) (plus subscription) Adaptative Security Appliance (plus subscription) Firepower Management Center 17 $7,558,085,447 (billion) As stated, supra, Centripetal’s exhibit outlining the sales revenues of Cisco goes from June 20,2017 to June 20, 2020. See Doc. 488, Ex. 7 (updated version produced at damages hearing). 148 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 149 of 178 PageID# 24035 Accordingly, based on Mr. Gunderson and the Court’s analysis, the Court FINDS that the correct apportioned royalty base is $7,558,085,447 18 for all of the infringing products based upon gross revenue through June 20, 2020. Doc. 488, Ex. 7. Moreover, as determined supra based on the Georgia-Pacific factors and the analysis of a hypothetical negotiation, the Court FINDS a 10% royalty is appropriate in this case. Accordingly, before the Court adjusts for enhanced damages, the total past damages award is $755,808,545 million (10% royalty rate applied to $7,558,085,447 million royalty base). ii. Findings of Fact Regarding Willful Infringement and Enhanced Damages 1. Centripetal’s RuleGate product practices the patents found to be infringing in this case. Centripetal marks its RuleGate product with the patents that it practices. Tr. 1203:12-1204:3; PTX-528; Tr. 1383:18-1385:15; PTX-1215. 2. In 2015, Centripetal CEO Stephen Rogers had a meeting with Pavan Reddy, a Cisco employee, where Mr. Rogers disclosed Centripetal product offerings and the effectiveness of their solutions. Mr. Reddy and Mr. Rogers had a follow-up meeting in 2015, where Centripetal provided a demonstration of their system and explained why it was an effective method of cyber defense. Tr. 256:8-257:12. 3. As a result of these meetings, on January 26, 2016, Centripetal and Cisco entered into a nondisclosure agreement (“NDA”), requiring Cisco to keep Centripetal’s confidential, proprietary or non-public information “strictly confidential” and “not use any Information in any manner . . . other than solely in connection with its consideration of” a possible partnership. Tr. 1213:16-20; PTX-99. 18 The royalty base begins with the gross sales of the infringing products, whereas the chart outlining the increase in sales of the infringing products as compared to pre-June 20, 2017 sales of Cisco’s predecessor products is estimated as $5,575.4 billion. 149 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 150 of 178 PageID# 24036 4. After Cisco executed the NDA, Centripetal, on February 4, 2016, presented in a WebEx meeting detailed, highly sensitive, confidential and proprietary information about its patented technology and products to Cisco, including details of its patented technology for the Asserted Patents. For example, Centripetal detailed how its “patented filter algorithms eliminate the speed and scalability problem,” how its “patented system, live update, and correlation technologies ‘automate workflow’ and how its “patented” “instant host correlation” conveys “real time analytics.” PTX-547 at 389-91; Tr. 258:21-25, 260:2-18; 1220:1-1222:25. 5. After the WebEx meeting, Cisco’s Engineer, TK Keanini, who attended the WebEx meeting, wrote an internal email, stating the team should “look at these algorithms” that Centripetal had and “study their [patent] claims.” Tr. 1128: 8-1129:5; PTX-134 at 3. 6. The next day, on February 5, 2016, Centripetal’s Jonathan Rogers sent an e-mail to Cisco summarizing the WebEx meeting, noting that Cisco “seemed to hone in on our filter technology and algorithms. The algorithms are a significant networking technology with broad application that we’ve productized for security. There were also a few questions on our patents...” Tr. 1226:10-1227:18; PTX-102; PTX-1046 7. There were a number of follow up meetings with Cisco, including a request from Cisco’s security architect, Joseph Muniz, who was very interested in Centripetal’s patented technology. He requested and received a demonstration of Centripetal’s patented RuleGate product, which he described in an online blog that educates Cisco employees entitled “Cool Tool: Centripetal Networks RuleGate – Threat Intelligence Tool,” and where he stated, “I found this tool to be a pretty cool new approach to leveraging threat data.” Tr. 1299:16-1300:7; 1308:5-15; PTX548, PTX-550 at 647-49, 51. 8. In November and December 2016, Cisco had several meetings with Oppenheimer 150 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 151 of 178 PageID# 24037 & Co., Inc. about Centripetal, pursuant to Centripetal’s engagement with Oppenheimer to evaluate companies who were interested in making a strategic investment in Centripetal. In December 2016, Oppenheimer presented to Cisco additional information about Centripetal, including a list of Centripetal’s patents issued at the time, product offerings that practice the patents, and a highly sensitive, detailed technical disclosure which detailed the core RuleGate functionalities covered by the Asserted Patents. Tr. 1235:11-20, 1237:25-1238:9, 1242:17-1243:11; DTX-1270 at 1, 2528, 30. 9. After all of these detailed meetings with Centripetal, Cisco released its “network of the future” products on June 20, 2017, which incorporated Centripetal’s patented technology. See PTX-1135. Below is Centripetal’s demonstrative, Slide 37, presented during opening statements which accurate reflects the evidence presented at trial surrounding the events of Centripetal and Cisco’s relationship 19. 19 This slide does not attempt to reflect the numerous “hits” on Centripetal’s website by Cisco’s employees. 151 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 152 of 178 PageID# 24038 SLIDE 37 FROM CENTRIPETAL’s OPENING STATEMENT iii. Conclusions of Law Regarding Willful Infringement and Enhanced Damages Under the patent damages provisions of 35 U.S.C. § 284, a court “may increase the damages up to three times the amount found or assessed.” Halo Elecs., Inc. v. Pulse Elecs., Inc., 136 S. Ct. 1923, 1931 (2016) (quoting 35 U.S.C. § 284). The use of “may” in the statute indicates that enhancement under § 284 is within the discretion of the district court. Id. The Supreme Court in Halo Elecs., Inc. v. Pulse Elecs., Inc., explicitly noted that a court exercising discretion to award enhanced damages merits an analysis of “the particular circumstances of each case” unencumbered by the “inelastic constraints” of a rigid framework. Id. at 1932. Although the statute does not include a “precise rule or formula” for an enhanced damages award, the “court’s discretion should be exercised in light of the considerations underlying the grant of that discretion.” Id. Halo, 152 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 153 of 178 PageID# 24039 additionally, mandated that the award of enhanced damages is governed by a preponderance of the evidence standard. Id. at 1934. Historically, enhanced damages have been reserved for infringement behavior that was found to be “egregious.” Id. (explaining “through nearly two centuries of discretionary awards and review by appellate tribunals, “the channel of discretion ha[s] narrowed . . . so that such damages are generally reserved for egregious cases of culpable behavior”). The Halo decision highlights that enhanced damages are warranted as a “punitive” or “vindictive” sanction for egregious conduct described as “willful, wanton, malicious, bad-faith, deliberate, consciously wrongful, flagrant or – indeed – characteristic of a pirate.” Id. at 1932. Additionally, the Supreme Court noted that even if these types of conduct traditionally underlie enhanced damages, there is no requirement that the court find egregious conduct to award enhanced damages. Id. at 1933. Accordingly, in deciding to award enhanced damages, a court, in its discretion, “should take into account the particular circumstances of each case,” while remembering the historical underpinnings that enhanced damages should generally “be reserved for egregious cases typified by willful misconduct.” Id. at 1933-34. The factors laid out in Read Corp. v. Portec, Inc., 970 F.2d 816, 826-827 (Fed. Cir. 1992), overruled on other grounds by Markman v. Westview Inst. Inc., 52 F.3d 967 (Fed. Cir. 1995), have been used post-Halo to aid a district court’s determination of whether a case’s circumstances warrant enhanced damages. See Mich. Motor Techs. LLC v. Volkswagen Aktiengesellschaft, No. 19-10485, 2020 U.S. Dist. LEXIS 122276, at *11 (E.D. Mich. July 13, 2020) (noting that the Read factors are a useful guide, but stating that Halo has eliminated “any rigid formula or set of factors”). These factors are not an exhaustive list, but provide a meaningful guide to determine if the infringer’s conduct was “willful, wanton, malicious, bad-faith, deliberate, 153 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 154 of 178 PageID# 24040 consciously wrongful, or flagrant.” See id.; Finjan, Inc. v. Blue Coat Sys., Inc., 13-CV-03999BLF, 2016 WL 3880774, at *16 (N.D. Cal. July 18, 2016) (applying the Read factors to determine if the infringing conduct warrants enhanced damages). The Read factors are: (1) deliberate copying; (2) defendant’s investigation and good faith-belief of invalidity or noninfringement; (3) litigation behavior; (4) defendant’s size and financial condition; (5) closeness of the case; (6) duration of the misconduct; (7) remedial action by the defendant; (8) defendant’s motivation for harm; and (9) attempted concealment of the misconduct. Green Mt. Glass LLC v. Saint-Gobain Containers, Inc., 300 F. Supp. 3d 610, 628 (D. Del. 2018) (citing Read Corp., 970 F.2d at 816, 826–27). The Federal Circuit in WBIP, LLC v. Kohler Co., distinctly declined to interpret Halo as changing the requirement that willfulness should be decided by the finder of fact before the court determines whether enhanced damages are warranted as a matter of law. See WBIP, LLC v. Kohler Co., 829 F.3d 1317, 1341 (Fed. Cir. 2016). Therefore, the Court, as fact-finder, will address the issue of willful infringement and enhanced damages in tandem, as the Read factors adequately address both issues. Moreover, the Federal Circuit has outlined that “[k]nowledge of the patent alleged to be willfully infringed continues to be a prerequisite” to the court finding that enhanced damages are warranted. Id. Therefore, prior knowledge of the patents at issue appears to be “a necessary but 154 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 155 of 178 PageID# 24041 not sufficient condition for an award of enhanced damages.” Mich. Motor Techs. LLC, 2020 U.S. Dist. LEXIS 122276, at *11-13 (collecting cases noting pre-suit knowledge of the patent is not alone sufficient to uphold a finding of willfulness and requires more factual allegations to meet Halo’s egregious conduct standard). Accordingly, in light of this guidance, the Court will first determine if Cisco has pre-suit knowledge of the patents at issue. Second, the Court will use the Read factors to aid its analysis of whether infringement of the patents was willful, and to what degree enhanced damages should be assessed under the circumstances. The Court FINDS that Cisco willfully infringed the ‘856 Patent, the ‘176 Patent, the ‘193 Patent, and the ‘806 Patent, therefore enhanced damages are warranted under the evidence. The facts illustrate that Cisco had pre-suit knowledge of Centripetal’s asserted patents. First, after signing an NDA, Centripetal presented a detailed PowerPoint presentation to Cisco employees that laid out their patented technology. PTX-547 at 389-91; Tr. 258:21-25, 260:2-18; 1220:1-1222:25. This meeting was presented by Jonathan Rogers, who testified that, at this meeting, he: highlighted the technologies that were patented. We had a number of questions there, and I was offering to have additional discussion on that, as well, if it would be helpful. Tr. 1227:15-18. Contemporaneous emails sent by Jonathan Rogers to the Cisco team state that he was willing to share more information on the patented technology, as the group asked, “a few questions on our patents.” PTX-102. This knowledge of the patents is confirmed by internal emails of Cisco’s engineer, TK Keanini, which detailed the type of functionality covered by Centripetal’s intellectual property and expressing interest in “study[ing] their claims.” PTX-134 at 3; see Tr. 1128:8-1129:5. Moreover, a third-party firm, Oppenheimer, met with Cisco to discuss Centripetal’s product offerings that practice the patents, and presented a highly sensitive, detailed 155 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 156 of 178 PageID# 24042 technical disclosure, which detailed the core RuleGate functionalities covered by the Asserted Patents. Tr. 1235:11-20, 1237:25-1238:9; 1242:17-1243:11; DTX-1270 at 1, 25-28, 30. Second, Centripetal has marked its RuleGate product with a notice indicating the patents practiced by the device. PTX-528 (showing a photograph of the RuleGate device clearly marked with the asserted patents). The evidence presented at trial indicates that the RuleGate device was presented and demonstrated to Cisco employees, indicating that they had direct contact with the label showing the practiced patents. See WBIP, LLC, 829 F.3d at 1342 (noting the marking of a device with the asserted patents is supporting evidence that the infringer knew of the patents). Accordingly, the pre-infringement events indicate that Cisco had direct knowledge of the asserted patents and the functionality of the claims. The Court broadly considers all the circumstances of the case, but several of the Read factors are particularly instructive in the Court’s analysis of enhanced damages. Turning to the Read factors, factor one inquires whether there was deliberate copying of the “ideas and design” of the elements of the claim or the commercial embodiment of the patent. See Read, 970 F.2d at 827 n.7; Arctic Cat Inc. v. Bombardier Recreational Prods., Inc., 198 F. Supp. 3d 1343, 1350 (S.D. Fla. 2016), aff’d, 876 F.3d 1350 (Fed. Cir. 2017). The case of Arctic Cat Inc. v. Bombardier Recreational Products, Inc has similar factual relation to the case here. There, defendant BRP had multiple meetings with Arctic Cat, including testing and demonstrations of its patented embodiment. Id. After meetings and testing, BRP stated that they were not interested in the technology and stopped negotiations with Arctic Cat. Id. Then, four years later, BRP began infringing Arctic Cat’s patents after abandoning its own process. Id. The district court found that BRP’s development of “a very similar system under these circumstances [was] strong evidence of copying and favor[ed] enhancing damages.” Id. Similarly, here, Cisco had multiple meetings with 156 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 157 of 178 PageID# 24043 Centripetal employees and provided detailed presentations of the patents and their functionality. See Georgetown Rail Equip. Co. v. Holland L.P., 6:13-CV-366, 2016 WL 3346084, at *17 (E.D. Tex. June 16, 2016), aff’d, 867 F.3d 1229 (Fed. Cir. 2017) (showing disclosure of patented systems under a non-disclosure as evidence of copying). As detailed in the Court’s factual findings, Cisco was provided with demonstrations of the product and confidential information regarding Centripetal’s proprietary algorithms. Within a year of these meetings, Cisco released the “network of the future,” involving the release of older products embedded with new software functionality that was outlined and detailed to them by disclosure of the patents and multiple technical discussions and demonstrations. The fact that Cisco released products with Centripetal’s functionality within a year of these meetings goes beyond mere coincidence. Therefore, the fact that Cisco’s system mirrors the functionality of the Centripetal patents is compelling evidence that damages should be enhanced for copying. See Crane Sec. Techs., Inc. v. Rolling Optics AB, 337 F. Supp. 3d 48, 57 (D. Mass. 2018) (“The Court observes that the similarities of RO’s technology to Crane’s patented invention, coupled with RO’s extensive knowledge of Crane’s intellectual property rights and products, support the inference of copying that favors enhancement.”) The second Read factor is “whether the infringer, when he knew of the other’s patent protection, investigated the scope of the patent and formed a good-faith belief that it was invalid or that it was not infringed.” Read, 970 F.2d at 827. Cisco presented no evidence of any such investigation and its own technical and marketing documents suggest it would have been difficult to form such a belief. With respect to Read factor three, Cisco’s trial attorneys’ hands were tied by Centripetal’s use of Cisco’s own technical documents, coupled with the adverse testimony of Cisco engineers. 157 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 158 of 178 PageID# 24044 Cisco had to shield the engineers who authored its current technical documents and the executives who praised its new security functionality for “solving problems previously thought unsolvable” from answering to their own writings and statements. On the other hand, while Cisco objected to trying the case on a video/audio platform, and specifically the platform upon which the Court’s staff was trained, its counsel teamed with Centripetal’s counsel to formulate protocols which expanded and improved upon the Court’s standard protocols to promote a more reliable and efficient trial by remote means. Counsel for both parties faithfully followed all of the protocols, were both very well prepared, were mostly courteous to one another and joined in congratulating the Court’s staff on its efficient handling of the trial. Accordingly, while this factor favors enhanced damages, it is mitigated by the professional performance of its trial counsel. The fourth Read factor looks at the infringer’s size and financial condition. Cisco represents itself as the largest provider of network infrastructure and services in the world. PTX570 at 991. As discussed supra, Cisco saw an increase of approximately $5.575 billion dollars over three years by adding the infringing functionality to the predecessor non-infringing product lines. Additionally, Cisco had substantial profit margins during the infringing period from 52% to 92% on the infringing products. 20 See Creative Internet Advert. Corp. v. Yahoo! Inc., 689 F. Supp. 2d 858, 866 (E.D. Tex. 2010) (showing high profit margins as evidence that favors enhanced damages). Accordingly, for a company as large as Cisco with these levels of revenues and profits, an enhanced damages award would not “unduly prejudice [Cisco’s] non infringing business.” Georgetown Rail Equip. Co., 2016 WL 3346084, at *19 (quoting Creative Internet Advert. Corp., 20 The Court leaves out the Digital Network Architecture from this range, as it represents a statistical outlier and it was stated that DNA was a new product with no defined predecessor. 158 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 159 of 178 PageID# 24045 689 F. Supp. 2d at 866). Therefore, based on Cisco’s immense size and commercial success with the infringing products, this factor weighs strongly in favor of enhanced damages. Read factor five deals with the closeness of the case. The Court FINDS that the rulings on the four patents that were found infringed and valid were clear and not a close call. In the presentation of its defense, Cisco repeatedly relied upon animations prepared ex post facto for trial, while ignoring their own technical documents. The great majority of the Cisco technical documents were introduced by Centripetal. Not only did the animations conflict with Cisco’s own technical documents, but in several instances contradicted Cisco’s employee witnesses. Cisco avoided calling the authors of its technical documents as well. There was no testimony that Centripetal attempted to broaden the reach of the four infringed patents, thus opening the door to additional prior art. See 01 Communique Lab., Inc. v. Citrix Sys., 889 F.3d 735, 742 (Fed. Cir. 2018). Nonetheless, Cisco, in its invalidity case, cited its old technology as prior art, while claiming its new technology did not infringe. This led to many inconsistencies in its evidence, on both issues. Of course, Cisco could not rely upon its own documents, as they proved Centripetal’s case. 21 Therefore, this factor weighs heavily in favor of enhanced damages. Read factor six addresses the duration of the misconduct and Read factor seven weighs the remedial action taken by the infringer. While Read factor nine looks at whether the infringer attempted to conceal any misconduct. 22 The infringing conduct has been continuous and unabated without any form of remedial action from June 20, 2017 to the present time. See Acantha LLC v. Depuy Synthes Sales, Inc., 406 F. Supp. 3d 742, 761 (E.D. Wis. 2019) (citing Broadcom Corp. v. Qualcomm Inc., No. SACV 05-467-JVS, 2007 U.S. Dist. LEXIS 62764, 2007 WL 2326838, at *3 21 The ruling on the ‘205 Patent was equally clear in favor of Cisco, yet this was the sole patent found not to clearly infringe. 22 Read factor eight addresses the infringer’s motivation for harm. There was no evidence presented on this factor. 159 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 160 of 178 PageID# 24046 (C.D. Cal. Aug. 10, 2007) (“The length of [defendant’s] infringement (approximately two years), coupled with the fact that infringement continued after [plaintiff] filed suit, supports an increase in damages.”)); see also Crane Sec. Techs., Inc. v. Rolling Optics AB, 337 F. Supp. 3d 48, 59 (D. Mass. 2018) (no remedial action supporting treble damages). Moreover, Cisco, through its course of conduct, continually gathered information from Centripetal as if it intended to buy the technology from Centripetal. Cisco, then, appropriated the information gained in these meetings to learn about Centripetal’s patented functionality and embedded it into its own products. See Liqwd, Inc. v. L’Oréal USA, Inc., No. 17-14-JFB-SRF, 2019 U.S. Dist. LEXIS 215668, at *21 (D. Del. Dec. 16, 2019) (noting how the defendants “concealed their misconduct in gathering information from the plaintiffs so as to create the infringing products” and weighing this factor in favor of enhanced damages). Therefore, all three of these factors weigh in favor of enhanced damages. The Court FINDS that Cisco did not advance any objectively reasonable defenses at trial as to the four infringed and valid patents including the ‘856 Patent, the ‘176 Patent, the ‘193 Patent, and the ‘806 Patent. Its non-infringement case was grounded upon their old technology. The infringing functionality was added to their accused products post June 20, 2017, and resulted in a dramatic increase in sales which Cisco touted in both technical and marketing documents. Cisco’s invalidity evidence often contradicted its non-infringement evidence and failed to recognize the new functionality which it copied from Centripetal during and after the Nondisclosure Agreement. PTX-99. It embedded the copied software functionality from the patents in its post June 20, 2017 switches, routers and firewalls and then ignored the accused products while claiming its pre-June 20, 2017 technology as prior art. Moreover, its damages evidence was deeply flawed in attempting to base its calculations on each patent separately instead 160 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 161 of 178 PageID# 24047 of considering its own sales of the infringing products. Again, the increase in its sales of the accused products illustrates how completely unrealistic its damages evidence was compared to the reality of the marketplace. Accordingly, in the exercise of its discretion, the Court considers the sound legal principles underlying the history of enhanced damages and FINDS this is an egregious case of willful misconduct beyond typical infringement. Halo Elecs., Inc., 136 S. Ct. at 1935. However, there are other considerations. Cisco did prevail as to one of the patents. In considering the cases awarding enhanced damages, and comparing these cases to this case, the Court FINDS that enhancing the damages by a factor of 2.5 is appropriate. Accordingly, the Court’s past damages award of $755,808,545 is properly enhanced by a multiple of 2.5 times to award lump sum past damages of $1,889,521,362.50. iv. Pre-judgment Interest 35 U.S.C. § 284 grants the Court discretionary authority to award interest and costs. 35 U.S.C. § 284; see General Motors Corp. v. Devex Corp., 461 U.S. 648, 653 (1983). The Supreme Court has interpreted the interest provision of section 284 and has instructed courts that prejudgment interest should ordinarily be awarded, “absent some justification for withholding such an award.” Id. at 657. The Supreme Court determined that the “fixed by the court” language in section 284 leaves the court’s some discretion in awarding pre-judgment interest. Id. at 656-57. In determining the rate of pre-judgment interest, “the district court has the discretion to determine whether to use the prime rate, the prime rate plus a percentage, the U.S. Treasury rate, state statutory rate, corporate bond rate, or whatever rate the court deems appropriate under the circumstances.” Century Wrecker Corp. v. E.R. Buske Mfg. Co., 913 F. Supp. 1256, 1280 (N.D. Iowa 1996) (citing Allen Archery, Inc. v. Browning Manuf. Co., 898 F.2d 787, 789 (Fed. Cir. 1990)). 161 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 162 of 178 PageID# 24048 Here, the Court will use the statutory post-judgment rate from the date of first infringement June 20, 2017, of 1.21%. See 28 U.S.C. § 1961. The Court calculates simple interest at the 1.21% rate over the infringement period of three years from June 20, 2017 to June 20, 2020 using the award of damages (excluding enhanced damages) of $755,808,545. This calculation makes an interest determination of $27,243,850. 23 The Court divides this number by two to account for the fact that infringement occurred over this three-year period. Accordingly, the total interest number awarded by the Court is $13,717,925. This interest is added to the final damages award, including the damages enhancement, to reach a final past damages award of $1,903,239,287.50. B. FUTURE DAMAGES “There are several types of relief for ongoing infringement that a court can consider: (1) it can grant an injunction; (2) it can order the parties to attempt to negotiate terms for future use of the invention; (3) it can grant an ongoing royalty; or (4) it can exercise its discretion to conclude that no forward-looking relief is appropriate in the circumstances.” Whitserve, LLC v. Comput Packages, Inc., 694 F.3d 10, 35 (Fed. Cir. 2012). As described herein, the Court has considered the evidence presented at trial and the arguments and proposed findings of fact and conclusions of law advanced by all parties, and FINDS that a permanent injunction is not appropriate relief for the infringement of the ‘856 Patent, the ‘176 Patent, the ‘193 Patent, or the ‘806 Patent, and that an ongoing, future royalty should be imposed for all four Patents. i. Injunctive Relief Centripetal requests injunctive relief with regard to Cisco’s firewall products. In order to merit injunctive relief, Centripetal must prove: “(1) that [they have] suffered an irreparable injury; (2) that remedies available at law, such as monetary damages, are inadequate to compensate for 23 This was calculated using a simple interest formula - I = P x R x T (27,243,850 = 755,808,545 x .0121 x 3). 162 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 163 of 178 PageID# 24049 that injury; (3) that, considering the balance of hardships between the [Proponents and Opponents], a remedy in equity is warranted; and (4) that the public interest would not be disserved by a permanent injunction.” eBay, Inc. v. MercExchange, LLC, 547 U.S. 388, 391 (2006). “[A]n injunction is a drastic and extraordinary remedy, which should not be granted as a matter of course.” Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 165 (2010) (citing Weinberger v. Romero–Barcelo, 456 U.S. 305, 311-12 (1982)). “If a less drastic remedy . . . [is] sufficient to redress [Proponents’] injury, no recourse to the additional and extraordinary relief of an injunction [is] warranted.” Id. at 165-66. If the Court were to grant an injunction, it would do so on every infringing product and not solely on Cisco’s firewalls, as Centripetal originally requested. 24 Moreover, the test for injunctive relief is not met in this case. Cisco’s switches, routers, and firewalls make up large portions of the global internet infrastructure. These products are components of both civilian and military networks. Therefore, granting an injunction on the infringing products will likely cause massive adverse effects on the functional capabilities of Cisco’s customers and have an adverse ripple effect on national defense and the protection of the global internet. Therefore, as to factor two, monetary damages are more appropriate to compensate Centripetal for patent infringement. The Keysight license shows that Centripetal is willing to patent its technology to direct competitors. Courts have stated that an injunction is improper where a patent owner has shown that they are willing to accept monetary damages. See EcoServices, LLC v. Certified Aviation Servs., LLC, 340 F. Supp. 3d 1004, 1023 (C.D. Cal. 2018); Cave Consulting Grp., LLC v. Optuminsight, Inc., No. 5:11-CV-00469-EJD, 2016 WL 4658979, at *21 (N.D. Cal. Sept. 7, 2016) (finding that where a patent holder is willing to “forego its patent rights for 24 Centripetal later expanded its request for injunctive relief to additional products. While EBay factor one has been clearly proven, factor two has clearly not. 163 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 164 of 178 PageID# 24050 compensation,” “monetary damages are rarely inadequate”); see also Advanced Cardiovascular Sys., Inc. v. Medtronic Vascular, Inc., 579 F. Supp. 2d 554, 560 (D. Del. 2008) (“The fact that [plaintiff] was selective regarding its licensing compensation—exchanging its technology only for other licenses to competing technology—does not rectify the fact that [plaintiff] was willing, ultimately, to forego its exclusive rights for some manner of compensation. Money damages are rarely inadequate in these circumstances.”). As to factor three, the greater hardship would clearly impact Cisco. Factor four, the public interest, does not support injunctive relief for the same reasons outlined as to factor two. Accordingly, for these reasons, the Court FINDS that an injunction is not an appropriate legal remedy for Cisco’s infringement. ii. Ongoing Royalty Rather, the Court FINDS that an ongoing royalty is proper in this case. An ongoing royalty is essentially a compulsory license for future use of the patented technology during the life of the patents. Indeed, pre-verdict and post-verdict royalties are “fundamental[ly] differen[t].” XY, LLC v. Trans Ova Genetics, 890 F.3d 1282, 1397 (Fed. Cir. 2018). When setting an ongoing royalty for future use, the district court should consider “the change in the parties’ bargaining positions, and the resulting change in economic circumstances.” See id., (“When patent claims are held to be not invalid and infringed, this amounts to a ‘substantial shift in the bargaining position of the parties.”’) (quoting ActiveVideo Networks, Inc. v. Verizon Commc’ns, Inc., 694 F.3d 1312, 1342 (Fed. Cir. 2012)). Such differences include a Court’s determination that certain of the patents at issue are valid, enforceable, and would be infringed by the accused products. See id. The Court should analyze future royalties in the context of the Georgia-Pacific factors. Indeed, this is the approach adopted by other district courts, after modifying the Georgia-Pacific analysis to resolve any uncertainty as to whether the accused product will infringe the patent 164 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 165 of 178 PageID# 24051 claims, whether the asserted patents are enforceable, and whether the asserted patent claims are valid. See Creative Internet Advert. Corp. v. Yahoo! Inc., 674 F. Supp. 2d 847, 860 (E.D. Tex. 2009); Paice LLC v. Toyota Motor Corp., 609 F. Supp. 2d 620, 623-24 (E.D. Tex. 2009); Boston Sci. Corp. v. Johnson & Johnson, No. C 02-00790 SI, 2009 WL 975424 (N.D. Cal. Apr. 9, 2009). As discussed supra, this Court has analyzed the Georgia-Pacific factors in the context of past damages. The Court, here, incorporates its analysis of the previous Keysight license but takes into consideration the distinct differences in determining a past damages award as opposed to an ongoing royalty. Therefore, as it did before, the Court FINDS the Keysight license as a comparable license for use in determining ongoing royalties. In light of that, the Court FINDS an appropriate future royalty is 10% on the APPORTIONED REVENUES OF THE INFRINGING PRODUCTS FOR THREE (3) YEARS, beginning June 21, 2020 and payable annually beginning June 20, 2021, without interest. The revenues shall be apportioned in the same manner as the pre-judgment damages, and shall apply to the infringing technology as described in the Court’s Findings of Fact and Conclusions of Law. Successor products to the infringing product shall pay the same percentage royalty on sales revenue as applied to the current infringing products, so long as the successor products contain any technology found to infringe in this Opinion and Order. As to the four patents infringed, assigning different nomenclature to infringing products, or to Cisco’s software technology found to infringe, shall not relieve Cisco of its obligation to pay its royalty. After this three-year term, the Court FINDS the royalty should be decreased to 5% FOR ANOTHER THREE (3) YEAR TERM. Due to Cisco’s dominant position in the cyber security software and firewall markets and the resulting damage to Centripetal as the first inventor the Court FINDS a six year term is called for in lieu of the three year term agreed upon in Keysight. Similar to the Keysight license, the Court imposes a minimum and maximum on the imposed 165 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 166 of 178 PageID# 24052 ongoing royalty. For the first three-year term at 10%, such annual royalty shall not be less than $167,711,374.10 and shall not be more than $300,076,834. For the second three-year term at 5%, such annual royalty shall not be less than $83,855,867.00 and shall not be more than $150,038,417. The maximum and minimum of each year is based upon the highest and lowest years of apportioned revenues per a full year of infringement from the 2017-2020 time frame. See Doc. 411 Ex. 7. Similarly, the maximum and minimum is reduced by one-half during the second three year term to reflect the reduced royalty rate. See id. At the conclusion of this second term of three years, there shall be no further monetary payments or other relief for the sale or use of the infringing products or their successors 25. VII. CONCLUSION For the reasons stated within, the Court FINDS the ‘856 Patent, the ‘176 Patent, the ‘193 Patent, and the ‘806 Patent claims valid and literally INFRINGED and the ‘205 Patent NOT INFRINGED. The Court FINDS the actual damages suffered by Centripetal as a result of infringement total $755,808,545; that the infringement was willful and egregious and shall be enhanced by a factor of 2.5x to equal $1,889,521,362.50. The Court awards pre-judgment interest of $13,717,925 applied to the actual damages before enhancement plus its costs. This, accordingly, equals a total award of $1,903,239,287.50 payable in a lump sum due on the judgment date. The Court, additionally, imposes a running royalty of 10% on the apportioned sales of the accused products and their successors for a period of three years followed by a second three year term with a running royalty of 5% on said sales upon the terms described supra. It DENIES any further relief to Centripetal at the termination of the second three year term. 25 The minimums and maximums are based upon the minimum apportioned annual revenue of $167,711,374.10 for the period of June 20, 2017 to June 20, 2018 and the maximum apportioned annual revenue of $300,076,834.00 for the period of June 20, 2018 to June 20, 2019. 166 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 167 of 178 PageID# 24053 The Clerk is REQUESTED to electronically deliver a copy of this Opinion and Order to all counsel of record. It is SO ORDERED. /s/ HENRY COKE MORGAN, JR. SENIOR UNITED STATES DISTRICT JUDGE October 5, 2020 Norfolk, Virginia 167 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 168 of 178 PageID# 24054 APPENDIX A EXPLANATION OF ABBREVIATIONS Computer engineers use abbreviations to describe basic functionality as well as to describe the specific functionality of individual patented technology. To assist with interpreting their testimony and documents, the Court has compiled a list of the abbreviations used in the testimony and documents cited in this opinion. ACL Access Control List ACE Access Control Entry ANC Adaptive Network Control ASA Adaptive Security Appliance ASDM Adaptive Security Device Manager ASR Aggregation Services Router ASIC Application-Specific Integrated Circuit CLI Command Line Interface CPU Central Processing Unit CRM Computer-Readable Media CSIRT Computer Security Incident Response Team CTA Cognitive Threat Analytics CTI Cyber Threat Intelligence DNA Digital Network Architecture Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 169 of 178 PageID# 24055 DNS Domain Name Server DOE doctrine of equivalents ETA Encrypted Traffic Analytics FC Flow Collector FMC Firepower Management Center GACL Group Access Control List HTTP/HTTPS HyperText Transfer Protocol (Secure) ISE Identity Services Engine IDP Initial Data Packet IDS Intrusion Detection System IOS-XE Internetwork Operating System – XE IT Manager Information Technology Manager ISR Integrated Services Router IP Internet Protocol IPR inter partes review IPS intrusion prevention system IDS intrusion detection system 2 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 170 of 178 PageID# 24056 ML Machine Learning NAT network address translation NSEL NetFlow Secure Event Logging PBC Packet Buffer Complex PTAB Patent Trial and Appeals Board SD-Access Software Defined Access SGACL Security Group Access Control List SGT Security Group Tag SPLT Sequence of Packet Lengths and Times SIO Security Intelligence Operations SIP Session Initiation Protocol Stealthwatch Stealthwatch Enterprise SLIC Stealthwatch Labs Intelligence Center SMC Stealthwatch Management Console SMTP Simple Mail Transfer Protocol SNI Server Name Indication SSL Secure Sockets Layer 3 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 171 of 178 PageID# 24057 TID Threat Intelligence Director TCAM Ternary Content-Addressable Memory TCP Transmission Control Protocol TCP/IP Transmission Control Protocol/Internet Protocol TLS Transport Layer Security UADP Unified Access Data Plane URI Uniform Resource Identifier URL Uniform Resource Locator VoIP Voice over Internet Protocol VMR Virtual Media Recorder VPN Virtual Private Network 4 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 172 of 178 PageID# 24058 APPENDIX B OUTLINE OF COURT’S PROTOCOLS FOR TRIAL B. Exhibits 1. Exhibit Lists The parties have segregated the documents, summaries and other exhibits that may be offered into evidence at trial into exhibit lists. A joint Exhibit List, including documents identified by both parties and not objected to, is attached as Exhibit A; Centripetal's Exhibit List and Defendants' objections thereto are attached as Exhibit B; Defendants' Exhibit List and Centripetal's objections thereto are attached as Exhibit C. The parties reserve the right to object to any additional documents sought to be added to the Exhibit Lists and further reserve the right to object to any additional documents added to the Exhibit Lists under the Federal Rules of Evidence, the Federal Rules of Civil Procedure, or any other appropriate basis. 2. Efforts to Resolve Objections The parties have been working diligently to resolve or narrow all objections lodged as to their respective exhibits. The parties have successfully resolved many objections and will continue their effo1is to resolve the objections to each other's proposed exhibits. 3. Exhibits to Which No Objections Have Been Made The parties agree that the documents, summaries and other exhibits listed on their Exhibit Lists to which no objection has been specified may be introduced into evidence, without the necessity of further proof of admissibility through a witness, subject to foundational requirements, provided that a witness offers testimony about the exhibit at trial, either live or by deposition. This is without prejudice to motions in Limine and Daubert motions concerning certain of these documents and related testimony. Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 173 of 178 PageID# 24059 4. Cross Examination and Impeachment Exhibits The Exhibit Lists set forth the parties' exhibits for their respective cases-in-chief; the lists do not include potential cross examination or impeachment exhibits that may or may not be introduced into evidence. The Exhibits Lists also include documents relied upon by experts in rendering opinions which may or may not be introduced into evidence. The parties reserve the right to offer exhibits for purposes of impeachment that are not included in the Exhibit Lists. 5. Authenticity Stipulations For Exhibits The Parties stipulate to the authenticity of each document that on its face appears to be generated by a party (plaintiff or defendant), including documents generated by its employees during the course of their employment for a party, and produced in this case by that party. Notwithstanding this stipulation, each party preserves its right to object to the document on any ground other than authenticity. C. Procedures Regarding Witnesses and Exhibits The parties are required to disclose the expected order in which the witnesses will be called, and use good faith in identifying non-demonstrative exhibits that are intended to be used in the direct testimony of each witness or as part of opening statements. Each party must identify to opposing counsel the identity of any live witnesses to be called at trial (and the order in which they will be called) by no later than 6:30 p.m.26three (3) calendar days before the trial day on which that witness is expected to testify (e.g., witnesses to be called on Tuesday must be disclosed by 6:30 p.m. the preceding Saturday). Except for when a fact witness is testifying during trial, fact witnesses are not permitted to witness or have access to the trial proceedings in any manner until after that fact witness has 26 All times identified herein are Eastern Time. 2 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 174 of 178 PageID# 24060 completed all testimony that witness will provide at trial. The only exception is the parties' client representative, who will be allowed to witness and have access to the trial proceedings, even if testifying in the case. Expert witnesses may have access to the trial proceedings while other witnesses are testifying. Any exhibits to be used on direct examination with any live witness must be identified by no later than 7 p.m. two (2) calendar days before the start of the trial day on which that exhibit will be offered (e.g., the exhibit(s) for witnesses to be called on Tuesday must be disclosed by 7 p.m. the preceding Sunday). Objections to exhibits disclosed by a party must be provided by 8 p.m. two (2) calendar days before the start of the trial day on which that exhibit will be offered (e.g., objections to exhibits for witnesses to be called on Tuesday must be provided by 8 p.m. the preceding Sunday). The parties will each designate one or more counsel who shall meet and confer regarding any such objections by 8:30 p.m. on the day when the objections are provided. The notice provisions above shall not apply to illustrative exhibits created in the virtual courtroom during testimony or to the enlargement, highlighting, ballooning, or excerpting of trial exhibits, demonstratives, or testimony, so long as the underlying exhibit is pre-admitted or the party has identified the exhibit or deposition testimony according to the agreed schedule. The parties will cooperate in seeking to have the Court resolve any objections they are unable to resolve among themselves prior to the proposed testimony. Each party will deliver exhibits to the Court that it anticipates using on direct examination by 9 a.m. ET the day of the direct examination in the form of a witness binder. Each party will deliver exhibits to the Court 3 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 175 of 178 PageID# 24061 that it anticipates using on cross-examination by 9 a.m. ET the day of the cross-examination, and to opposing counsel by e-mail prior to commencing cross-examination. Any document that on its face appears to have been authored or prepared by an employee, officer, or agent of a party, or was produced from the files of a party, shall be deemed primafacie authentic under F.R.E.901 and 902, subject to the right of the party against whom such a document is offered to introduce evidence to the contrary. The parties reserve the right to add additional deposition designations to establish the foundation and authenticity of an exhibit to the extent the admissibility of a particular document is challenged. Legible or better quality copies may be offered and received in evidence in lieu of originals thereof, subject to all foundational requirements and other objections which might be made to the admissibility of such originals, and subject to the right of the party against whom they are offered to inspect an original upon request. The parties may use electronic, native versions of exhibits that are spreadsheets or slide presentations to the extent such documents were produced during discovery or otherwise agreed to by both parties. D. Procedures Regarding Deposition Testimony and Discovery Response Designations The parties are required to provide opposing counsel the identity of any deposition designations or designations of discovery responses and a list of any exhibits to be introduced along with those designations according to the schedule set forth above for disclosure of witnesses/exhibits. Objections and counter-designations to any such designations disclosed by a party will be provided according to the schedule set forth above for objections to exhibits. For 4 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 176 of 178 PageID# 24062 deposition testimony, the party introducing the deposition testimony shall be responsible for editing the deposition testimony to include the testimony and any counter-designation testimony, and remove any attorney objections, and provide a final version of the deposition testimony excerpts (testimony clip report) to the other party by 6:30 p.m. the day before the testimony is to be submitted, read or played to the Court. The parties will each designate one or more counsel who will meet and confer regarding any objections, including objections to any applicable counterdesignations 27, by 8:30 p.m. the same day that such objections are disclosed. The parties will cooperate in seeking to have the Court resolve any objections they are unable to resolve among themselves prior to the proposed testimony or presentation of a discovery response. Each side is to provide the discovery response or deposition testimony excerpts of the specific portions of the deposition video(s) to be played or read, to opposing counsel and to the Court at the time each such designation is presented to Court. The parties agree that any counter-designations, to which the other party did not object or to which the Court overruled the objection, will be included in the designation of discovery responses or testimony clip report of deposition designations, and that passages of testimony from a deposition will be presented chronologically. The parties further agree to withdraw any objections or attorney colloquy contained with the deposition designations by both sides to the extent possible. For allocating time between the parties for witnesses presented by deposition, witnesses presented by video or read testimony will be divided by the actual time for designations and counter-designations by each party. For witnesses presented by read testimony, the allocation 27 The parties agreed not to serve objections to counter-designations as part of this pretrial order, and to raise necessary objections to such counter designations at the time of trial. 5 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 177 of 178 PageID# 24063 of trial time will be determined by the ratio of deposition testimony lines designated by each party to the total number of lines read by that witness. No time will be allocated to the parties for deposition testimony submitted to the Court as an exhibit only, with no video or read testimony. Deposition summaries will be offered at trial as appropriate pursuant to Local Rule 30(G). All testimony clip reports for deposition testimony provided to the Court will be admitted as a trial exhibit. The parties' current deposition designations, objections, and counter-designations are attached as Exhibit D (Centripetal) and Exhibit E (Defendant). The parties' discovery responses designations, objections, and counter-designations are attached as Exhibit F (Centripetal) and Exhibit G (Defendant). III. Witnesses The parties agree that for current employees of a party, any such witness that such party expects to call in their case-in-chief will appear live by video. For those non-employee witnesses who will be called in a party's case-in-chief via deposition, the parties agree that any counterdesignated testimony will be presented to the Court together with the designated deposition testimony, subject to the resolution of any objections to the designated or counter-designated testimony, as discussed above. The parties also agree that a party who wishes to call an employee of the other party as part of its case-in-chief can do so by deposition, regardless of the availability of that witness to testify live. The parties agree that all fact and expert witnesses will provide any trial testimony from a location remote from their lawyers or staff working on this matter. A remote location means a home, building or office different from any home, building or office where lawyers or staff working on this matter are present. Furthermore, while providing testimony at trial, no witness 6 Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 178 of 178 PageID# 24064 shall access any form of communication other than the Zoom video or audio feed provided by the Court. Once sworn, no witness shall communicate with anyone else regarding the substance of the witness's testimony (absent express permission of the Court) until such time as the witness is excused by the Court from further participation in the trial. The agreement reflected in the foregoing sentence does not apply to fact witnesses or Dr. Medvidovic, Dr. Striegel, and Dr. Almeroth should they be called to testify on more than one occasion during the trial. For such witnesses, the parties agree that they will not communicate or speak with the witness once he begins testimony on the subject matter for which they are in the middle of testimony, as delineated by the Court. Once the witness has completed such testimony and leaves the stand, that witness can speak with counsel before taking the stand to testify at a later time during the trial. 7

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?