Free Letter - District Court of Delaware - Delaware

Case 1:04-cv-01199-SLR

Document 548-4

Filed 09/15/2008

Page 1 of 9

C

Case 1:04-cv-01199-SLR

Document 548-4

Filed 09/15/2008

Page 2 of 9

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF DELAWARE

SRI INTERNATIONAL,

INC.,

)
)

Plaintiff, v.

)
)

)
)

Civ. No. 04-1199-SLR

INTERNET SECURITY SYSTEMS, ) INC. (a Delaware corporation) ,) INTERNET SECURITY SYSTEMS, ) INC. (a Georgia corporation) ) and SYMANTEC CORPORATION, )
)

Defendants.

)

MEMORANDUM ORDER

At Wilmington this 17 th day of October, 2006, having heard oral argument and having reviewed the papers submitted in connection with the parties' proposed claim construction; IT IS ORDERED that the disputed claim language in United States Patent Nos. 6,484,203 '212 patent"), 6,321,338 ("the '203 patent"), 6,708,212 ("the ("the

("the '338 patent") and 6,711,615

'615 patent"), as identified by the above referenced parties, shall be construed consistent with the tenets of claim construction set forth by the United States Court of Appeals for the Federal Circuit in Phillips v. AWH Corp., 415 F.3d 1303 Cir. 2005), as follows:
1.

(Fed.

Terms of art applicable to all patents in suit:

Case 1:04-cv-01199-SLR

Document 548-4

Filed 09/15/2008

Page 3 of 9

a.

"Network":

A collection of software and/or

hardware interconnected by communication links for sharing information.
b. "Packet":

A group of data bytes which represents a

specific information unit with a known beginning and end.
c. "Event":

An action or occurrence detected by

software.
2. "Network monitors"::

Software and/or hardware that can

collect, analyze and/or respond to data. The above limitation has been construed broadly, as the words used are words well known in the art and it does not appear from the specification' that the patentees were acting as their own lexicographers. The court recognizes, consistent with

defendants' proposed construction, that the specification does describe the network monitors as using "the same monitor codebase" to provide a "reusable software architecture" that accommodates "[c]ustomizing and dynamically configuring" the
monitors.

('203 patent, col. 10, 11. 29-36)

However, the

disputed claim language does not track the language of the specification and the court declines to read further limitations 'All patents, multiple claims. 'Because this limitation is included in all the patents in suit and in multiple claims, and because the specifications of all the patents in suit are substantially similar, the court will refer to the specification of the '203 patent unless otherwise indicated.
2

Case 1:04-cv-01199-SLR

Document 548-4

Filed 09/15/2008

Page 4 of 9

into the claims.
3.

"Deploying a plurality of network monitors":3

Configuring and/or installing two or more network monitors. Consistent with the above construction of "network monitor," software is configured and hardware is installed.
4.

"Hierarchical event monitoring [and analysisl":'

Network monitors, arranged in two or more levels, interoperate in order to analyze and respond to network activity.
('203 patent, col. 2, 11. 56-65; col.

9, 11. 21-34)

5.

"Hierarchical monitor/hierarchically higher network

monitor":5

A network monitor that receives data from at least

one network monitor that is at a lower level in the analysis hierarchy.
('203 patent, col. 2,

11. 56-65; col. 3, 11. 51-55) A network monitor that provides

6.

"Service monitor":'

local real-time analysis of network packets transmitted by a network entity, such as a gateway, router, firewall or proxy
server.
('203 patent, col.

2, 11. 66 to col. 3, 11. 2)

3'203,

'212 and '615 patents, multiple claims.

"203 and '615 patents, multiple claims. '212 and '615 patents, multiple claims, and '338 patent, claim 13. 5'203, "203, '212 and '615 patents, multiple claims.
3

Case 1:04-cv-01199-SLR

Document 548-4

Filed 09/15/2008

Page 5 of 9

7.

"Domain monitor":'

A network monitor that receives and

analyzes data from service monitors. ('203 patent, col. 3, 11. 23-27) 8.
"Enterprise monitor":'

A network monitor that receives

and analyzes data from domain monitors. ('203 patent, col. 3, 11.43-44) 9.
"Peer-to-peer relationship":'

A relationship between

two or more network monitors at the same level in an analysis hierarchy which allows the monitors to share data. ('203 patent, col. 3, 11. 32-36) 10.
"Automatically receiving and integrating reports of

suspicious activity":10

Without user intervention, receiving

reports of suspicious activity and combining those reports into a different end product; i.e., something more than simply collecting and reiterating data. ('203 patent, col. 7, 11. 37-54 and 11. 64 to col. 8, 11. 3;
D.l. 266, ex. P)

11.

"Correlating/correlates":"

Combining the reports to

7'20],

'212 and '615 patents, multiple claims. '212 and '615 patents, multiple claims. , 212 and '615 patents, multiple claims. ' 212 and '615 patents, multiple claims.

8\203, 9\203,

10'203,
11'203,

, 212 and '615 patents, multiple claims, and ' 338 patent, claim 15. 4

Case 1:04-cv-01199-SLR

Document 548-4

Filed 09/15/2008

Page 6 of 9

reflect underlying commonalities.
('203 patent, claim 2 at col. 14, 11. 36-38) 12.

"Responding

./invoking countermeasures":12

Taking

an action in response, including both passive and active responses.
('203 patent, col. 11, 11. 33-44) 13.

"Building at least one long-term and at least one

short-term statistical profile from at least one measure of the network packets":"

Generating at least two separate data

structures, one a statistical description representative of historical network activity, and one a statistical description of recent network activity, where the statistical descriptions are based on at least one measure of the network packets and are generated through the use of statistical analysis; i.e., something more than simply collecting and retrieving data.
('338 patent, col. 5, 11. 36-52; col. 6,

11. 38-60; col. 12,

11. 47-52; D.l. 268, ex. N) The specification incorporates by reference a specific statistical analysis technique disclosed in "A. Valdes and D. Anderson, 'Statistical Methods for Computer Usage Anomaly

Detection Using NlDES', Proceedings of the Third lnternationa Workshop on Rough Sets and Soft Computing, January 1995."
( '338

12All patents, multiple claims.
1)'338 patent, multiple claims.
5

Case 1:04-cv-01199-SLR

Document 548-4

Filed 09/15/2008

Page 7 of 9

patent, col. 5, 11. 41-49)

Although the court acknowledges that

the specification also indicates that the "profile engine can use a wide range of multivariate statistical measures to profile network activity indicated by an event stream"
('338 patent, col.

5, 11. 37-39), nevertheless, the court concludes that the specification and referenced article require that some manipulation of the data take place; i.e., generating a "statistical" profile means more than collecting and retrieving data. 14.
"Determining whether the difference between the short-

term statistical profile and the long-term statistical profile indicates suspicious network activity":"

Using the result of

the comparison to decide whether the monitored activity is suspicious.
('338 patent, col. 12, 11. 47-65)

15.

"A statistical detection method":15

A method of

detecting suspicious network activity by applying one or more statistical functions in the analysis of network traffic data. This method is not a signature matching detection method. ('212 patent, col. 5, 11. 46-61; claim 3 at col. 15, 11. 1921)

"'338 patent, claims 1, 11, 21,

24 and 25)

15'212 and '615 patents, multiple claims.
6

Case 1:04-cv-01199-SLR

Document 548-4

Filed 09/15/2008

Page 8 of 9

16.

"A signature matching detection method":"

A method of

detecting suspicious network activity by comparing observed network traffic data to known patterns. ('212 patent, col. 7, 11. 33-51) 17.
"A virtual private network":

A network that uses

encryption to securely transmit network packets via a public network. This is an agreed upon construction. 18.
"Firewall":

An interface between two networks that

enforces a security policy. This is an agreed upon construction. 19.
"Proxy server":l7

A server that mediates communication

between a client application, such as a Web browser, and a real
server.

It handles requests to the real server to see if it can

fulfill the requests itself; if not, it forwards the requests to the real server. component. (D.I. 266, ex. M at SYM_P_0498228) 20.
"API":18

The proxy server can serve as a firewall

The interface between the application

software and the application platform, across which all services are provided. 16'212 patent, multiple claims. 17All patents, multiple claims. 18'203, '212 and '615 patents, multiple claims.
7

Case 1:04-cv-01199-SLR

Document 548-4

Filed 09/15/2008

Page 9 of 9

(D.l. 266, exs. R, S)

-u-n-*:it=at~

Judge

8