09:03:11
`
`09:03:16
`
`09:03:19
`
`09:03:21
`
`09:03:24
`
`09:03:28
`
`09:03:31
`
`09:03:35
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`09:03:40
`09:03:46 10
`09:03:48 11
`09:03:52 12
`09:03:55 13
`09:03:56 14
`09:03:59 15
`09:04:02 16
`09:04:03 17
`09:04:05 18
`09:04:26 19
`09:04:33 20
`09:04:35 21
`09:04:37 22
`09:04:43 23
`09:04:45 24
`09:04:47 25
`
`1960
`
` THE COURT: Good morning. Let's get the witness
`
`back on the stand.
`
`Do you have an issue, Mr. Andre?
`
`MR. ANDRE: A housekeeping issue. I want to
`
`make sure we don't waive any kind of Rule 50 motions. When
`
`Symantec finishes its case, they won't be officially
`
`resting. They will all rest this afternoon. We will do the
`
`Rule 50 motions all at one time, so we don't have to
`
`piecemeal it.
`
`They may finish their case today. We didn't
`
`want to waive our Rule 50 motions.
`
`MR. PAK: We are not going to argue it's
`
`untimely.
`
`MS. KOBIALKA: I am sorry, Your Honor. There is
`
`also an issue about the very next witness that they have
`
`slated to testify.
`
`THE COURT: We will talk about it later.
`
`MS. KOBIALKA: All right.
`
`(Jury enters courtroom at 9:04 a.m.)
`
`THE COURT: Good morning, members of the jury.
`
`Please, take your seats.
`
`We will resume.
`
`MR. PAK: May I proceed, Your Honor.
`
`THE COURT: Yes, you may.
`
`BY MR. PAK.
`
`1958
`
`Civil Action
`
`No. 10-593-GMS
`
`
`IN THE UNITED STATES DISTRICT COURT
`IN AND FOR THE DISTRICT OF DELAWARE
`
`
`-
`- -
`FINJAN, INC.,
`)
`
`)
` Plaintiff,
`)
`
`)
` v.
`)
`
`)
`)
`SYMANTEC CORP.,
`WEBROOT SOFTWARE, INC.,
`)
`WEBSENSE INC., and SOPHOS, INC., )
`
`)
` Defendants.
`)
` - - -
`
`Wilmington, Delaware
`Wednesday, December 12, 2012
`
`
`9:00 a.m.
`
`Day 9 of Trial
` - - -
`BEFORE: HONORABLE GREGORY M. SLEET, Chief Judge,
` and a Jury
`APPEARANCES:
`PHILIP A. ROVNER, ESQ.
`
`Potter Anderson & Corroon LLP
`
` -and-
`PAUL J. ANDRE, ESQ.,
`
`
`LISA KOBIALKI, ESQ.,
`
`JAMES HANNAH, ESQ.,
`
`HANNAH LEE, ESQ., and
`
`JONATHAN S. CAPLAN, ESQ.
`
`Kramer Levin
`
`(Redwood Shores, CA)
` Counsel for Plaintiff
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`08:43:56
`
`1959
`
`1961
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`APPEARANCES CONTINUED:
`
` DENISE SEASTONE KRAFT, ESQ.
` DLA Piper LLP (US)
` -and-
` JOHN ALLCOCK, ESQ.,
` KATHRYN RILEY GRASSO, ESQ., and
` SEAN CUNNINGHAM, ESQ.
` DLA Piper LLP (US)
` (San Diego, CA)
`
` Counsel for Defendant
` Sophos, Inc.
`
` MARYELLEN NOREIKA, ESQ.
` Morris Nichols Arsht & Tunnell LLP
` -and-
` JENNIFER A. KASH, ESQ.,
` DAVID NELSON, ESQ., and
` SEAN PAK, ESQ.
` Quinn Emanuel
` (San Francisco, CA)
`
` Counsel for Defendant
` Symantec Group
`
` THOMAS C. GRIMM, ESQ.
` Morris Nichols Arsht & Tunnell LLP
` -and-
` ANTHONY M. STIEGLER, ESQ., and
` JOHN KYLE, ESQ.
` Cooley LLP
` (San Diego, CA)
`
` Counsel for Websense Inc.
`
` - - -
`
`19
`20
`21
`22
`23
`24
`25
`1 of 107 sheets
`
` ... BRUCE M. MAGGS, having been previously
`
`sworn as a witness, was examined and testified further
`
`as follows ...
`
`09:04:48
`
`09:04:48
`
`09:04:50
`
`09:04:50
`
`09:04:54
`
`Good morning, Doctor.
`
`Good morning.
`
`Before we delve into the '194 patent, I want us to do
`
`a quick recap of where we were yesterday before we took our
`
`break for the night. To remind us, were you here, Doctor,
`
`when Dr. Medvidovic demonstrated the Symantec web Gateway
`
`1
`2
`3
`4
` DIRECT EXAMINATION CONTINUED
`5 Q.
`6 A.
`7 Q.
`8
`9
`09:04:57
`09:05:02 10
`09:05:07 11
`product?
`09:05:07 12 A.
`09:05:08 13 Q.
`09:05:10 14
`was trying to demonstrative through that demonstration?
`09:05:14 15 A.
`09:05:19 16
`the Matrix software component of the web Gateway product,
`09:05:27 17
`09:05:32 18
`infringing manner.
`09:05:33 19 Q.
`09:05:36 20
`was in that particular demonstration?
`09:05:38 21 A.
`09:05:40 22 Q.
`09:05:44 23
`he believed that the Matrix component was the component that
`09:05:47 24
`detected and locked the ActiveX file?
`09:05:50 25 A.
`Page 1958 to 1961 of 2217
`
`Yes, I was.
`
`And what was your understanding of what Dr. Medvidovic
`
`It appeared to me that he was trying to demonstrate
`
`preventing a downloadable from reaching the client in an
`
`And do you recall what type of file the downloadable
`
`It was an ActiveX file.
`
`And do you recall that Dr. Medvidovic testified that
`
`Yes. He said that.
`
`12/12/2012 08:41:09 PM
`
`BLUE COAT SYSTEMS - Exhibit 1003 Page 1
`
`

`
`1962
`
`1964
`
`Now, based on the actual source code reviewed and the
`
`that Dr. Medvidovic's demonstration actually showed the
`
`No. Matrix didn't block that ActiveX file.
`
`Is it possible for Matrix to ever block ActiveX files?
`
`Matrix can't scan ActiveX files. I have looked at the
`
`only looks for Visual Basic Script or JavaScript or html.
`
`And furthermore, it doesn't even make sense to perform the
`
`step of tokenization on an ActiveX file because that's not
`
`And have you looked into the issue of which component
`
`09:05:51 1 Q.
`09:05:55 2
`testimony that you heard from Mr. Coleman, is it possible
`09:05:59 3
`09:06:03 4
`operation of the accused Matrix components?
`09:06:06 5 A.
`09:06:03 6 Q.
`09:06:09 7 A.
`09:06:15 8
`code. In fact, Dr. Coleman showed the code where Matrix
`09:06:18 9
`09:06:23 10
`09:06:26 11
`09:06:30 12
`source code. It's machine code.
`09:06:33 13 Q.
`09:06:37 14
`inside of the Symantec product actually blocked the ActiveX
`09:06:40 15
`file that Dr. Medvidovic showed us?
`09:06:42 16 A.
`09:06:43 17 Q.
`09:06:44 18 A.
`09:06:47 19 Q.
`09:06:52 20
`use?
`09:06:52 21 A.
`09:06:55 22 Q.
`09:06:56 23
`09:07:00 24
`09:07:03 25
`
`Yes, I have.
`
`And which component was that again?
`
`It's called the Trojan scanner.
`
`And what type of technology does the Trojan scanner
`
`It's a signature-based technology.
`
`Thank you, Doctor.
`
`Yesterday, we also discussed your views on the
`
`term "behavior" or "behavior-based technology" as a
`
`marketing term. Do you recall that?
`
`claim present? And if it is present, is it in the right
`
`Mr. Shirazi, let's have SYMDX12-2.
`
`Doctor, I'd like to focus your attention on the
`
`second limitation that includes the phrase, "The
`
`downloadable security profile data includes a list of
`
`suspicious computer operations."
`
`Do you recall identifying that as the missing
`
`Well, actually, the whole limitation is missing,
`
`it's missing is because there is never a creation of a list
`
`of suspicious computer operations that's included in a
`
`And based on the source code, is the Matrix component
`
`profile data that includes a list of suspicious computer
`
`It doesn't do that.
`
`And did Dr. Medvidovic, in performing his infringement
`
`09:08:17 1
`09:08:21 2
`place, meaning, is it's in Symantec's software?
`09:08:25 3 Q.
`09:08:32 4
`09:08:35 5
`09:08:38 6
`09:08:41 7
`09:08:45 8
`09:08:47 9
`limitation in the accused Symantec products?
`09:08:49 10 A.
`09:08:53 11
`starting with the word "comparing," but the primary reason
`09:08:56 12
`09:08:59 13
`09:09:04 14
`downloadable security profile data.
`09:09:07 15 Q.
`09:09:11 16
`capable of creating or extracting a downloadable security
`09:09:16 17
`09:09:20 18
`operations?
`09:09:20 19 A.
`09:09:23 20 Q.
`09:09:25 21
`presentation to us, actually cite or analyze any source code
`09:09:28 22
`for this particular notation?
`09:09:31 23 A.
`09:09:34 24
`does this or any source code at all.
`09:09:36 25 Q.
`
`No, he didn't. He didn't show any source code that
`
`And were you here, sir, when Mr. Coleman testified and
`
`Yes.
`
`explained to us and showed us the actual source code that
`
`Yes or no, sir, do you believe that Finjan's patents
`
`corresponded to the actual operation of the Matrix
`
`1963
`
`1965
`
`No.
`
`And why not?
`
`Well, it, with any patent, you actually have to look
`
`of the patent is. And the language there is, it's pretty
`
`specific. It explains exactly what's covered. And it
`
`certainly doesn't encompass all behavior blocking
`
`technology, especially as that term is used, to cover a wide
`
`He did show a portion of that, and I did see that.
`
`And have you had a chance to analyze the source code
`
`Yes. I was well familiar with that source code before
`
`And what does that source code tell us?
`
`What he showed was a portion of the source code where,
`
`09:09:39 1
`1 A.
`09:09:43 2
`09:07:06 2 Q.
`09:09:46 3
`09:07:08 3
`component?
`cover all forms of behavior technology for blocking viruses
`09:09:46 4 A.
`09:07:13 4
`and malware?
`09:09:49 5 Q.
`09:07:14 5 A.
`09:09:51 6
`09:07:15 6 Q.
`independently and verify that Mr. Coleman is correct about
`09:09:54 7
`09:07:16 7 A.
`the operation of the source code?
`09:09:55 8 A.
`09:07:21 8
`at the specific language in the claims to see what the scope
`09:09:57 9
`09:07:24 9
`he presented it.
`09:09:58 10 Q.
`09:07:29 10
`09:10:01 11 A.
`09:07:32 11
`09:10:05 12
`09:07:36 12
`after the signatures have been applied against the tokenized
`09:10:10 13
`09:07:40 13
`variety of things.
`09:10:13 14
`09:07:41 14 Q.
`09:10:16 15
`09:07:47 15
`appear in the patents?
`09:10:19 16
`09:07:48 16 A.
`09:10:23 17
`09:07:52 17 Q.
`09:10:29 18
`09:07:55 18
`I promised you yesterday, what we are going to do is walk
`09:10:32 19
`09:07:59 19
`09:10:34 20
`09:08:02 20
`and have you respond to that evidence. Are you with me?
`09:10:36 21
`09:08:06 21 A.
`signatures, not suspicious operations.
`09:10:39 22 Q.
`09:08:07 22 Q.
`09:10:43 23
`09:08:12 23
`the AV engine?
`limitation, what are the two questions you are asking
`09:10:44 24 A.
`09:08:14 24
`yourself?
`09:10:48 25
`09:08:15 25 A.
`identification number, indicating which signature matched.
`What I would ask myself is: Is this limitation in the
`12/12/2012 08:41:09 PM
`Page 1962 to 1965 of 2217
`2 of 107 sheets
`
`Does the term "behavior" or "behavior blocking" ever
`
`signatures matched.
`
`version of the JavaScript, there is a list of which
`
`No. The term "behavior" isn't in the patents.
`
`where a single one of those signatures is selected, and the
`
`With that recap, let's go back to the '194 patent. As
`
`identification for that signature is referred to the AV
`
`engine, which will then decide what to do about it.
`
`through each piece of evidence that Dr. Medvidovic presented
`
`I note that that wasn't a list of operations.
`
`That was just a list of identification numbers of
`
`And the source code he showed was the point
`
`Yes, I am with you.
`
`Great. Remind us, as we look at each claim
`
`And remind us again, what is actually returned back to
`
`It's a number. It's called a threat I.D., an
`
`BLUE COAT SYSTEMS - Exhibit 1003 Page 2
`
`

`
`1966
`
`1968
`
`Is that a list of anything?
`
`No. It's just one number.
`
`Even if multiple signatures were detected, does it
`
`One number.
`
`Now, let's look at the first document that
`
`09:10:50 1 Q.
`09:10:51 2 A.
`09:10:54 3 Q.
`09:10:56 4
`return a single number or multiple numbers?
`09:11:00 5 A.
`09:11:01 6 Q.
`09:11:04 7
`Dr. Medvidovic presented to us as part of his infringement
`09:11:08 8
`09:11:14 9
`09:11:16 10
`09:11:21 11
`written by Darren Chi. Do you recall that?
`09:11:25 12 A.
`09:11:25 13 Q.
`09:11:28 14
`have seen this figure several times in the trial.
`09:11:32 15
`09:11:34 16
`09:11:38 17
`are discussing now?
`09:11:39 18 A.
`09:11:40 19 Q.
`09:11:44 20
`identified the threat definition execution unit as the
`09:11:47 21
`09:11:51 22
`suspicious operations?
`09:11:52 23 A.
`09:11:56 24
`was involved in infringing the patent, yes.
`09:12:01 25 Q.
`
`analysis. Let's put up PTX-856.
`
`Do you recall, Doctor, this was the Script
`
`Scanning document relating to the project Matrix, and it was
`
`Yes.
`
`And let's turn to Page 5 in this document. I think we
`
`Do you recall that Dr. Medvidovic relied on this
`
`block diagram as evidence with respect to the limitation we
`
`Yes, I do.
`
`And, specifically, do you recall that Dr. Medvidovic
`
`component that would perform this extraction of the list of
`
`I do remember that he indicated that that component
`
`Have you had a chance now to analyze the actual source
`
`No other component does that. It's just not done.
`
`Let's look at one more point of evidence from
`
`This is the Software Design Document. Do you
`
`Yes. I have seen this.
`
`And, again, Dr. Medvidovic cited this document as
`
`09:13:13 1 A.
`09:13:17 2 Q.
`09:13:22 3
`Dr. Medvidovic's presentation. That's PTX-1071. Thank you.
`09:13:30 4
`09:13:33 5
`recall that document?
`09:13:37 6 A.
`09:13:40 7 Q.
`09:13:43 8
`purported evidence that somehow the Matrix component
`09:13:46 9
`09:13:48 10
`09:13:52 11
`09:13:53 12
`09:13:55 13
`BY MR. PAK:
`09:13:55 14 Q.
`09:13:58 15
`document?
`09:13:58 16 A.
`09:13:59 17 Q.
`09:14:01 18
`how it relates to the limitation at issue?
`09:14:04 19 A.
`09:14:08 20
`list of suspicious operations.
`09:14:11 21
`09:14:14 22
`09:14:20 23
`09:14:25 24
`or Visual Basic Script.
`09:14:27 25 Q.
`
`extracts a list of suspicious operations?
`
`THE COURT: I guess you can ask him if he
`
`observed of the doctor.
`
`MR. PAK: Thank you.
`
`Did you observe Dr. Medvidovic testifying about this
`
`Yes, I did.
`
`What is your opinion with respect to this document and
`
`This document never says anything about extracting a
`
`It talks about the signatures, which are also
`
`known as "script definitions," just confirming that what
`
`Matrix does is it applies signatures against the JavaScript
`
`Can you remind us again, how are signature scanning
`
`1967
`
`1969
`
`09:12:05 1
`09:12:08 2
`related to this figure?
`09:12:09 3 A.
`09:12:11 4 Q.
`09:12:13 5
`whether all of the components in this block diagram are
`09:12:16 6
`actually present in the Matrix source code?
`09:12:19 7 A.
`09:12:23 8
`definition unit was never implemented. It never went into
`09:12:25 9
`09:12:28 10
`didn't find it.
`09:12:29 11 Q.
`09:12:31 12
`Mr. Coleman's deposition that's SYMDX12-10. It's a little
`09:12:40 13
`09:12:43 14
`09:12:46 15
`right-hand corner of this block diagram?
`09:12:48 16 A.
`09:12:49 17 Q.
`09:12:53 18
`Mr. Coleman during his deposition?
`09:12:54 19 A.
`09:12:56 20
`pointed out that those blocks were never implemented. They
`09:12:59 21
`didn't make it into the final source code.
`09:13:01 22 Q.
`09:13:05 23
`inside the Matrix component, is there any other component
`09:13:08 24
`09:13:11 25
`suspicious operations?
`3 of 107 sheets
`
`Yes, I do.
`
`And do you recall why those hash marks were made by
`
`Yeah. My understanding is during his deposition, he
`
`So if there is no threat definition execution unit
`
`inside of Matrix that is capable of extracting a list of
`
`technologies different than what's being claimed in the '194
`
`Well, with signature scanning, there is some employee
`
`specifies a pattern that you are looking for within the
`
`downloadable to -- which would indicate if the pattern
`
`matches, that there is something wrong with it, it's bad.
`
`And with signature scanning, you take the entire
`
`downloadable and you run the signature against it and you
`
`see if you get a match. The patent describes something
`
`different, which is, you take the downloadable, you go
`
`through it, and you extract the suspicious operations. That
`
`list of suspicious operations is part of a downloadable
`
`security profile, which you then use to compare against a
`
`If there were no signatures written for the Matrix
`
`No. Because the way it works is it scans the
`
`is a match. If there were no signatures, there couldn't be
`
`Does the term "signature" appear anywhere in the '194
`
`No.
`
`12/12/2012 08:41:09 PM
`
`code and also Mr. Coleman's deposition and trial testimony
`
`Yes, I have.
`
`And what has that analysis revealed to you about
`
`Well, as Mr. Coleman testified yesterday, that threat
`
`the source code. And in my analysis of the source code, I
`
`I will show you something that came up in
`
`bit difficult to see on the screen, but do you see these
`
`hash marks through the blocks labeled toward the lower
`
`09:14:30 1
`09:14:33 2
`patent?
`09:14:33 3 A.
`09:14:38 4
`at Symantec who, in advance, crafts a signature that is --
`09:14:45 5
`09:14:48 6
`09:14:52 7
`09:14:55 8
`09:14:58 9
`09:15:00 10
`09:15:03 11
`09:15:05 12
`09:15:12 13
`09:15:15 14
`09:15:19 15
`policy and determine whether the downloadable is malicious.
`09:15:24 16 Q.
`09:15:26 17
`component, could the Matrix component protect against any
`09:15:31 18
`type of downloadable?
`09:15:36 19 A.
`09:15:39 20
`signatures and it only reports back a threat I.D. if there
`09:15:42 21
`09:15:45 22
`a match and it wouldn't report anything.
`09:15:47 23 Q.
`09:15:52 24
`patent?
`09:15:52 25 A.
`Page 1966 to 1969 of 2217
`
`BLUE COAT SYSTEMS - Exhibit 1003 Page 3
`
`

`
`1970
`
`1972
`
`Let's take a look at one more piece of evidence from
`
`If you could highlight for us this phrase,
`
`"Therefore, this sample."
`
`Do you recall the testimony of Dr. Medvidovic
`
`regarding this particular document and the statement here on
`
`09:15:53 1 Q.
`09:15:56 2
`Dr. Medvidovic's presentation. That's PTX-1224.
`09:16:04 3
`09:16:07 4
`09:16:14 5
`09:16:17 6
`09:16:20 7
`the screen?
`09:16:20 8 A.
`09:16:23 9 Q.
`09:16:29 10
`particular document?
`09:16:29 11 A.
`09:16:35 12
`particular limitation is met.
`09:16:36 13 Q.
`09:16:39 14 A.
`09:16:39 15 Q.
`09:16:41 16 A.
`09:16:43 17 Q.
`09:16:45 18 A.
`09:16:49 19
`highlight that so I can see the whole document in front of
`09:16:52 20
`09:16:53 21
`09:16:58 22
`09:17:00 23
`09:17:02 24
`09:17:06 25
`
`Yes, I do.
`
`And do you recall what he actually said about this
`
`Well, he presented this, again, as evidence that this
`
`Do you agree with that assessment?
`
`No.
`
`And why not?
`
`Well, can I explain what this document is?
`
`Absolutely.
`
`This is a signature. Could you temporarily not
`
`me?
`
`Let me just take a quick look here.
`
`Okay. Yeah. You can -- if you want to
`
`highlight something, that's fine.
`
`But this is -- this is a portion of a file that
`
`contains a number of signatures, and what we are looking at
`
`No. In the '194 patent -- we saw Figure 7, which
`
`Thank you.
`
`Let's look at another piece of evidence that Dr.
`
`Medvidovic presented. That's PTX-1022.
`
`This is taken from the Symantec Web Security
`
`Implementation Guide.
`
`If we could go to Page 279 in this document.
`
`Doctor, do you recall testimony from Finjan's
`
`09:18:29 1 A.
`09:18:36 2
`explains how each command, one after another, is examined,
`09:18:39 3
`and the suspicious ones are taken out and put on a list.
`09:18:44 4 Q.
`09:18:45 5
`09:18:49 6
`09:18:54 7
`09:18:57 8
`09:19:00 9
`09:19:08 10
`09:19:10 11
`expert regarding this particular diagram?
`09:19:14 12 A.
`09:19:16 13 Q.
`09:19:19 14
`here? What is this showing?
`09:19:21 15 A.
`09:19:24 16
`just to refresh my memory? Okay. Now can we zoom back in?
`09:19:34 17
`09:19:37 18
`configuring the product.
`09:19:38 19 Q.
`09:19:42 20
`indicates the Matrix component as a component that somehow
`09:19:46 21
`09:19:48 22
`downloadable?
`09:19:49 23 A.
`09:19:52 24
`and it doesn't say anything about a list of suspicious
`09:19:54 25
`
`Yes, I do.
`
`And before we get your opinion, what are we looking at
`
`Can you go back out so I can see the whole thing again
`
`Well, this is sort of a dialogue box for
`
`Now, is there anything on this page that describes or
`
`generates a list of suspicious operations from the
`
`No. This diagram doesn't say anything about Matrix
`
`operations.
`
`1971
`
`1973
`
`here is an explanation of -- of how a particular signature
`
`is going to work or what it's going to look for.
`
`This actually may be an excerpt that was taken
`
`And why is this statement about "this sample performs
`
`Well, this isn't the downloadable. This is a
`
`09:17:10 1
`09:17:17 2
`09:17:19 3
`09:17:22 4
`out to sort of document the process of writing signatures.
`09:17:26 5 Q.
`09:17:31 6
`the following suspicious computer operations" not evidence
`09:17:34 7
`of this limitation, in your opinion?
`09:17:37 8 A.
`09:17:39 9
`signature that was prepared by a Symantec employee prior to
`09:17:45 10
`09:17:50 11
`09:17:53 12
`09:17:56 13
`09:18:00 14
`09:18:04 15
`09:18:07 16
`09:18:09 17
`09:18:14 18
`from the downloadable.
`09:18:15 19 Q.
`09:18:18 20
`have been the Matrix component or would it have been a
`09:18:20 21
`Symantec employee?
`09:18:20 22 A.
`09:18:23 23
`employee.
`09:18:24 24 Q.
`09:18:27 25
`claimed in the '194 patent?
`12/12/2012 08:41:09 PM
`
`Let's look at one more piece of evidence, and this I
`
`presented. That's JTX-341. This is a Matrix API document.
`
`Yes.
`
`Let's go to Bates No. 908.
`
`Let me know once you had a chance to look
`
`through this page and I want to focus your attention on the
`
`Okay.
`
`So if you blow up the "Detected threat list" section
`
`First of all, have you had a chance to analyze
`
`this particular description and compare it against the
`
`Yes, I have.
`
`And are the statements here accurate or inaccurate?
`
`They are accurate.
`
`Does this statement indicate to you that there is a
`
`No. That's not what it indicates.
`
`What is this indicating to us?
`
`Well, it talks about a function, which is a function
`
`09:19:57 1 Q.
`09:20:05 2
`think is the final piece of evidence that Dr. Medvidovic
`09:20:07 3
`09:20:15 4
`Do you recall this document?
`5 A.
`09:20:16 6 Q.
`09:20:22 7
`09:20:25 8
`09:20:28 9
`bottom portion.
`09:20:29 10 A.
`09:20:30 11 Q.
`09:20:35 12
`at the bottom.
`09:20:38 13
`09:20:40 14
`09:20:42 15
`actual source code?
`09:20:44 16 A.
`09:20:46 17 Q.
`09:20:49 18 A.
`09:20:51 19 Q.
`09:20:55 20
`list of suspicious operations being extracted from the
`09:20:59 21
`downloadable in the Matrix component?
`09:21:01 22 A.
`09:21:03 23 Q.
`09:21:04 24 A.
`09:21:09 25
`internal to the Matrix software, called "Matrix Scan
`Page 1970 to 1973 of 2217
`4 of 107 sheets
`
`any downloadable being received by the gateway. Okay.
`
`This is -- it's true that in the signature,
`
`there may be mention or even a list of suspicious operations
`
`that the signature wants to find, but what the patent talks
`
`about is extracting a list of suspicious operations from the
`
`downloadable. This is not the right place.
`
`The list of operations of the signature is not
`
`the same as extracting the list of suspicious operations
`
`Again, who would have created signatures? Would it
`
`This signature was written by hand by a Symantec
`
`And is that the same or different than the technique
`
`BLUE COAT SYSTEMS - Exhibit 1003 Page 4
`
`

`
`1974
`
`1976
`
`Stream," and it says, "returns that it has detected a
`
`threat, it also returns a list of the detected threats."
`
`First of all, the detected threats, those are
`
`the threat I.D.s, which are numbers indicating which
`
`signatures matched. They are not operations. They are not
`
`suspicious operations.
`
`Second, this is a function that's internal to
`
`Matrix, when Matrix finally goes back to the AV engine and
`
`says, I found something, you decide what to do about it, it
`
`Having gone through the independent claim, I want to
`
`claims of the '194 patent. That's SYMDX12-3.
`
`And Doctor, do you see that we have Claim 32,
`
`Yes, I see that.
`
`And with respect to your opinions about the comparing
`
`09:21:13 1
`09:21:19 2
`09:21:23 3
`09:21:25 4
`09:21:29 5
`09:21:32 6
`09:21:33 7
`09:21:35 8
`09:21:39 9
`09:21:44 10
`sends back only a single threat I.D., not a list.
`09:21:52 11 Q.
`09:21:54 12
`have you take a look at the three other asserted independent
`09:21:59 13
`09:22:07 14
`09:22:09 15
`Claim 65, and Claim 66 on the screen?
`09:22:13 16 A.
`09:22:14 17 Q.
`09:22:21 18
`a downloadable security profile data containing a list of
`09:22:25 19
`09:22:28 20
`to each of these independent claims?
`09:22:30 21 A.
`09:22:35 22
`contains a limitation which has this language that indicates
`09:22:40 23
`09:22:44 24
`09:22:49 25
`
`suspicious operations, what are your opinions with respect
`
`Well, just as for Claim 1, each of these claims
`
`that the downloadable security profile data includes a list
`
`of suspicious security operations.
`
`Perhaps Mr. Shirazi can highlight that in each
`
`In the interest of time, I am only going the focus on
`
`Claim 58. Can I have that on the screen, PTX-1112.
`
`This is the evidence that Dr. Medvidovic
`
`presented regarding the Dependent Claim 58.
`
`THE COURT: Can you confirm that, Doctor?
`
`THE WITNESS: Could I see Dependent Claim 58?
`
`MR. PAK: Sure. Absolutely. If we could have
`
`the patent and Dependent Claim 58.
`
`Doctor, do you see that Claim 58 describes a
`
`09:24:09 1 Q.
`09:24:12 2
`one dependent claim from the '194 patent. That's Dependent
`09:24:18 3
`09:24:29 4
`09:24:32 5
`09:24:37 6
`09:24:40 7
`09:24:43 8
`09:24:45 9
`09:24:55 10
`BY MR. PAK:
`09:24:56 11 Q.
`09:25:00 12
`"comparator for comparing a URL from which the downloadable
`09:25:04 13
`originated from originated against a known URL"?
`09:25:08 14 A.
`09:25:10 15 Q.
`09:25:13 16
`09:25:15 17
`this document as evidence against this particular claim?
`09:25:17 18 A.
`09:25:18 19 Q.
`09:25:20 20
`document?
`09:25:20 21 A.
`09:25:21 22 Q.
`09:25:26 23
`the limitations set forth in Claim 58 with respect to the
`09:25:30 24
`Matrix component?
`09:25:30 25 A.
`
`Yes. Thank you for refreshing my memory.
`
`Let's go back to the document, PTX-1112.
`
`Do you recall whether Dr. Medvidovic presented
`
`Yes, he did.
`
`Have you had a chance to look at this particular
`
`I have.
`
`Does this document provide any indication relating to
`
`Could I see the claim one more time?
`
`1975
`
`1977
`
`of the claims for me.
`
`Matrix software.
`
`So for Claim 32, that's just not present in the
`
`For Claim 65, the same language is there.
`
`That's not present in the Matrix software.
`
`And then for Claim 66, the same language is
`
`there.
`
`Every independent claim in this patent requires
`
`that the downloadable security profile includes a list of
`
`09:25:37 1 Q.
`09:25:45 2 A.
`09:25:51 3
`09:25:54 4
`about the Matrix component.
`09:25:57 5 Q.
`09:26:00 6
`products other than the Matrix component that might be using
`09:26:03 7
`this particular technology?
`09:26:05 8 A.
`09:26:07 9
`implemented by some other component of Symantec's product,
`09:26:10 10
`09:26:15 11
`performed by the Matrix.
`09:26:18 12 Q.
`09:26:20 13
`the '962 patent.
`09:26:22 14
`09:26:25 15
`patent or the client patent?
`09:26:26 16 A.
`09:26:29 17
`describes software that runs on the client, the actual end
`09:26:36 18
`09:26:41 19
`09:26:44 20
`client to see if it might be up to no good.
`09:26:48 21 Q.
`09:26:52 22
`from Symantec for the '962?
`09:26:54 23 A.
`09:26:58 24
`later.
`09:26:59 25 Q.
`Page 1974 to 1977 of 2217
`
`Sure.
`
`Okay. Could we go back, then, to the document?
`
`The document doesn't indicate that it's talking
`
`And are there other components inside of the Symantec
`
`It could be that anything described on this page was
`
`but there is no indication that anything specific here is
`
`Now we are going to turn to the other patent. That's
`
`And if you could remind us, is that the gateway
`
`No. The '962 patent is a little bit different. It
`
`user's computer, and it's essentially looking at a
`
`downloadable after it's already begun execution on the
`
`And remind us again, what is the accused technology
`
`It's a software component called BASH Version 6.0 and
`
`And I will put up on the screen a demonstrative that I
`12/12/2012 08:41:09 PM
`
`09:22:52 1
`09:22:55 2
`09:22:59 3
`09:23:00 4
`09:23:03 5
`09:23:07 6
`09:23:10 7
`09:23:12 8
`09:23:14 9
`09:23:18 10
`suspicious computer operations.
`09:23:20 11 Q.
`09:23:23 12
`claims that have been asserted in this case for the '194
`09:23:26 13
`patent?
`09:23:27 14 A.
`09:23:27 15 Q.
`09:23:29 16
`claims that depend from these independent claims that we
`09:23:32 17
`have discussed?
`09:23:33 18 A.
`09:23:37 19
`a dependent claim must satisfy all of the -- in order for it
`09:23:43 20
`09:23:47 21
`09:23:51 22
`09:23:55 23
`09:24:00 24
`09:24:03 25
`the dependent claims are infringed either.
`5 of 107 sheets
`
`You also understand, sir, that there is some dependent
`
`Yes, I do.
`
`What are your opinions with respect to the dependent
`
`My understanding of dependent claims in patent is that
`
`to be infringed, all the limitations in the independent
`
`claim from which it derives must be met, in addition to
`
`whatever is specified in the dependent claims.
`
`Since all of the dependent claims depend on
`
`these four independent claims, it's my opinion that none of
`
`BLUE COAT SYSTEMS - Exhibit 1003 Page 5
`
`

`
`1978
`
`1980
`
`actually used with Dr. Medvidovic during the
`
`cross-examination. That's SYMDX12-13.
`
`And Doctor, were you here for the
`
`Yes, I was.
`
`And have you had a chance to consider this
`
`09:27:03 1
`09:27:05 2
`09:27:11 3
`09:27:12 4
`cross-examination of Dr. Medvidovic?
`09:27:13 5 A.
`09:27:15 6 Q.
`09:27:17 7
`demonstrative and the testimony that Dr. Medvidovic
`09:27:20 8
`provided?
`9 A.
`09:27:25 10 Q.
`09:27:27 11
`seeing here on this particular graph?
`09:27:30 12 A.
`09:27:33 13
`Symantec products prior to September, 2009, there was a
`09:27:40 14
`09:27:45 15
`09:27:50 16
`09:27:56 17
`09:28:00 18
`09:28:04 19
`09:28:06 20
`09:28:11 21
`09:28:14 22
`09:28:18 23
`09:28:26 24
`09:28:28 25
`
`Yes.
`
`And, briefly, can you summarize for us what we are
`
`Yeah. What this graph is showing is that in the
`
`technology called BASH 5, so that was Version 5.0, or other
`
`versions that started with 5, and this included a technology
`
`called "COH," which stands for "Confidence Online Heavy."
`
`COH was a snapshot technology. What a snapshot
`
`technology does is it wakes up every now and then, takes a
`
`snapshot of the current status of the computer, and then it
`
`analyzes that snapshot to see if anything looks strange.
`
`The diagram is showing that starting in
`
`September, 2009, that BASH 5 software had been replaced with
`
`BASH 6, okay? September of 2009 I think is when it started
`
`going into the consumer products, and a little later than
`
`that, into the enterprise products.
`
`analysis for BASH 5 generation of technology. True?
`
`Answer: That's correct, I did not present any
`
`source code for 5.0.
`
`Final testimony, 991, 7 through 13:
`
`Now, sir, isn't it true that after you looked at
`
`everything in this case, you have not offered any
`
`infringement opinions as to any version of BASH, including
`
`BASH 5, that functioned through the use of time snapshots.
`
`True?
`
`Answer: I did not offer any opinions about time
`
`snapshots-based technology.
`
`Do you recall hearing all this testimony in the
`
`Yes, I was here. I heard him say those things.
`
`So as a rebuttal expert, somebody who has been asked
`
`does this testimony tell you about the scope of his
`
`Well, this testimony, as well as the evidence he
`
`09:29:58 1
`09:30:03 2
`09:30:04 3
`09:30:07 4
`09:30:10 5
`09:30:14 6
`09:30:16 7
`09:30:19 8
`09:30:23 9
`09:30:24 10
`09:30:27 11
`09:30:30 12
`09:30:31 13
`courtroom?
`09:30:32 14 A.
`09:30:35 15 Q.
`09:30:38 16
`to analyze Dr. Medvidovic's infringement allegations, what
`09:30:42 17
`09:30:44 18
`infringement allegations?
`09:30:45 19 A.
`09:30:48 20
`presented, tells me that he was focused on BASH 6 and not
`09:30:52 21
`earlier versions.
`09:30:54 22 Q.
`09:31:00 23
`component. Let's put up Claim 1 of the '962 patent as an
`09:31:06 24
`09:31:12 25
`
`So let's focus on BASH 6, which is the accused
`
`exemplary claim. This is SYMDX12-5. We talked about this
`
`yesterday during the roadmap discussion.
`
`Doctor, very briefly, how does the snapshot technology
`
`Can you remind us which of these limitations on
`
`1979
`
`1981
`
`Well, snapshotting is not about interrupting requests
`
`Well, as I said, my job was to look at all the
`
`are two places where I disagrees with him. What I found was
`
`if there is a problem. It's a different technique, which
`
`that the second limitation of interrupting processing of the
`
`just periodically takes a snapshot of the system and then
`
`request, that's not performed by the Symantec software.
`
`Doctor, at this point we have a demonstrative that
`
`I also found that this final limitation,
`
`It's performed by Microsoft's operating system software.
`
`09:31:15 1
`09:28:31 1 Q.
`09:31:17 2
`09:28:34 2
`this claim you feel are missing from the Symantec products?
`used in COH/BASH 5 versions compare to the techniques that
`09:31:21 3 A.
`09:28:39 3
`are actually claimed for the '962 patent?
`09:31:24 4
`09:28:45 4 A.
`evidence, analysis and conclusions of Dr. Medvidovic. There
`09:31:30 5
`09:28:51 5
`made by a downloadable and looking at those requests to see
`09:31:33 6
`09:28:55 6
`09:31:38 7
`09:28:59 7
`09:31:41 8
`09:29:02 8
`analyzes what it sees.
`09:31:46 9
`09:29:07 9 Q.
`09:31:50 10
`09:29:10 10
`summarizes some of Dr. Medvidovic's testimony. I would like
`09:31:53 11
`09:29:13 11
`09:32:00 12
`09: