`
`
`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`As demonstrated in the claim charts below, the Asserted Claims are invalid (a) under one or more sections of 35 U.S.C. § 102 as
`anticipated by Riddle and (b) under 35 U.S.C. § 103(a) as obvious over Riddle standing alone and as set forth herein, and/or combined
`with the knowledge of a person of ordinary skill in the art, admitted prior art, and/or the additional prior art references discussed in
`Exhibits A1-A16, and B, the contents of which are hereby incorporated by reference into this chart. Although the following charts
`illustrate where Riddle discloses the preambles of the Asserted Claims, Palo Alto does not imply by these contentions that the
`preambles are claim limitations.
`
`
`’099
`Claim
`
`[1.pre]
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`A packet monitor for examining
`packets passing through a
`connection point on a computer
`network in real-time, the
`packets provided to the packet
`monitor via a packet acquisition
`device connected to the
`connection point, the packet
`monitor comprising:
`
`Riddle discloses a packet monitor for examining packets passing through a
`connection point on a computer network in real-time, the packets provided to the
`packet monitor via a packet acquisition device connected to the connection point.
`
`For example, Riddle discloses:
`
`1:54-61 (“This invention relates to digital packet telecommunications, and
`particularly to management of network bandwidth based on information
`ascertainable from multiple layers of OSI network model. It is particularly useful in
`conjunction with bandwidth allocation mechanisms employing traffic classification
`in a digitally-switched packet telecommunications environment, as well as in
`monitoring [sic], security and routing.”);
`
`4:6-17 (“According to the invention, in a packet communication environment, a
`method is provided for automatically classifying packet flows for use in allocating
`bandwidth resources and the like by a rule of assignment of a service level. The
`method comprises applying individual instances of traffic classification paradigms
`to packet network flows based on selectable information obtained from a plurality of
`layers of a multi-layered communication protocol in order to define a characteristic
`class, then mapping the flow to the defined traffic class. It is useful to note that the
`
`1
`
`Packet Intelligence Ex. 2008 Page 1 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`automatic classification is sufficiently robust to classify a complete enumeration of
`the possible traffic.”);
`
`5:54-61 (“The method for automatically classifying heterogeneous packets in a
`packet telecommunications environment of the present invention is implemented in
`the C programming language and is operational on a computer system such as
`shown in FIG. 1A. This invention may be implemented in a client-server
`environment, but a client-server environment is not essential. This figure shows a
`conventional client-server computer system which includes a server 20 and
`numerous clients, one of which is shown as client 25. The use of the term “server” is
`used in the context of the invention, wherein the server receives queries from
`(typically remote) clients, does substantially all the processing necessary to
`formulate responses to the queries, and provides these responses to the clients.
`However, server 20 may itself act in the capacity of a client when it accesses remote
`databases located at another node acting as a database server.”);
`
`6:1-16 (“The hardware configurations are in general standard and will be described
`only briefly. In accordance with known practice, server 20 includes one or more
`processors 30 which communicate with a number of peripheral devices via a bus
`subsystem 32. These peripheral devices typically include a storage subsystem 35,
`comprised of a memory subsystem 35a and a file storage subsystem 35b holding
`computer programs (e.g., code or instructions) and data, a set of user interface input
`and output devices 37, and an interface to outside networks, which may employ
`Ethernet, Token Ring, ATM, IEEE 802.3, ITU X.25, Serial Link Internet Protocol
`(SLIP) or the public Switched telephone network. This interface is shown
`schematically as a “Network Interface” block 40. It is coupled to corresponding
`interface devices in client computers via a network connection 45.”)
`
`2
`
`Packet Intelligence Ex. 2008 Page 2 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`7:10-34 (“FIG. 1C is illustrative of the internetworking of a plurality of clients such
`as client 25 of FIGS. 1A and 1B and a plurality of servers such as server 20 of
`FIGS. 1A and 1B as described herein above. In FIG. 1C, network 60 is an example
`of a Token Ring or frame oriented network. Network 60 links host 61, such as an
`IBM RS6000 RISC workstation, which may be running the AIX operating system,
`to host 62, which is a personal computer, which may be running Windows 95, IBM
`0S/2 or a DOS operating system, and host 63, which may be an IBM AS/400
`computer, which may be running the OS/400 operating system. Network 60 is
`internetworked to network 70 via a system gateway which is depicted here as router
`75, but which may also be a gateway having a firewall or a network bridge.
`Network 70 is an example of an Ethernet network that interconnects host 71, which
`is a SPARC workstation, which may be running SUNOS operating system with host
`72, which may be a Digital Equipment VAX6000 computer which may be running
`the VMS operating system.
`
`Router 75 is a network access point (NAP) of network 70 and network 60. Router
`75 employs a Token Ring adapter and Ethernet adapter. This enables router 75 to
`interface with the two heterogeneous networks. Router 75 is also aware of the Inter-
`network Protocols, such as ICMP and RIP, which are described herein below.”);
`
`12:3-12 (“A traffic class may be inferred from determining the identity of the
`creator of a resource used by the traffic class. For example, the identity of traffic
`using a certain connection can be determined by finding the identity of the creator of
`the connection. This method is used to detect Real Time Protocol (RTP) for point-
`to-point telephony, RTP for broadcast streaming, CCITT/ITU H320-telephony over
`ISDN, H323-internet telephony over the internet (bidirectional) and RTSP real time
`streaming protocol for movies (unidirectional).”);
`
`3
`
`Packet Intelligence Ex. 2008 Page 3 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`12:27-28 (“FIG. 3 depicts components of a system for automatically classifying
`traffic according to the invention.”);
`
`12:42-43 (“FIG. 4A depicts a flowchart 401 of processing steps for automatically
`classifying traffic.”);
`
`Fig. 1A:
`
`Fig. 1C:
`
`
`
`4
`
`Packet Intelligence Ex. 2008 Page 4 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`[1.a]
`
`(a) a packet-buffer memory
`configured to accept a packet
`from the packet acquisition
`device;
`
`
`
`3:67-4:2 (“What is really needed is a method for analyzing real traffic in a
`customer's network and automatically producing a list of the ‘found traffic.’”); see
`also 10:57-59, 3:32-39;
`
`2:8-2 (“Early indication of the rate of data flow which can or must be supported is
`imperative”).
`
`Riddle discloses a packet-buffer memory configured to accept a packet from the
`packet acquisition device.
`
`For example, Riddle discloses:
`
`6:1-15 (“The hardware configurations are in general standard and will be described
`only briefly. In accordance with known practice, server 20 includes one or more
`processors 30 which communicate with a number of peripheral devices via a bus
`subsystem 32. These peripheral devices typically include a storage subsystem 35,
`comprised of a memory subsystem 35 a and a file storage subsystem 35 b holding
`computer programs (e.g., code or instructions) and data, a set of user interface input
`
`5
`
`Packet Intelligence Ex. 2008 Page 5 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`and output devices 37, and an interface to outside networks, which may employ
`Ethernet, Token Ring, ATM, IEEE 802.3, ITU X.25, Serial Link Internet Protocol
`(SLIP) or the public switched telephone network. This interface is shown
`schematically as a “Network Interface” block 40. It is coupled to corresponding
`interface devices in client computers via a network connection 45.”);
`
`6:43-62 (“FIG. 1B is a functional diagram of a computer system such as that of FIG.
`1A. FIG. 1B depicts a server 20, and a representative client 25 of a plurality of
`clients which may interact with the server 20 via the Internet 45 or any other
`communications method. Blocks to the right of the server are indicative of the
`processing steps and functions which occur in the server's program and data storage
`indicated by blocks 35 a and 35 b in FIG. 1A. A TCP/IP “stack” 44 works in
`conjunction with Operating System 42 to communicate with processes over a
`network or serial connection attaching Server 20 to Internet 45. Web server software
`46 executes concurrently and cooperatively with other processes in server 20 to
`make data objects 50 and 51 available to requesting clients. A Common Gateway
`Interface (CGI) script 55 enables information from user clients to be acted upon by
`web server 46, or other processes within server 20. Responses to client queries may
`be returned to the clients in the form of a Hypertext Markup Language (HTML)
`document outputs which are then communicated via Internet 45 back to the user.”);
`
`7:10-34 (“FIG. 1C is illustrative of the internetworking of a plurality of clients such
`as client 25 of FIGS. 1A and 1B and a plurality of servers such as server 20 of
`FIGS. 1A and 1B as described herein above. In FIG. 1C, network 60 is an example
`of a Token Ring or frame oriented network. Network 60 links host 61, such as an
`IBM RS6000 RISC workstation, which may be running the AIX operating system,
`to host 62, which is a personal computer, which may be running Windows 95, IBM
`0S/2 or a DOS operating system, and host 63, which may be an IBM AS/400
`
`6
`
`Packet Intelligence Ex. 2008 Page 6 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`computer, which may be running the OS/400 operating system. Network 60 is
`internetworked to network 70 via a system gateway which is depicted here as router
`75, but which may also be a gateway having a firewall or a network bridge.
`Network 70 is an example of an Ethernet network that interconnects host 71, which
`is a SPARC workstation, which may be running SUNOS operating system with host
`72, which may be a Digital Equipment VAX6000 computer which may be running
`the VMS operating system.
`
`Router 75 is a network access point (NAP) of network 70 and network 60. Router
`75 employs a Token Ring adapter and Ethernet adapter. This enables router 75 to
`interface with the two heterogeneous networks. Router 75 is also aware of the Inter-
`network Protocols, such as ICMP and RIP, which are described herein below.”);
`
`Fig. 1A:
`
`
`
`7
`
`Packet Intelligence Ex. 2008 Page 7 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`Fig. 1B:
`
`
`
`
`Fig. 1C:
`
`
`
`8
`
`Packet Intelligence Ex. 2008 Page 8 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`[1.b]
`
`(b) a parsing/extraction
`operations memory configured
`to store a database of
`parsing/extraction operations
`that includes information
`describing how to determine at
`least one of the protocols used
`in a packet from data in the
`packet;
`
`
`
`To the extent Packet Intelligence alleges that Riddle does not explicitly disclose this
`claim limitation, this limitation is inherent and/or it would have been obvious in
`view of the knowledge of one of ordinary skill in the art, in view of the references
`identified in Exhibit B, and/or it would have been obvious to one of ordinary skill in
`the art to combine the teaching of Riddle with the prior art identified in §C of Palo
`Alto’s Invalidity Contentions.
`
`Riddle discloses a parsing/extraction operations memory configured to store a
`database of parsing/extraction operations that includes information describing how
`to determine at least one of the protocols used in a packet from data in the packet.
`
`For example, Riddle discloses:
`
`6:1-15 (“The hardware configurations are in general standard and will be described
`only briefly. In accordance with known practice, server 20 includes one or more
`processors 30 which communicate with a number of peripheral devices via a bus
`subsystem 32. These peripheral devices typically include a storage subsystem 35,
`
`9
`
`Packet Intelligence Ex. 2008 Page 9 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`comprised of a memory subsystem 35 a and a file storage subsystem 35 b holding
`computer programs (e.g., code or instructions) and data, a set of user interface input
`and output devices 37, and an interface to outside networks, which may employ
`Ethernet, Token Ring, ATM, IEEE 802.3, ITU X.25, Serial Link Internet Protocol
`(SLIP) or the public switched telephone network. This interface is shown
`schematically as a “Network Interface” block 40. It is coupled to corresponding
`interface devices in client computers via a network connection 45.”);
`
`9:14-67 (“The present invention provides a method for classifying traffic according
`to a definable set of classification attributes selectable by the manager, including
`selecting a subset of traffic of interest to be classified. The invention provides the
`ability to classify and search traffic based upon multiple orthogonal classification
`attributes.
`
`Traffic class membership may be hierarchical. Thus, a flow may be classified by a
`series of steps through a traffic class tree, with the last step (i.e., at the leaves on the
`classification tree) mapping the flow to a policy. The policy is a rule of assignment
`for flows. Web traffic may also be classified by HTTP header types such as
`Content-Type (MIME type) or User-Agent.
`
`A classification tree is a data structure representing the hierarchical aspect of traffic
`class relationships. Each node of the classification tree represents a class, and has a
`traffic specification, i.e., a set of attributes or characteristics describing the traffic
`associated with it. Leaf nodes of the classification tree may contain policies.
`According to a particular embodiment, the classification process checks at each
`level if the flow being classified matches the attributes of a given traffic class. If it
`does, processing continues down to the links associated with that node in the tree. If
`it does not, the class at the level that matches determines the policy for the flow
`
`10
`
`Packet Intelligence Ex. 2008 Page 10 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`being classified. If no policy specific match is found, the flow is assigned the default
`policy.
`
`In a preferred embodiment, the classification tree is an N-ary tree with its nodes
`ordered by specificity. For example, in classifying a particular flow in a
`classification tree ordered first by organizational departments, the attributes of the
`flow are compared with the traffic specification in each successive department node
`and if no match is found, then processing proceeds to the next subsequent
`department node. If no match is found, then the final compare is a default “match
`all” category. If, however, a match is found, then classification moves to the
`children of this department node. The child nodes may be ordered by an orthogonal
`paradigm such as, for example, “service type.” Matching proceeds according to the
`order of specificity in the child nodes. Processing proceeds in this manner,
`traversing downward and from left to right in FIGS. 2A and 2B, which describe a
`classification tree, searching the plurality of orthogonal paradigms. Key to
`implementing this a hierarchy is that the nodes are arranged in decreasing order of
`specificity. This permits search to find the most specific class for the traffic before
`more general.
`
`Table 2 depicts components from which Traffic classes may be built. Note that the
`orientation of the server (inside or outside) is specified. And as noted above, any
`traffic class component may be unspecified, i.e. set to match any value.”);
`
`10:59-11:9 (“Network traffic is automatically classified under existing classes,
`beginning with the broadest classes, an inbound traffic class and an outbound traffic
`class, in protocol layer independent categories. For example, a particular instance of
`traffic may be classified according to its transport layer characteristics, e.g., Internet
`Protocol port number, as well as its application layer information, e.g., SMTP.
`
`11
`
`Packet Intelligence Ex. 2008 Page 11 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`Characteristics such as MIME types may also be automatically identified. Standard
`protocols, such as, IPX, SNA, and services, such as, SMTP and FTP are recognized
`for automatic classification. Classification is performed to the most specific level
`determinable. For example, in select embodiments, non-IP traffic, such as SNA,
`may be classified only by protocol, whereas Internet Protocol traffic may be
`classified to the /etc/services level. Classification beyond a terminal classification
`level is detected and prevented. For example, in a select embodiment, a class
`matching “ipx” or “nntp” will not be further automatically classified.”);
`
`12:27-41 (“FIG. 3 depicts components of a system for automatically classifying
`traffic according to the invention. A traffic tree 302 in which new traffic will be
`classified under a particular member class node. A traffic classifier 304 detects
`services for incoming traffic. Alternatively, the classifier may start with a service
`and determine the hosts using it. A knowledge base 306 contains heuristics for
`determining traffic classes. The knowledge base may be embodied in a file or a
`relational database. In a particular embodiment, the knowledge is contained within a
`data structure resident in memory. A plurality of saved lists 308 stores classified
`traffic pending incorporation into traffic tree 302. In select embodiments, entries for
`each instance of traffic may be kept. In alternate embodiments, a copy of an entry
`and a count of duplicate copies for the entry is maintained.”);
`
`12:48-53 (“In a decisional step 406, a determination is made if traffic matches one
`of the classes being classified. If this is so, then in a step 408, an entry is made in a
`list of identifying characteristics, such as protocol type (SAP), IP protocol number,
`server port, traffic type if known, MIME type, a time of occurrence of the traffic.”)
`
`Table 2:
`
`12
`
`Packet Intelligence Ex. 2008 Page 12 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`
`
`
`
`Fig. 1A:
`
`Fig. 2B:
`
`13
`
`Packet Intelligence Ex. 2008 Page 13 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`
`
`
`
`Fig. 3:
`
`14
`
`Packet Intelligence Ex. 2008 Page 14 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`Fig. 4A:
`
`
`
`
`
`
`To the extent Packet Intelligence alleges that Riddle does not explicitly disclose this
`claim limitation, this limitation is inherent and/or it would have been obvious in
`view of the knowledge of one of ordinary skill in the art, in view of the references
`identified in Exhibit B, and/or it would have been obvious to one of ordinary skill in
`the art to combine the teaching of Riddle with the prior art identified in §C of Palo
`Alto’s Invalidity Contentions.
`
`[1.c]
`
`(c) a parser subsystem coupled
`to the packet buffer and to the
`pattern/extraction operations
`
`Riddle discloses a parser subsystem coupled to the packet buffer and to the
`pattern/extraction operations memory, the parser subsystem configured to examine
`the packet accepted by the buffer, extract selected portions of the accepted packet,
`
`15
`
`Packet Intelligence Ex. 2008 Page 15 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`memory, the parser subsystem
`configured to examine the
`packet accepted by the buffer,
`extract selected portions of the
`accepted packet, and form a
`function of the selected portions
`sufficient to identify that the
`accepted packet is part of a
`conversational flow-sequence;
`
`and form a function of the selected portions sufficient to identify that the accepted
`packet is part of a conversational flow-sequence.
`
`For example, Riddle discloses:
`
`6:1-16 (“The hardware configurations are in general standard and will be described
`only briefly. In accordance with known practice, server 20 includes one or more
`processors 30 which communicate with a number of peripheral devices via a bus
`subsystem 32. These peripheral devices typically include a storage subsystem 35,
`comprised of a memory subsystem 35a and a file storage subsystem 35b holding
`computer programs (e.g., code or instructions) and data, a set of user interface input
`and output devices 37, and an interface to outside networks, which may employ
`Ethernet, Token Ring, ATM, IEEE 802.3, ITU X.25, Serial Link Internet Protocol
`(SLIP) or the public Switched telephone network. This interface is shown
`schematically as a “Network Interface” block 40. It is coupled to corresponding
`interface devices in client computers via a network connection 45.”);
`
`Cl.8 (“a processor means operative to: parse a packet into a first flow specification,
`wherein said first flow specification contains at least one instance of any one of the
`following: a protocol family designation, a direction of packet flow designation, a
`protocol type designation, a pair of hosts, a pair of ports, in HTTP protocol packets,
`a pointer to a MIME type”);
`
`8:58-9:11 (“Traffic classes may be defined at any level of the IP protocol as well as
`for other non-IP protocols. For example, at the IP level, traffic may be defined as
`only those flows between a specified set of inside and outside IP addresses or
`domain names. An example of such a low level traffic class definition would be all
`traffic between my network and other corporate offices throughout the Internet. At
`the application level, traffic classes may be defined for specific URIs within a web
`
`16
`
`Packet Intelligence Ex. 2008 Page 16 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`server. Traffic classes may be defined having “Web aware” class attributes. For
`example, a traffic class could be created such as all URIs matching “*.html” for all
`servers, or all URI patterns matching “*.gif” for server X, or for access to server Y
`with URI pattern “/sales/*” from client Z, wherein ‘*’ is a wildcard character, i.e., a
`character which matches all other character combinations. Traffic class attributes
`left unspecified will simply match any value for that attribute. For example, a traffic
`class that accesses data objects within a certain directory path of a web server is
`specified by a URI pattern of the directory path to be managed, e.g. “/sales/*” .”);
`
`11:10-23 (“A service aggregate is provided for certain applications that use more
`than one connection in a particular conversation between a client and a server. For
`example, an FTP client in conversation with an FTP server employs a command
`channel and a transfer channel, which are distinct TCP sessions on two different
`ports. In cases where two or three TCP or UDP sessions exist for each conversation
`between one client and one server, it is useful to provide a common traffic class i.e.,
`the service aggregate, containing the separate conversations. In practice, these types
`of conversations are between the same two hosts, but use different ports. According
`to the invention, a class is created with a plurality of traffic specifications, each
`matching various component conversations.”);
`
`11:48-67 (“In a preferable embodiment, classification can extend to examination of
`the data contained in a flow's packets. Certain traffic may be distinguished by a
`signature even if it originates with a server run on a non-standard port, for example,
`an HTTP conversation on port 8080 would not be otherwise determinable as HTTP
`from the port number. Further analysis of the data is conducted in order to
`determine classification in instances where: 1) FTP commands are used to define
`server ports, 2) HTTP protocol is used for non-web purposes. The data is examined
`for indication of push traffic, such as pointcast, which uses HTTP as a transport
`
`17
`
`Packet Intelligence Ex. 2008 Page 17 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`mechanism. These uses may be isolated and classified into a separate class.
`Marimba and pointcast can be distinguished by looking into the data for a signature
`content header in the get request. Pointcast has URLs that begin with “/FIDO-1/.”
`Other applications in which protocol can be inferred from data include Telnet
`traffic. Both tn3270 and tn3270E (emulation) may be detected by looking into data
`and given a different class. Telnet traffic has option negotiations which may indicate
`an appropriate class.”);
`
`12:3-12 (“A traffic class may be inferred from determining the identity of the
`creator of a resource used by the traffic class. For example, the identity of traffic
`using a certain connection can be determined by finding the identity of the creator of
`the connection. This method is used to detect Real Time Protocol (RTP) for point-
`to-point telephony, RTP for broadcast streaming, CCITT/ITU H320-telephony over
`ISDN, H323-internet telephony over the internet (bidirectional) and RTSP real time
`streaming protocol for movies (unidirectional).”);
`
`12:27-60 (“FIG. 3 depicts components of a system for automatically classifying
`traffic according to the invention. A traffic tree 302 in which new traffic will be
`classified under a particular member class node. A traffic classifier 304 detects
`services for incoming traffic. Alternatively, the classifier may start with a service
`and determine the hosts using it. A knowledge base 306 contains heuristics for
`determining traffic classes. The knowledge base may be embodied in a file or a
`relational database. In a particular embodiment, the knowledge is contained within a
`data structure resident in memory. A plurality of saved lists 308 stores classified
`traffic pending incorporation into traffic tree 302. In select embodiments, entries for
`each instance of traffic may be kept. In alternate embodiments, a copy of an entry
`and a count of duplicate copies for the entry is maintained.
`
`18
`
`Packet Intelligence Ex. 2008 Page 18 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`FIG. 4A depicts a flowchart 401 of processing steps for automatically classifying
`traffic. In a step 402, a flow specification is parsed from the flow being classified.
`Then in a step 404, the flow specification parsed from the flow in step 402 is
`compared with the traffic specifications in each node of the classification tree. Rules
`are checked starting from most specific to least specific. In a decisional step 406, a
`determination is made if traffic matches one of the classes being classified. If this is
`so, then in a step 408, an entry is made in a list of identifying characteristics, such as
`protocol type (SAP), IP protocol number, server port, traffic type if known, MIME
`type, a time of occurrence of the traffic. In an optional step 410, duplicate instances
`having the same identifying characteristics are suppressed, in favor of keeping a
`count of the duplicates and a most recent time traffic with these identifying
`characteristics was encountered. In an optional step 412, a byte count of traffic of
`this type has been detected is included. Otherwise, the automatic classification has
`failed to determine a class and processing returns.”);
`
`Fig. 3:
`
`19
`
`Packet Intelligence Ex. 2008 Page 19 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`[1.d]
`
`(d) a memory storing a flow-
`entry database including a
`plurality of flow-entries for
`conversational flows
`encountered by the monitor;
`
`
`
`To the extent Packet Intelligence alleges that Riddle does not explicitly disclose this
`claim limitation, this limitation is inherent and/or it would have been obvious in
`view of the knowledge of one of ordinary skill in the art, in view of the references
`identified in Exhibit B, and/or it would have been obvious to one of ordinary skill in
`the art to combine the teaching of Riddle with the prior art identified in §C of Palo
`Alto’s Invalidity Contentions.
`
`Riddle discloses a memory storing a flow-entry database including a plurality of
`flow-entries for conversational flows encountered by the monitor.
`
`For example, Riddle discloses:
`
`6:1-15 (“The hardware configurations are in general standard and will be described
`only briefly. In accordance with known practice, server 20 includes one or more
`processors 30 which communicate with a number of peripheral devices via a bus
`subsystem 32. These peripheral devices typically include a storage subsystem 35,
`
`20
`
`Packet Intelligence Ex. 2008 Page 20 of 187
`
`

`

`
`PALO ALTO’S INVALIDITY CONTENTIONS
`Exhibit A5: U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`’099
`Claim
`
`Claim Element
`
`U.S. Patent No. 6,412,000 (“Riddle”)
`
`
`
`
`comprised of a memory subsystem 35 a and a file storage subsystem 35 b holding
`computer programs (e.g., code or instructions) and data, a set of user interface input
`and output devices 37, and an interface to outside networks, which may employ
`Ethernet, Token Ring, ATM, IEEE 802.3, ITU X.25, Serial Link Internet Protocol
`(SLIP) or the public switched telephone network. This interface is shown
`schematically as a “Network Interface” block 40. It is coupled to corresponding
`interface devices in client computers via a network connection 45.”);
`
`8:48-57 (“A traffic class is broadly defined as traffic between one or more clients
`and one or more servers. A single instance of a traffic class is called a flow. Traffic
`classes have the property, or class attribute, of being directional, i.e. all traffic
`flowing inbound will belong to different traffic classes and be managed separately
`from traffic flowing outbound. The directional property enables asymmetric
`classification and control of traffic, i.e., inbound and outbound flows belong to
`different classes which may be managed independent