EXHIBIT A9
`
`Summary of Invalidity Analysis of U.S. Patent No. 6,651,099 (“’099 Patent”) in view of
`U.S. Patent No. 6,412,000 (“Riddle”), further in view of WO 92/19054 (“Ferdinand”), further in view of
`WO 97/23076 (“Baker”), and further in view of U.S. Patent No. 6,625,150 (“Yu”)
`
`U.S. Patent No. 6,412,000 (“Riddle”), issued on June 25, 2002, qualifies as prior art to the ’099 Patent under at least Pre-AIA
`35 U.S.C. § 102(e) because it was filed on November 23, 1998, before the June 30, 1999 filing date of the provisional application to
`which the ’099 Patent claims priority. Riddle further qualifies as prior art to the ’099 Patent under at least Pre-AIA 35 U.S.C. § 102(e)
`since a U.S. patent has an effective prior art date under pre-AIA 35 U.S.C. §102(e) based on the filing date of an earlier-filed patent
`application if the patent’s relevant subject matter is described in the earlier-filed application, and at least one of the patent’s claims is
`supported by the earlier-filed application’s written description in compliance with pre-AIA 35 U.S.C. §112, first paragraph. The
`application that issued as Riddle was filed on November 23, 1998. Riddle claims priority to U.S. Provisional Patent Application No.
`60/066,864 (“’864 Provisional”), which was filed on November 25, 1997.
`Riddle and the related ’864 Provisional incorporate-by-reference the following patent applications in their entirety:
`•
`U.S. Patent Application No. 09/198,051 (“’051 Application”);
`•
`U.S. Patent Application No. 08/762,828, issued as U.S. Patent No. 5,802,106;
`•
`U.S. Patent Application No. 08/977,642 (“Packer Application”), having attorney docket number 17814-5.10, and issued
`as U.S. Patent No. 6,046,980 (“Packer”); and
`U.S. Patent Application No. 08/742,994, issued as U.S. Patent No. 6,038,216.
`
`•
`
`WO 92/19054 (“Ferdinand”), published on October 29, 1992, qualifies as prior art to the ’099 Patent under at least Pre-AIA 35
`U.S.C. § 102(b) because it was published more than one year before the June 30, 1999 filing date of the provisional application to
`which the ’099 Patent claims priority.
`
`WO 97/23076 (“Baker”), published on June 26, 1997, qualifies as prior art to the ’099 Patent under at least Pre-AIA 35 U.S.C.
`§ 102(b) because it was published more than one year before the June 30, 1999 filing date of the provisional application to which the
`’099 Patent claims priority.
`
`U.S. Patent No. 6,625,150 (“Yu”), issued on September 23, 2003, qualifies as prior art to the ’099 Patent under at least Pre-
`AIA 35 U.S.C. § 102(e) since a U.S. patent has an effective prior art date under pre-AIA 35 U.S.C. §102(e) based on the filing date of
`an earlier-filed patent application if the patent’s relevant subject matter is described in the earlier-filed application, and at least one of
`the patent’s claims is supported by the earlier-filed application’s written description in compliance with pre-AIA 35 U.S.C. §112, first
`
`Packet Intelligence Ex. 2013 Page 1 of 144
`
`

`

`EXHIBIT A9
`
`paragraph. The application that issued as Yu was filed on December 16, 1999. Yu claims priority to U.S. Provisional Patent
`Application No. 60/112,859 (“’859 Provisional”), which was filed on December 17, 1998.
`
`
`
`
`
`
`
`
`2
`
`Packet Intelligence Ex. 2013 Page 2 of 144
`
`

`

`EXHIBIT A9
`
`1
`
`Invalidity of U.S. PATENT NO. 6,651,099 in view of Riddle et al.
`CLAIM LANGUAGE
`Exemplary Citations to Riddle et al.
`A packet monitor for examining packets passing
`U.S. Patent No. 6,412,000 (“Riddle”) discloses a packet monitor for examining
`packets passing through a connection point on a computer network in real-time, the
`through a connection point on a computer
`packets provided to the packet monitor via a packet acquisition device connected to
`network in real-time, the packets provided to the
`the connection point.
`packet monitor via a packet acquisition device
`connected to the connection point, the packet
`monitor comprising:
`
`
`
`For example:
`
`“In a packet communication environment, a method is provided for automatically
`classifying packet flows for use in allocating bandwidth resources by a rule of
`assignment of a service level. The method comprises applying individual instances of
`traffic classification paradigms to packet network flows based on selectable
`information obtained from a plurality of layers of a multi-layered communication
`protocol in order to define a characteristic class, then mapping the flow to the defined
`traffic class. It is useful to note that the automatic classification is sufficiently robust to
`classify a complete enumeration of the possible traffic.” Riddle, Abstract.
`
`“According to the invention, in a packet communication environment, a method is
`provided for automatically classifying packet flows for use in allocating bandwidth
`resources and the like by a rule of assignment of a service level. The method comprises
`applying individual instances of traffic classification paradigms to packet network
`flows based on selectable information obtained from a plurality of layers of a multi-
`layered communication protocol in order to define a characteristic class, then mapping
`the flow to the defined traffic class. It is useful to note that the automatic classification
`is sufficiently robust to classify a complete enumeration of the possible traffic.”
`Riddle, 4:6-17.
`
`“3.2 Automatic Traffic Classification Processing
`FIG. 3 depicts components of a system for automatically classifying traffic according
`to the invention. A traffic tree 302 in which new traffic will be classified under a
`particular member class node. A traffic classifier 304 detects services for incoming
`traffic. Alternatively, the classifier may start with a service and determine the hosts
`using it. A knowledge base 306 contains heuristics for determining traffic classes. The
`knowledge base may be embodied in a file or a relational database. In a particular
`
`
`
`3
`
`Packet Intelligence Ex. 2013 Page 3 of 144
`
`

`

`EXHIBIT A9
`
`embodiment, the knowledge is contained within a data structure resident in memory. A
`plurality of saved lists 308 stores classified traffic pending incorporation into traffic
`tree 302. In select embodiments, entries for each instance of traffic may be kept. In
`alternate embodiments, a copy of an entry and a count of duplicate copies for the entry
`is maintained.” Riddle, 12:27-41.
`
`
`Riddle, Fig. 3.
`“The method for automatically classifying heterogeneous packets in a packet
`telecommunications environment of the present invention is implemented in the C
`programming language and is operational on a computer system such as shown in FIG.
`1A. This invention may be implemented in a client-server environment, but a client-
`server environment is not essential. This figure shows a conventional client-server
`
`
`
`
`
`4
`
`Packet Intelligence Ex. 2013 Page 4 of 144
`
`

`

`EXHIBIT A9
`
`computer system which includes a server 20 and numerous clients, one of which is
`shown as client 25. The use of the term "server' is used in the context of the invention,
`wherein the server receives queries from (typically remote) clients, does substantially
`all the processing necessary to formulate responses to the queries, and provides these
`responses to the clients. However, server 20 may itself act in the capacity of a client
`when it accesses remote databases located at another node acting as a database server.
`The hardware configurations are in general standard and will be described only briefly.
`In accordance with known practice, server 20 includes one or more processors 30
`which communicate with a number of peripheral devices via a bus subsystem 32.
`These peripheral devices typically include a Storage Subsystem 35, comprised of a
`memory subsystem 35a and a file storage subsystem 35b holding computer programs
`(e.g., code or instructions) and data, a set of user interface input and output devices 37,
`and an interface to outside networks, which may employ Ethernet, Token Ring, ATM,
`IEEE 802.3, ITU X.25, Serial Link Internet Protocol (SLIP) or the public switched
`telephone network. This interface is shown schematically as a “Network Interface”
`block 40. It is coupled to corresponding interface devices in client computers via a
`network connection 45.” Riddle, 5:53-6:15.
`
`
`
`5
`
`
`
`Packet Intelligence Ex. 2013 Page 5 of 144
`
`

`

`EXHIBIT A9
`
`Riddle, Fig. 1A.
`
`
`Riddle, Fig. 1B.
`“FIG. 1C is illustrative of the internetworking of a plurality of clients such as client 25
`of FIGS. 1A and 1B and a plurality of servers such as server 20 of FIGS. 1A and 1B as
`described herein above. In FIG. 1C, network 60 is an example of a Token Ring or
`
`
`
`
`
`6
`
`Packet Intelligence Ex. 2013 Page 6 of 144
`
`

`

`EXHIBIT A9
`
`frame oriented network. Network 60 links host 61, such as an IBM RS6000 RISC
`WorkStation, which may be running the AIX operating System, to host 62, which is a
`personal computer, which may be running Windows 95, IBM OS/2 or a DOS operating
`system, and host 63, which may be an IBM AS/400 computer, which may be running
`the OS/400 operating system. Network 60 is internetworked to network 70 via a system
`gateway which is depicted here as router 75, but which may also be a gateway having a
`firewall or a network bridge. Network 70 is an example of an Ethernet network that
`interconnects host 71, which is a SPARC workstation, which may be running SUNOS
`operating system with host 72, which may be a Digital Equipment VAX6000 computer
`which may be running the VMS operating system.
`Router 75 is a network access point (NAP) of network 70 and network 60. Router 75
`employs a Token Ring adapter and Ethernet adapter. This enables router 75 to interface
`with the two heterogeneous networks. Router 75 is also aware of the Inter-network
`Protocols, such as ICMP and RIP, which are described herein below.” Riddle, 7:10-34.
`“8. A system for automatically classifying traffic in a packet telecommunications
`network, said network having any number of flows, including zero, comprising:
`a plurality of network links upon which said traffic is carried;
`a network routing means, and,
`a processor means operative to:
`parse a packet into a first flow specification, wherein said first flow specification
`contains at least one instance of any one of the following:
`a protocol family designation,
`a direction of packet flow designation,
`a protocol type designation,
`a pair of ports,
`in HTTP protocol packets, a pointer to a MIME type; thereupon,
`match the first flow specification of the parsing step to a plurality of classes
`represented by a plurality of said classification tree type nodes, each said
`classification tree type node having a traffic specification and a mask,
`according to the mask; thereupon,
`if a matching classification tree type node was not found in the matching step,
`associating said first flow specification with one or more newly-created
`classification tree type nodes, thereupon, incorporating said newly created
`classification tree type nodes into said plurality of said classification tree type
`nodes.” Riddle, Claim 8.
`
`
`
`7
`
`Packet Intelligence Ex. 2013 Page 7 of 144
`
`

`

`EXHIBIT A9
`
`
`
`Riddle, Fig. 1C.
`“This invention relates to digital packet telecommunications, and particularly to
`management of network bandwidth based on information ascertainable from multiple
`layers of OSI network model. It is particularly useful in conjunction with bandwidth
`allocation mechanisms employing traffic classification in a digitally-switched packet
`telecommunications environment, as well as in monitoring, security and routing.”
`Riddle, 1:54-61.
`“Certain pathological loading conditions can result in instability, over-loading and
`data transfer stoppage. Therefore, it is desirable to provide some mechanism to
`optimize efficiency of data transfer while minimizing the risk of data loss. Early
`indication of the rate of data flow which can or must be supported is imperative. In
`fact, data flow rate capacity information is a key factor for use in resource allocation
`decisions. For example, if a particular path is inadequate to accommodate a high rate
`of data flow, an alternative route can be sought out.” Riddle, 2:4-13.
`“The field of this invention is concerned with network level bandwidth management,
`i.e. policies to assign available bandwidth from a single logical link to network
`
`
`
`8
`
`Packet Intelligence Ex. 2013 Page 8 of 144
`
`

`

`EXHIBIT A9
`
`flows.” Riddle, 2:64-67.
`“According to the invention, in a packet communication environment, a method is
`provided for automatically classifying packet flows for use in allocating bandwidth
`resources and the like by a rule of assignment of a service level. The method
`comprises applying individual instances of traffic classification paradigms to packet
`network flows based on selectable information obtained from a plurality of layers of a
`multi-layered communication protocol in order to define a characteristic class, then
`mapping the flow to the defined traffic class. It is useful to note that the automatic
`classification is sufficiently robust to classify a complete enumeration of the possible
`traffic.
`In the present invention network managers need not know the technical aspects of
`each kind of traffic in order to configure traffic classes and service aggregates bundle
`traffic to provide a convenience to the user, by clarifying processing and enables the
`user to obtain group counts of all parts comprising a service.” Riddle, 4:6-23.
`“FIGS. 2A and 2B depict representative allocations of bandwidth made by a
`hypothetical network manager as an example. In FIG. 2A, the network manager has
`decided to divide her network resources first by allocating bandwidth between
`Departments A and B. FIG. 2A shows the resulting classification tree 201, in which
`Department A bandwidth resources 202 and Department B bandwidth resources 204
`each have their own nodes representing a specific traffic class for that department.
`Each traffic class may have a policy attribute associated with it. For example, in FIG.
`2A, the Department A resources node 202 has the policy attribute Inside Host Subnet
`A associated with it. Next, the network manager has chosen to divide the bandwidth
`resources of Department A among two applications. She allocates an FTP traffic class
`206 and a World Wide Web server traffic class 208. Each of these nodes may have a
`separate policy attribute associated with them. For example, in FIG. 2A, the FTP node
`206 for has an attribute Outside port 20 associated with it. Similarly, the network
`manager has chosen to divide network bandwidth resources of Department B into an
`FTP Server traffic class 210 and a World Wide Web server traffic class 212. Each
`may have their own respective policies.
`FIG. 2B shows a second example 203, wherein the network manager has chosen to
`first divide network band width resource between web traffic and TCP traffic. She
`creates three traffic nodes, a web traffic node 220, a TCP traffic node 224 and a
`default node 225. Next, she divides the web traffic among two organizational
`
`
`
`9
`
`Packet Intelligence Ex. 2013 Page 9 of 144
`
`

`

`EXHIBIT A9
`
`departments by creating a Department A node 226, and a Department B node 228.
`Each may have its own associated policy. Similarly, she divides TCP network
`bandwidth into separate traffic classes by creating a Department. A node 230 and a
`Department B node 232. Each represents a separate traffic class which may have its
`own policy.” Riddle, 10:19-51.
`“What is really needed is a method for analyzing real traffic in a customer's network
`and automatically producing a list of the ‘found traffic.’” Riddle, 3:67-4:2.
`“While these efforts teach methods for solving problems associated with scheduling
`transmissions, automatically determining data flow rate on a TCP connection,
`allocating bandwidth based upon a classification of network traffic and automatically
`determining a policy, respectively, there is no teaching in the prior art of methods for
`automatically classifying packet traffic based upon information gathered from a
`multiple layers in a multi-layer protocol network.” Riddle, 3:32-39.
`“A traffic class may be inferred from determining the identity of the creator of a
`resource used by the traffic class. For example, the identity of traffic using a certain
`connection can be determined by finding the identity of the creator of the connection.
`This method is used to detect Real Time Protocol (RTP) for point-to-point telephony,
`RTP for broad cast streaming, CCITT/ITU H320-telephony over ISDN, H323-
`internet telephony over the internet (bidirectional) and RTSP real time streaming
`protocol for movies (unidirectional).” Riddle, 12:3-12.
`“Flows requiring reserved service with guaranteed information rates, excess
`information rates or unreserved service are reconciled with the available bandwidth
`resources continuously and automatically.” Packer, 4:12-16.
`Riddle discloses this element, for example:
`
`“Network 60 is internetworked to network 70 via a system gateway which is depicted
`here as router 75, but which may also be a gateway having a firewall or a network
`bridge.” Riddle, 7:21-24.
`
`“8. A system for automatically classifying traffic in a packet telecommunications
`network, said network having any number of flows, including zero, comprising:
`a plurality of network links upon which said traffic is carried;
`a network routing means, and,
`
`1a
`
`(a) a packet-buffer memory configured to accept
`a packet from the packet acquisition device;
`
`
`
`10
`
`Packet Intelligence Ex. 2013 Page 10 of 144
`
`

`

`EXHIBIT A9
`
`a processor means operative to:
`parse a packet into a first flow specification, wherein said first flow specification
`contains at least one instance of any one of the following:
`a protocol family designation,
`a direction of packet flow designation,
`a protocol type designation,
`a pair of ports,
`in HTTP protocol packets, a pointer to a MIME type; thereupon,
`match the first flow specification of the parsing step to a plurality of classes
`represented by a plurality of said classification tree type nodes, each said
`classification tree type node having a traffic specification and a mask,
`according to the mask; thereupon,
`if a matching classification tree type node was not found in the matching step,
`associating said first flow specification with one or more newly-created
`classification tree type nodes, thereupon, incorporating said newly created
`classification tree type nodes into said plurality of said classification tree type
`nodes.” Riddle, Claim 8.
`
`
`“Conventional bandwidth management in TCP/IP networks is accomplished by a
`combination of TCP end systems and routers which queue packets and discard packets
`when certain congestion thresholds are exceeded.” Riddle, 2:51-54.
`
`“The hardware configurations are in general standard and will be described only
`briefly. In accordance with known practice, server 20 includes one or more processors
`30 which communicate with a number of peripheral devices via a bus subsystem 32.
`These peripheral devices typically include a storage subsystem 35, comprised of a
`memory subsystem 35a and a file storage subsystem 35b holding computer programs
`(e.g., code or instructions) and data, a set of user interface input and output devices 37,
`and an interface to outside networks, which may employ Ethernet, Token Ring, ATM,
`IEEE 802.3, ITU X.25, Serial Link Inter-net Protocol (SLIP) or the public switched
`telephone network. … Client 25 has the same general configuration, although typically
`with less storage and processing capability. Thus, while the client computer could be a
`terminal or a low-end personal computer, the server computer is generally a high-end
`workstation or mainframe, such as a SUN SPARC server. Corresponding elements and
`subsystems in the client computer are shown with corresponding, but primed, reference
`numerals.” Riddle, 6:1-23.
`
`
`
`11
`
`Packet Intelligence Ex. 2013 Page 11 of 144
`
`

`

`EXHIBIT A9
`
`
`
`
`
`Riddle, Fig. 1A.
`
`Based on these disclosures, a POSITA would have understood that Riddle’s buffering
`of packets in its router’s queue is a packet-buffer memory.
`
`“The following paper appendices are included here with and incorporated by reference
`in their entirety for all purposes:
`Appendix A: Source code listing of bandwidth allocation processing an embodiment of
`the invention comprising ten (10) sheets;
`Appendix B: Source code listing of URL classification processing an embodiment of
`the invention comprising twenty-four (24) sheets;
`Appendix C: Source code listing of classification processing an embodiment of the
`invention comprising nine (9) sheets; and
`Appendix D: Source code listing of speed scaling processing an embodiment of the
`
`
`
`12
`
`Packet Intelligence Ex. 2013 Page 12 of 144
`
`

`

`EXHIBIT A9
`
`invention comprising ten (10) sheets.” Packer, 1:54-2:3.
`
`“TCB – transport control block – TCP State information for both directions
`/*
`* BCB – Buffer Control Block. Contains packet info, including parsed * flow spec, as
`well as pointers to various layers of the actual
`* packet buffer
`*/”
`Packer Application, Appendix B.
`
`This teaching further shows that Riddle discloses a packet-buffer memory configured
`to accept packets.
`
`To the extent Riddle does not disclose a packet-buffer memory, a POSITA would have
`been motivated and found it obvious to include a packet-buffer memory in Riddle’s
`routing device based upon a POSITA’s own knowledge of network devices. Before the
`priority date of the ’099 Patent, a POSITA would have known that packet-buffer
`memories, such as queues, were found in every routing device. As the ’099 Patent
`acknowledges, a POSITA would have understood that a packet buffer temporarily
`stores incoming packets until the device is ready to process the packets. See ’099
`Patent, 22:60-23:3. In doing so, the packet buffer avoids packet loss because it
`provides a mechanism to store packets that may otherwise be dropped.
`
`Further, Riddle renders this claim element obvious in view of WO 92/19054
`(“Ferdinand”).
`
`As the ’099 Patent and Ferdinand acknowledge, a POSITA would have understood that
`a packet buffer temporarily stores incoming packets until the device is ready to process
`the packets. In doing so, the packet-buffer avoids packet loss because it provides a
`mechanism to store packets that may otherwise be dropped. Ferdinand’s exemplary
`packet-buffer memory, such as a frame buffer, is used to accept packets in network
`monitors.
`
`
`
`
`13
`
`Packet Intelligence Ex. 2013 Page 13 of 144
`
`

`

`EXHIBIT A9
`
`For example, Ferdinand discloses:
`
`“The following steps occur:
`1. ISR puts Received traffic frame _ITM on RTP input queue
`2. request address of pertinent data structure from STATS (get parse control record for
`this station)
`3. pass pointer to RTP
`4. update statistical objects by call to statistical update routine in STATS using pointer
`to pertinent data structure
`5. parse completed - release buffers” Ferdinand, 49:2-11.
`
`“The available memory is divided into four blocks during system initialization. One
`block includes receive frame buffers. They are used for receiving LAN traffic and for
`receiving secondary link traffic. These are organized as linked lists of fixed sized
`buffers.” Ferdinand, 26:2-7.
`
`“One of the fields of the ITM contains the address of the buffer containing the frame.
`The RTP must hand some received frames to the EM in order to accomplish the
`autotopology function (described later). After a frame has been parsed (whether the
`parse was successful or not), the RTP routine examines the source mac and ip
`addresses. If either of the addresses is that of another Network Monitor, RTP obtains a
`low priority ITM, initializes it and sends the ITM to the EM task. The address data
`structure (in particular, the flags field of the parse control record) within STATS for
`the MAC or the IP address indicates whether the source address is that of another
`Network Monitor. one of the fields of the ITM contains the address of the buffer
`containing the frame.” Ferdinand, 41:17-31.
`
`Based on Ferdinand’s teachings, a POSITA would have been motivated to modify
`Riddle’s monitor with a packet-buffer memory to temporarily store received packets
`and improve performance by limiting packet drops. Including a packet-buffer memory
`in a packet acquisition device in accordance with the teachings of Riddle and
`Ferdinand amounts to nothing more than combining known prior-art technologies used
`in their ordinary and predictable manner to queue packet traffic.
`
`
`
`14
`
`Packet Intelligence Ex. 2013 Page 14 of 144
`
`

`

`EXHIBIT A9
`
`
`Reasons to Modify Riddle in View of Ferdinand:
`
`Riddle and Ferdinand are in the same field of endeavor and contain overlapping
`disclosures with similar purposes. Riddle discloses a packet monitor that connects to a
`network for parsing and examining traffic packets. See, e.g., Riddle, 4:7-17, 12:27-41,
`Fig. 3, 4A-4B. And Riddle teaches its monitor stores flow-entry lists of packet
`identifying information and looks up flow-entries stored in the flow-entry lists. See,
`e.g., Riddle, 12:37-59, Figs. 3, 4A-4B. Further, Riddle’s monitor performs state
`operations to identify previously-encountered conversational flows or to store a new
`flows. See, e.g., Riddle, 9:14-27, 12:44-53, claim 8, Figs. 4A-4B.
`
`Similarly, Ferdinand discloses a packet monitor. For example, Ferdinand teaches that
`network monitor 10 having a “processor which collects packets on the network and
`performs some degree of analysis … to maintain statistical information for use in later
`analysis.” Ferdinand, 12:3-9.
`
`At the time of the Asserted Patents’ priority date, it was well-known and ubiquitous for
`networking devices to include database storage structures, buffers, caches, and distinct
`processing engines. Ferdinand illustrates this fact by describing a packet monitor
`having these features. See, e.g., Ferdinand, 19:8-12, 26:2-7, 28:14-17, Figs. 5, 7A-7C.
`For example, Ferdinand describes that its monitor includes a database for storing
`information about parsed packets. See, e.g., Ferdinand, 19:8-12, 22:18-23:23, 28:14-
`17, Figs. 5, 7A-7C. And Ferdinand teaches its monitor includes a packet buffer,
`database cache, and distinct processing engines. See, e.g., Ferdinand, 20:22-22:12,
`26:2-7, Fig. 5.
`
` A
`
` POSITA would have been motivated and found it obvious to store Riddle’s
`hierarchical classification tree and flow-entries in a database. Before the time of the
`invention, a POSITA would have been motivated to do so because storing Riddle’s
`trees and lists in a database would allow multiple network operators to access
`simultaneously the classification information. As illustrated by Ferdinand, a POSITA
`would have appreciated the increased functionality of storing Riddle’s data in a data-
`base—including searching, analyzing, and modifying the flow-entries. See, e.g.,
`
`
`
`15
`
`Packet Intelligence Ex. 2013 Page 15 of 144
`
`

`

`EXHIBIT A9
`
`Ferdinand 41:32-42:3, 44:8-14, 47:3-48:11. Such motivation would further Riddle’s
`desired goal of determining whether the examined packet belongs to a service
`aggregate, such as an FTP session. See, e.g., Riddle, 11:9-24, 13:36-62, Fig. 4B.
`
` A
`
` POSITA would have been motivated and found it obvious to have separate memory
`portions for Riddle’s buffering, parsing/extraction operations, and state
`patterns/operations. Before the time of the invention, a POSITA would have been
`motivated to do so because Riddle’s memory including a packet-buffer would provide
`a mechanism to store packets that may otherwise be dropped. A POSITA would have
`appreciated this provides the added benefit of improving performance by limiting
`packet drops. And as illustrated by Ferdinand, a POSITA would have been further
`motivated to include a cache coupled to Riddle’s flow-entry database memory to
`reduce look-up times. See, e.g., Ferdinand, 28:14-24, 54:18-22.
`
`Finally, to the extent Patentee argues that the Asserted Claims require distinct
`hardware components for the claimed parsing, lookups, protocol/state identification,
`and state processing/operations, a POSITA would have been motivated and found it
`obvious for Riddle’s monitor to have distinct hardware components. Before the time of
`the invention, a POSITA would have been motivated to do so because using separate
`components allows for increased performance of Riddle’s monitor. And the Asserted
`Patents acknowledge that a POSITA would have been appreciated the benefits and
`drawbacks to using separate hardware components versus software running on fast
`processors:
`Note that while we are describing a particular hardware implementation of
`the invention embodiment of FIG. 3, it would be clear to one skilled in the
`art that the flow of FIG. 3 may alternatively be implemented in software
`running on one or more general-purpose processors, or only partly
`implemented in hardware… To one skilled in the art it would be clear that
`more and more of the system may be implemented in software as processors
`become faster. ’099 Patent, 21:25-38.
`Riddle discloses this element, for example:
`
`“The hardware configurations are in general standard and will be described only
`briefly. In accordance with known practice, server 20 includes one or more processors
`30 which communicate with a number of peripheral devices via a bus subsystem 32.
`
`1b
`
`(b) a parsing/extraction operations memory
`configured to store a database of
`parsing/extraction operations that includes
`information describing how to determine at least
`one of the protocols used in a packet from data
`
`
`
`16
`
`Packet Intelligence Ex. 2013 Page 16 of 144
`
`

`

`in the packet;
`
`EXHIBIT A9
`
`These peripheral devices typically include a storage subsystem 35, comprised of a
`memory subsystem 35a and a file storage subsystem 35b holding computer programs
`(e.g., code or instructions) and data, a set of user interface input and output devices 37,
`and an interface to outside networks, which may employ Ethernet, Token Ring, ATM,
`IEEE 802.3, ITU X.25, Serial Link Inter-net Protocol (SLIP) or the public switched
`telephone network. … Client 25 has the same general configuration, although typically
`with less storage and processing capability. Thus, while the client computer could be a
`terminal or a low-end personal computer, the server computer is generally a high-end
`workstation or mainframe, such as a SUN SPARC server. Corresponding elements and
`subsystems in the client computer are shown with corresponding, but primed, reference
`numerals.” Riddle, 6:1-23.
`
`“FIG. 1B is a functional diagram of a computer system such as that of FIG. 1A. FIG.
`1B depicts a server 20, and a representative client 25 of a plurality of clients which
`may interact with the server 20 via the Internet 45 or any other communications
`method. Blocks to the right of the server are indicative of the processing steps and
`functions which occur in the server's program and data storage indicated by blocks 35a
`and 35b in FIG. A.” Riddle, 6:43-50.
`
`
`
`
`17
`
`Packet Intelligence Ex. 2013 Page 17 of 144
`
`

`

`EXHIBIT A9
`
`Riddle, Fig. 1A.
`
`
`
`
`
`
`18
`
`Packet Intelligence Ex. 2013 Page 18 of 144
`
`

`

`EXHIBIT A9
`
`Riddle, Fig. 1B.
`
`
`
`
`
`19
`
`Packet Intelligence Ex. 2013 Page 19 of 144
`
`

`

`EXHIBIT A9
`
`
`
`Riddle, Fig. 4A (portion).
`“FIG. 4A depicts a flowchart 401 of processing steps for automatically classifying
`traffic. In a step 402, a flow specification is parsed from the flow being classified. Then
`in a step 404, the flow specification parsed from the flow in step 402 is compared with
`the traffic specifications in each node of the classification tree. Rules are checked
`starting from most specific to least specific. In a decisional step 406, a determination is
`made if traffic matches one of the classes being classified. If this is so, then in a step
`408, an entry is made in a list of identifying characteristics, such as protocol type
`(SAP), IP protocol number, server port, traffic type if known, MIME type, a time of
`occurrence of the traffic.” Riddle, 12:42-53.
`“A method for automatically classifying traffic in a packet communications network …
`comprising the steps of: parsing a packet into a first flow specification, wherein said
`first flow specification contains at least one instance of any one of the following: a
`protocol family designation, a direction of packet flow designation, a protocol type
`designation, a pair of hosts, a pair of ports, in HTTP protocol packets, a pointer to a
`MIME type.” Riddle, claims 1, 8, 11.
`“The