`
`U.S. PATENT NO. 8,243,593
`MECHANISM FOR IDENTIFYING AND PENALIZING MISBEHAVING FLOWS IN A NETWORK
`CLAIM CHART FOR CLAIMS 1, 3-6, 8-12, 14, 16-181
`
`Practicing Entity: Defendants Dell Technologies Inc., Dell Inc., and EMC Corporation (collectively, “Dell”)
`
`Representative Accused Instrumentality:2 The Dell EMC SD-WAN Edge 3000 and the Dell EMC SD-WAN Edge 600 Series (Edge 600,
`Edge 610, Edge 620, Edge 640, Edge 680) (collectively, the “Dell ‘593 Products(s)”).
`
`
`
`‘593 Patent Claim
`
`Infringing Instrumentality
`
`[1PRE] A machine-
`implemented method for
`processing a single flow, the
`flow comprising a plurality of
`packets, and the method
`comprising:
`
`Dell directly infringes the claim by performing, controlling, and/or directing each and every step of
`the claimed method. See, e.g., [1a]-[1f]. Specifically, Dell through the operation of the Dell ‘593
`Products performs the method of processing a single flow, the flow comprising a plurality of packets.
`
`For example, to the extent the preamble is limiting, through operation of the Dell ‘593 Products,
`Dell performs, controls, and/or directs a method of processing a single flow, the flow comprising a
`plurality of packets, the method comprising the steps of [1a]-[1f]. See, e.g., [1a]-[1f].
`
`Additionally, and/or in the alternative, Dell indirectly infringes the claim—for example, by actively
`inducing and/or contributing to infringing performance, control, and/or direction of each and every
`step of the claimed method by third parties such as Dell ‘593 Product end users, Dell ‘593 Product
`developers, and Dell ‘593 Product partners. See, e.g., [1a]-[1f].
`
`
`
`[1a] creating a flow block as
`the first packet of a flow is
`processed by a single router;
`
`The Dell ‘593 Products create a flow block as a first packet of a flow is processed. Specifically, the
`Dell ‘593 Products on receiving a data packet process the data packet and if the data packet does not
`match an existing flow, a new flow block is created in the flow table. A flow block is a flow entry
`that is used to match and process packets.
`
`
`
`1 The limitations of this claim are met literally and under the Doctrine of Equivalents. This infringement analysis is preliminary, and
`Plaintiffs’ infringement investigation is ongoing. Plaintiffs may provide additional theories under which one or more products
`and/or services infringe this patent.
`
`2 This list of Infringing Products was created based solely on publicly available information and is not exhaustive.
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 1 of 46
`
`EX1051
`Palo Alto Networks v. Sable Networks
`IPR2020-01712
`
`
`
`EXHIBIT D
`
`The flow blocks created by the Dell ‘593 Products contains both “match fields” for matching packets
`and “counters” to track the packets associated with the flow block. The “match fields” include
`packet headers, the ingress port, and optionally metadata values. These “match fields” are used to
`process packets and match them against existing flow blocks. If when a first packet is processed by
`the Dell ‘593 Products and no match is found a new flow block is created.
`
`
`Dell EMC SD-WAN Solution Overview, DELL DOCUMENTATION at 2 (2019).
`
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 2 of 46
`
`
`
`EXHIBIT D
`
`
`
`VMware SD-WAN by VeloCloud Stateful Firewall (78116), VMWARE KNOWLEDGE BASE (March
`16, 2020), available at: https://kb.vmware.com/s/article/78116
`
`
`Further, the Dell ‘593 Products describe that as packets are processed the data is logged. “Since an
`Edges is now session-aware, there is much more information that can be reported in the firewall
`logs. The logs will contain the following fields: Time, Segment, Edge, Action, Interface, Protocol,
`Source IP, Source Port, Destination IP, Destination Port, Rule, Bytes Received/Sent, Duration.”
`VMware SD-WAN by VeloCloud Stateful Firewall (78116), VMWARE KNOWLEDGE BASE (March
`16, 2020), available at: https://kb.vmware.com/s/article/78116
`The Dell ‘593 Products compile statistics
`
`
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 3 of 46
`
`
`
`EXHIBIT D
`
`[1b] said flow block being
`configured to store payload-
`content-agnostic behavioral
`statistics pertaining to said
`flow, regardless of the presence
`or absence of congestion;
`
`The Dell ‘593 Products are configured to store payload content agnostic statics pertaining to a flow.
`Specifically, the Dell ‘593 Products contain functionality for “counters” in each flow block. When
`a packet is processed by the router the “counter(s)” associated with the flow are updated in the flow
`block. On information and belief, counters that are utilized by the Dell ‘593 Products can include
`“received packets,” “flow duration,” “received bytes,” “transmission rate,” etc. Further, the Dell
`‘593 Products compile statistics for each flow and based on the monitoring of these statistics can
`take “On Demand Remediation” to penalize misbehaving flows.
`
`Tony Banuelos and Jaspreet Bhatia, Know, Understand, Execute: Network Monitoring and
`Analytics with SD-WAN, VMWORLD 2019 SESSION NEDG2576BU PRESENTATION AT 16 (2019).
`
`
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 4 of 46
`
`
`
`EXHIBIT D
`
`The counters that are maintained by the Dell ‘593 Products are payload-content-agnostic behavioral
`statistics. The specification for the ‘593 patent describes the use of these counters as being
`behavioral statistics as they “provide and up to date reflection of the flows behavior.”
`
`[B]ehavioral statistics include a total byte count (sum of all of the bytes in all
`of the packets of the flow that have been processed up to the current time), a
`life duration (how long the flow has been in existence since inception), a flow
`rate (derived by dividing the total byte count by the life duration of the flow),
`and an average packet size (derived by dividing the total byte count by the total
`number of packets in the flow that have been processed). These behavioral
`statistics are updated as information packets belonging to the flow are
`processed; thus, they provide an up to date reflection of the flows behavior.
`
`‘593 patents, col. 2:6-17 (emphasis added).
`
`
`
`[1c] said router updating said
`flow block with the payload-
`content-agnostic behavioral
`statistics of each packet
`belonging to said flow, as each
`packet belonging to said flow is
`processed by said router,
`regardless of the presence or
`absence of congestion;
`
`The ‘593 Products perform the step of updating the flow block with the payload content agnostic
`behavior statics of each packet belonging to flow are processed by the router. Further, the updating
`of the “counters” associated with each flow are updated by the Dell ‘593 products as each packet of
`a flow is processed by the router regardless of network congestion. For example, the Dell ‘593
`Products on receiving a packet and finding it matches an existing flow will update the “duration
`counter” in the flow block to reflect the total duration that the flow has been in existence. Similarly,
`the Dell ‘593 Products will also update the total number of packets associated with the flow. If this
`is the second packet associated with the flow the counter will be incrementally updated from “1” to
`“2.”
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 5 of 46
`
`
`
`EXHIBIT D
`
`
`
`VMware SD-WAN by VeloCloud Stateful Firewall (78116), VMWARE KNOWLEDGE BASE (March
`16, 2020), available at: https://kb.vmware.com/s/article/78116
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 6 of 46
`
`
`
`EXHIBIT D
`
`
`
`[1d] said router heuristically
`determining whether said flow
`exhibits undesirable behavior
`by comparing at least one of
`said payload-content-agnostic
`behavioral statistics to at least
`one pre-determined threshold
`value; and
`
`Guide – VMware SD-WAN by VeloCloud Features & Benefits, VMWARE DOCUMENTATION at 2
`(2019) (emphasis added).
`
`
`
`The Dell ‘593 Products determine whether a flow exhibits undesirable behavior by using heuristic
`techniques. Specifically, the Dell ‘593 products heuristically determine whether the flow exhibits
`undesirable behavior by comparing at least one of the payload-content-agnostic behavioral statistics
`to at least one pre-determined threshold value. For example, the Dell ‘593 products enable the use
`of heuristic calculations that include statistical information about the behavior of the flow such as
`the duration that the flow has exceeded a threshold value such as its rate of transmission. As
`discussed in detail below these types of determinations are heuristic techniques.
`
`
`
`The specification of the ‘593 patent describes that identification of misbehaving flows can be done
`by done in a heuristic way. Specifically, behavioral statistics about the flow might not be directly
`identified with a flow misbehaving but might be strongly indicative of a flow having undesirable
`characteristics. Using behavioral statistical data as a proxy for making a determination about the
`quality of a flow is a heuristic technique because it uses data that produces an approximate
`determination. Specifically, the Dell ‘593 Products use the behavioral statistics (transmission rate,
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 7 of 46
`
`
`
`EXHIBIT D
`
`byte count, etc.) to make an approximate determination that a flow is undesirable and could be part
`of an attack. Similarly, the ‘593 patent describes how one can use behavioral statistics to make a
`determination that a flow is associated with peer-to-peer traffic. The Dell ‘593 Product’s use of flow
`behavior to identify flows and the ‘593 patent specifications description of using flow behavior to
`identify P2P traffic are heuristic as they use data about the flow to make a efficient conclusion about
`the flow. These calculations are not guaranteed to be optimal, perfect, or rational, but are
`nevertheless sufficient for reaching an immediate reasonable result.
`
`These components are included in the function because it has been found that
`they provide a measure of whether a flow is misbehaving. For example, it has
`been found that P2P traffic flows generally have high byte counts, relatively
`long life, relatively high rates, and relatively large average packet sizes. These
`characteristics are also found in other types of abusive/misbehaving flows.
`Thus, these components are manifestations of misbehavior. By taking these
`components into account in the computation of the badness factor, it is possible
`to derive a badness factor that provides an indication of whether a flow is
`misbehaving.
`
`‘593 patent, col. 8:5-15 (emphasis added).
`
`The Dell ‘593 Products compile statistics for each flow and based on the monitoring of these
`statistics can take “On Demand Remediation” to penalize misbehaving flows.
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 8 of 46
`
`
`
`EXHIBIT D
`
`Tony Banuelos and Jaspreet Bhatia, Know, Understand, Execute: Network Monitoring and
`Analytics with SD-WAN, VMWORLD 2019 SESSION NEDG2576BU PRESENTATION AT 16 (2019).
`
`
`
`[1e] upon determination by said
`router that said flow exhibits
`undesirable behavior,
`enforcing, relative to at least
`one packet, a penalty;
`
`The Dell ‘593 Products upon a determination by the router that a flow exhibits undesirable behavior
`enforces a penalty on at least one packet of the flow. Specifically, the Dell ‘593 Products on determining
`that a flow is exhibiting undesirable behavior can drop the flow wherein all packets in the flow are
`dropped. “Since an Edges is now session-aware, there is much more information that can be
`reported in the firewall logs. The logs will contain the following fields: Time, Segment, Edge,
`Action, Interface, Protocol, Source IP, Source Port, Destination IP, Destination Port, Rule, Bytes
`Received/Sent, Duration.” VMware SD-WAN by VeloCloud Stateful Firewall (78116), VMWARE
`KNOWLEDGE BASE (March 16, 2020), available at: https://kb.vmware.com/s/article/78116
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 9 of 46
`
`
`
`EXHIBIT D
`
`
`
`Tony Banuelos and Jaspreet Bhatia, Know, Understand, Execute: Network Monitoring and
`Analytics with SD-WAN, VMWORLD 2019 SESSION NEDG2576BU PRESENTATION AT 16 (2019).
`
`
`
`[1f] wherein the preceding
`steps are performed on said
`router without requiring use of
`inter-router data.
`
`The Dell ‘593 Products perform the preceding steps without requiring use of inter-router data.
`Specifically, one can perform the above steps using only the statistics stored in the flow block and
`do not need to use inter-router data to set policing.
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 10 of 46
`
`
`
`EXHIBIT D
`
`
`
`VMware SD-WAN by VeloCloud Stateful Firewall (78116), VMWARE KNOWLEDGE BASE (March
`16, 2020), available at: https://kb.vmware.com/s/article/78116
`
`
`
`[3PRE] An article of
`manufacture comprising:
`
`Dell makes, sells, offers to sell, imports, and/or uses a system for comprising each and every
`limitation of the claim, and directly infringes the claim on at least these bases. See, e.g., [3a]-[3f].
`
`To the extent the preamble is limiting, the Dell ‘593 Products are articles of manufacture comprising
`elements of [3a]-[3f].
`
`Additionally, and/or in the alternative, Dell indirectly infringes the claim – for example. by actively
`inducing and/or contributing to third-party infringement (e.g., infringement by Dell ‘593 Product
`end-users and/or third-party integrators). See, e.g., [3a]-[3f].
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 11 of 46
`
`
`
`EXHIBIT D
`
`
`
`[3a] a non-transitory computer-
`readable medium having stored
`thereon a data structure;
`
`The Dell ‘593 Products comprise a non-transitory computer-readable medium on which a data structure is
`stored. Specifically, the Dell ‘593 Products enable the storage of a flow block and flow table on the
`routers non-transitory computer readable medium (memory). “Since an Edges is now session-aware,
`there is much more information that can be reported in the firewall logs. The logs will contain the
`following fields: Time, Segment, Edge, Action, Interface, Protocol, Source IP, Source Port,
`Destination IP, Destination Port, Rule, Bytes Received/Sent, Duration.” VMware SD-WAN by
`VeloCloud Stateful Firewall (78116), VMWARE KNOWLEDGE BASE (March 16, 2020), available at:
`https://kb.vmware.com/s/article/78116
`
`
`Dell EMC SD-WAN Solution Overview, DELL DOCUMENTATION at 2 (2019).
`
`
`
`
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 12 of 46
`
`
`
`EXHIBIT D
`
`[3b] a first field containing data
`representing a flow block;
`
`The Dell ‘593 Products comprise a data structure with a first field containing data the represents a
`flow block.
`
`
`
`VMware SD-WAN by VeloCloud Stateful Firewall (78116), VMWARE KNOWLEDGE BASE (March
`16, 2020), available at: https://kb.vmware.com/s/article/78116
`
`
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 13 of 46
`
`
`
`EXHIBIT D
`
`The Dell ‘593 Products contain a data structure with a second field containing data representing payload-
`
`[3c] a second field containing
`data representing payload-
`content-agnostic behavioral
`statistics about dropped and
`non-dropped packets of a flow;
`
`content-agnostic behavioral statistics about dropped and non-dropped packets of a flow.
`VMware SD-WAN by VeloCloud Stateful Firewall (78116), VMWARE KNOWLEDGE BASE (March
`16, 2020), available at: https://kb.vmware.com/s/article/78116
`
`
`
`[3d] a third field containing
`data representing pre-
`determined behavior threshold
`values;
`
`The Dell ‘593 Products determine whether a flow exhibits undesirable behavior by using heuristic
`techniques. Specifically, the Dell ‘593 products heuristically determine whether the flow exhibits
`undesirable behavior by comparing at least one of the payload-content-agnostic behavioral statistics
`to at least one pre-determined threshold value. For example, the Dell ‘593 products enable the use
`of heuristic calculations that include statistical information about the behavior of the flow such as
`the duration that the flow has exceeded a threshold value such as its rate of transmission. As
`discussed in detail below these types of determinations are heuristic techniques.
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 14 of 46
`
`
`
`EXHIBIT D
`
`
`
`The specification of the ‘593 patent describes that identification of misbehaving flows can be done
`by done in a heuristic way. Specifically, behavioral statistics about the flow might not be directly
`identified with a flow misbehaving but might be strongly indicative of a flow having undesirable
`characteristics. Using behavioral statistical data as a proxy for making a determination about the
`quality of a flow is a heuristic technique because it uses data that produces an approximate
`determination. Specifically, the Dell ‘593 Products use the behavioral statistics (transmission rate,
`byte count, etc.) to make an approximate determination that a flow is undesirable and could be part
`of an attack. Similarly, the ‘593 patent describes how one can use behavioral statistics to make a
`determination that a flow is associated with peer-to-peer traffic. The Dell ‘593 Product’s use of flow
`behavior to identify flows and the ‘593 patent specifications description of using flow behavior to
`identify P2P traffic are heuristic as they use data about the flow to make a efficient conclusion about
`the flow. These calculations are not guaranteed to be optimal, perfect, or rational, but are
`nevertheless sufficient for reaching an immediate reasonable result.
`
`These components are included in the function because it has been found that
`they provide a measure of whether a flow is misbehaving. For example, it has
`been found that P2P traffic flows generally have high byte counts, relatively
`long life, relatively high rates, and relatively large average packet sizes. These
`characteristics are also found in other types of abusive/misbehaving flows.
`Thus, these components are manifestations of misbehavior. By taking these
`components into account in the computation of the badness factor, it is possible
`to derive a badness factor that provides an indication of whether a flow is
`misbehaving.
`
`‘593 patent, col. 8:5-15 (emphasis added).
`
`The Dell ‘593 Products compile statistics for each flow and based on the monitoring of these
`statistics can take “On Demand Remediation” to penalize misbehaving flows.
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 15 of 46
`
`
`
`EXHIBIT D
`
`Tony Banuelos and Jaspreet Bhatia, Know, Understand, Execute: Network Monitoring and
`Analytics with SD-WAN, VMWORLD 2019 SESSION NEDG2576BU PRESENTATION AT 16 (2019).
`
`
`
`[3e] a fourth field containing
`data representing the results of
`a heuristic determination of
`whether said flow exhibits
`undesirable behavior
`determined by comparing said
`
`The Dell ‘593 Products are configured to store payload content agnostic statics pertaining to a flow.
`Specifically, the Dell ‘593 Products contain functionality for “counters” in each flow block. When
`a packet is processed by the router the “counter(s)” associated with the flow are updated in the flow
`block. On information and belief, counters that are utilized by the Dell ‘593 Products can include
`“received packets,” “flow duration,” “received bytes,” “transmission rate,” etc. Further, the Dell
`‘593 Products compile statistics for each flow and based on the monitoring of these statistics can
`take “On Demand Remediation” to penalize misbehaving flows.
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 16 of 46
`
`
`
`behavioral statistics to said pre-
`determined threshold values;
`
`EXHIBIT D
`
`Tony Banuelos and Jaspreet Bhatia, Know, Understand, Execute: Network Monitoring and
`Analytics with SD-WAN, VMWORLD 2019 SESSION NEDG2576BU PRESENTATION AT 16 (2019).
`
`
`
`The counters that are maintained by the Dell ‘593 Products are payload-content-agnostic behavioral
`statistics. The specification for the ‘593 patent describes the use of these counters as being
`behavioral statistics as they “provide and up to date reflection of the flows behavior.”
`
`[B]ehavioral statistics include a total byte count (sum of all of the bytes in all
`of the packets of the flow that have been processed up to the current time), a
`life duration (how long the flow has been in existence since inception), a flow
`rate (derived by dividing the total byte count by the life duration of the flow),
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 17 of 46
`
`
`
`EXHIBIT D
`
`and an average packet size (derived by dividing the total byte count by the total
`number of packets in the flow that have been processed). These behavioral
`statistics are updated as information packets belonging to the flow are
`processed; thus, they provide an up to date reflection of the flows behavior.
`
`‘593 patents, col. 2:6-17 (emphasis added).
`
`
`
`[3f] a fifth field containing data
`representing at least one
`penalty to be enforced against
`at least one packet upon
`determination that said flow
`exhibits undesirable behavior.
`
`The Dell ‘593 Products contain a data structure with a fifth field containing data representing at least one
`penalty to be enforced against one or more packets upon a determination that a flow exhibits undesirable
`behavior. . “Since an Edges is now session-aware, there is much more information that can be
`reported in the firewall logs. The logs will contain the following fields: Time, Segment, Edge,
`Action, Interface, Protocol, Source IP, Source Port, Destination IP, Destination Port, Rule, Bytes
`Received/Sent, Duration.” VMware SD-WAN by VeloCloud Stateful Firewall (78116), VMWARE
`KNOWLEDGE BASE (March 16, 2020), available at: https://kb.vmware.com/s/article/78116
`
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 18 of 46
`
`
`
`EXHIBIT D
`
`Tony Banuelos and Jaspreet Bhatia, Know, Understand, Execute: Network Monitoring and
`Analytics with SD-WAN, VMWORLD 2019 SESSION NEDG2576BU PRESENTATION AT 16 (2019).
`
`
`
`[4PRE] A machine
`implemented method for
`processing a flow, the flow
`comprising a series of
`information packets, the
`method comprising:
`
`Dell directly infringes the claim by performing, controlling, and/or directing each and every step of
`the claimed method. See, e.g., [4a]-[4c]. Specifically, Dell through the operation of the Dell ‘593
`Products performs the method of identifying and penalizing misbehaving information packet flows
`in a network.
`
`For example, to the extent the preamble is limiting, through operation of the Dell ‘593 Products,
`Dell performs, controls, and/or directs a method of identifying and penalizing misbehaving
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 19 of 46
`
`
`
`EXHIBIT D
`
`information packet flows in a network, the method comprising the steps of [4a]-[4c]. See, e.g., [4a]-
`[4c].
`
`Additionally, and/or in the alternative, Dell indirectly infringes the claim—for example, by actively
`inducing and/or contributing to infringing performance, control, and/or direction of each and every
`step of the claimed method by third parties such as Dell ‘593 Product end users, Dell ‘593 Product
`developers, and Dell ‘593 Product partners. See, e.g., [4a]-[4c].
`
`
`
`The Dell ‘593 Products perform the step of maintaining a set of behavioral statistics for the flow,
`where the set of behavioral statistics are updated based on each information packet belonging to the
`flow as each information packet belonging to the flow is processed. On iformation and belief, counters
`that are utilized by the Dell ‘593 Products can include “received packets,” “flow duration,” “received bytes,”
`“transmission rate,” etc. Further, the Dell ‘593 Products compile statistics for each flow and based on the
`monitoring of these statistics can take “On Demand Remediation” to penalize misbehaving flows.
`
`[4a] maintaining a set of
`behavioral statistics for the
`flow, wherein the set of
`behavioral statistics is updated
`based on each information
`packet belonging to the flow, as
`each information packet
`belonging to the flow is
`processed;
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 20 of 46
`
`
`
`EXHIBIT D
`
`Tony Banuelos and Jaspreet Bhatia, Know, Understand, Execute: Network Monitoring and
`Analytics with SD-WAN, VMWORLD 2019 SESSION NEDG2576BU PRESENTATION AT 16 (2019).
`
`The counters that are maintained by the Dell ‘593 Products are payload-content-agnostic behavioral
`statistics. The specification for the ‘593 patent describes the use of these counters as being
`behavioral statistics as they “provide and up to date reflection of the flows behavior.”
`
`[B]ehavioral statistics include a total byte count (sum of all of the bytes in all
`of the packets of the flow that have been processed up to the current time), a
`life duration (how long the flow has been in existence since inception), a flow
`rate (derived by dividing the total byte count by the life duration of the flow),
`and an average packet size (derived by dividing the total byte count by the total
`number of packets in the flow that have been processed). These behavioral
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 21 of 46
`
`
`
`EXHIBIT D
`
`statistics are updated as information packets belonging to the flow are
`processed; thus, they provide an up to date reflection of the flows behavior.
`
`‘593 patents, col. 2:6-17 (emphasis added).
`
`
`
`[4b] determining, based at least
`partially upon the set of
`behavioral statistics, whether
`the flow is exhibiting
`undesirable behavior,
`regardless of the presence or
`absence of congestion; and
`
`The Dell ‘593 Products determine whether a flow exhibits undesirable behavior by using heuristic
`techniques. Specifically, the Dell ‘593 products heuristically determine whether the flow exhibits
`undesirable behavior by comparing at least one of the payload-content-agnostic behavioral statistics
`to at least one pre-determined threshold value. For example, the Dell ‘593 products enable the use
`of heuristic calculations that include statistical information about the behavior of the flow such as
`the duration that the flow has exceeded a threshold value such as its rate of transmission. As
`discussed in detail below these types of determinations are heuristic techniques.
`
`
`
`The specification of the ‘593 patent describes that identification of misbehaving flows can be done
`by done in a heuristic way. Specifically, behavioral statistics about the flow might not be directly
`identified with a flow misbehaving but might be strongly indicative of a flow having undesirable
`characteristics. Using behavioral statistical data as a proxy for making a determination about the
`quality of a flow is a heuristic technique because it uses data that produces an approximate
`determination. Specifically, the Dell ‘593 Products use the behavioral statistics (transmission rate,
`byte count, etc.) to make an approximate determination that a flow is undesirable and could be part
`of an attack. Similarly, the ‘593 patent describes how one can use behavioral statistics to make a
`determination that a flow is associated with peer-to-peer traffic. The Dell ‘593 Product’s use of flow
`behavior to identify flows and the ‘593 patent specifications description of using flow behavior to
`identify P2P traffic are heuristic as they use data about the flow to make a efficient conclusion about
`the flow. These calculations are not guaranteed to be optimal, perfect, or rational, but are
`nevertheless sufficient for reaching an immediate reasonable result.
`
`These components are included in the function because it has been found that
`they provide a measure of whether a flow is misbehaving. For example, it has
`been found that P2P traffic flows generally have high byte counts, relatively
`long life, relatively high rates, and relatively large average packet sizes. These
`characteristics are also found in other types of abusive/misbehaving flows.
`Thus, these components are manifestations of misbehavior. By taking these
`components into account in the computation of the badness factor, it is possible
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 22 of 46
`
`
`
`EXHIBIT D
`
`to derive a badness factor that provides an indication of whether a flow is
`misbehaving.
`
`‘593 patent, col. 8:5-15 (emphasis added).
`
`The Dell ‘593 Products compile statistics for each flow and based on the monitoring of these
`statistics can take “On Demand Remediation” to penalize misbehaving flows.
`
`Tony Banuelos and Jaspreet Bhatia, Know, Understand, Execute: Network Monitoring and
`Analytics with SD-WAN, VMWORLD 2019 SESSION NEDG2576BU PRESENTATION AT 16 (2019).
`
`
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 23 of 46
`
`
`
`EXHIBIT D
`
`[4c] in response to a
`determination that the flow is
`exhibiting undesirable
`behavior, enforcing a penalty
`on the flow.
`
`
`
`The Dell ‘593 Products perform the step of enforcing a penalty on the flow in response to a
`determination that the flow is exhibiting undesirable behavior. Specifically, the Dell ‘593 Products
`on determining that a flow is exhibiting undesirable behavior can drop the flow wherein all packets
`in the flow are dropped. “Since an Edges is now session-aware, there is much more information that
`can be reported in the firewall logs. The logs will contain the following fields: Time, Segment, Edge,
`Action, Interface, Protocol, Source IP, Source Port, Destination IP, Destination Port, Rule, Bytes
`Received/Sent, Duration.” VMware SD-WAN by VeloCloud Stateful Firewall (78116), VMWARE
`KNOWLEDGE BASE (March 16, 2020), available at: https://kb.vmware.com/s/article/78116
`
`
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 24 of 46
`
`
`
`EXHIBIT D
`
`Tony Banuelos and Jaspreet Bhatia, Know, Understand, Execute: Network Monitoring and
`Analytics with SD-WAN, VMWORLD 2019 SESSION NEDG2576BU PRESENTATION AT 16 (2019).
`
`
`
`Dell directly infringes the claim by performing, controlling, and/or directing each and every step of
`the claimed method. See, e.g., [5a]-[5c]. Specifically, Dell through the operation of the Dell ‘593
`Products performs the method of processing a flow, the flow comprising a series of information
`packets.
`
`[5PRE] A machine
`implemented method for
`processing a flow, the flow
`comprising a series of
`information packets, the
`method comprising:
`
`SABLE NETWORKS, INC AND SABLE IP, LLC – PRELIMINARY INFRINGEMENT ANALYSIS
`
`Page 25 of 46
`
`
`
`EXHIBIT D
`
`For example, to the extent the preamble is limiting, through operation of the Dell ‘593 Products,
`Dell performs, controls, and/or directs a method of processing a flow, the flow comprising a series
`of information packets, the method comprising the steps of [5a]-[5c]. See, e.g., [5a]-[5c].
`
`Additionally, and/or in the alternative, Dell indirectly infringes the claim—for example, by actively
`inducing and/or contributing to infringing performance, control, and/or direction of each and every
`step of the claimed method by third parties such as Dell ‘593 Product end users, Dell ‘593 Product
`developers, and Dell ‘593 Product partners. See, e.g., [5a]-[5c].
`
`
`
`The Dell ‘593 Products perform the step of maintaining behavioral statistics about a flow wherein
`the behavioral statistics are updated based on each information packet belonging to the flow being
`processed by the Dell ‘593 Products. The behavioral statistics are maintained and updated by the
`Dell ‘593 Products regardless of the presence or absence of congestion. flow block. On information
`and belief, counters that are utilized by the Dell ‘593 Products can include “received packets,” “flow
`duration,” “received bytes,” “transmission rate,” etc. Further, the Dell ‘593 Products compile
`statistics for each flow and based on the monitoring of these statistics can take “On Demand
`Remediation” to penalize misbehaving flows.
`
`[5a] maintaining a set of
`behavioral stati