__________________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD

__________________________

NETSKOPE, INC.,
Petitioner,
v.
FORTINET, INC.,
Patent Owner.
__________________________

PTAB Case No. IPR2023-00456
Patent No. 11,036,856 B2
__________________________

REBUTTAL DECLARATION OF DR. MICHAEL FRANZ IN SUPPORT OF
PETITIONER’S REPLY TO PATENT OWNER’S RESPONSE

Netskope, 1013
Netskope v. Fortinet, IPR2023-00456

TABLE OF CONTENTS

I. INTRODUCTION
II. RESPONSES TO PATENT OWNER RESPONSE
    A. Obviousness of the “copying” limitation in the ’856 claims has been established
    B. The references relied upon by Petitioner would have been obvious to combine
    C. In claims 8/19/27, the location of the second repository is merely an implementation decision
    D. The Sharpe-Seese-Kamalapuram-Dods combination rendered claims 3, 6, 11, 15, 17, 23, and 25 obvious
    E. PO repeatedly misquoted or mischaracterized my testimony

LIST OF APPENDICES

Appendix G: Chris Hoffmann, What is ReFS (the Resilient File System) on Windows? June 26, 2017.

Appendix H: Andrew Cunningham and Lee Hutchinson, macOS 10.12 Sierra: The Ars Technica Review, September 20, 2016.

I. INTRODUCTION

1. I, Dr. Michael Franz, have been retained by Petitioner Netskope, Inc. (“Petitioner”) to investigate and opine on certain issues relating to United States Patent No. 11,036,856 (“the ’856 patent”). Petitioner requests that the Patent Trial and Appeal Board (“PTAB” or “Board”) review and cancel claims 1-28 of the ’856 patent.

2. Last year, I provided a declaration in support of Petitioner’s IPR Petition. My Opening Declaration is Exhibit 1002 to the Petition and provides an explanation of my qualifications, a discussion of the technology relevant to the ’856 patent, and my opinions with respect to the ’856 patent.

3. I have prepared this Rebuttal Declaration to address arguments made in the Patent Owner Response (“POR”) and the accompanying Declaration of John Black in support of the Patent Owner Response (Ex. 2004, “Black Response Declaration”).

4. In addition to the materials referenced and cited in my Opening Declaration, I have now reviewed and considered the Board’s Institution Decision, Patent Owner’s Preliminary Response and its Response, the declaration of John Black in support of Patent Owner’s Preliminary Response, Dr. Black’s declaration in support of Patent Owner’s Response, and the transcript of the deposition of Dr. Black.

II. RESPONSES TO PATENT OWNER RESPONSE

A. Obviousness of the “copying” limitation in the ’856 claims has been established

1. PO interprets a “copying” operation more narrowly than would a POSITA

5. It is my understanding that Dr. Black contends “[c]opying” information requires creating, at least temporarily, a second copy of portions of that information and “[m]oving” merely requires changing the location of the information within a file, and that the ’856 patent does not use those terms interchangeably. (Black Supp. Declaration, ¶¶48-61.) Dr. Black contends “moving” occurs when data is moved within the same file share (what he calls “moving without copying” or Moving Type I), while “copying” occurs when data is moved between file shares (what he calls “moving with copying” or Moving Type II). (Black Dep. Tr., 9:5-10:11.) Dr. Black also contends “plain old copying,” “sharing,” and “transferring” are not interchangeably used in the ’856 patent and the industry. For the reasons below, I disagree.

a. The ’856 patent uses “moving” and “copying” interchangeably

6. Various sections of the ’856 patent use moving/copying interchangeably. Figures 1a and 1b speak of “moving” files and do not mention copying at all. The specification additionally uses the terms “transfer” (8:28) and “copying” in (8:56) to refer to those same “moving” operations:

“mak[ing] the clean file accessible to the users by copying and/or transferring the clean file from dirty file store 106 to clean file store 110 that is accessible to the users.”

7. So the specification uses “moving,” “copying,” and “transferring” to refer to the same operations. While the specification uses the terminology “copying and/or transferring,” the almost exact same language is re-iterated in the claims as:

- makes the clean file accessible to the users by, […], copying the clean file from the first repository to a second repository that is accessible to the users (Claim 1)

- making the clean file accessible to the users by, […], copying the clean file from the first repository to a second repository that is accessible to the users (Claim 13).

- make the clean file accessible to the users by, […], copying the clean file from the first repository to a second repository that is accessible to the users (Claim 21).

8. Claim 12 recites both “moving” and “copying” and uses the terms interchangeably. Claim 12 depends from claim 1, which, as noted above, states “copying the clean file from the first repository to a second repository.” Claim 12 recites:

(’856 patent, cl. 12 (highlighting added); see also ’856 patent, 6:36-45.) Here, the terms “moving” and “copying” are used interchangeably. Under PO’s view of “copying” and “moving,” claim 12 makes no sense. If “copying” is only used when moving files to a different file system, then the first repository and second repository would need to be separate file systems. But that cannot be true because the third repository “moves” files—an operation PO contends only happens when files are moved between the same file system—to the physically-separate first and second repository.

9. In the latter option where the file is moved from the first repository to the second repository, the operation of “copying” a clean file from the first repository to the second repository (from claim 1) is realized by “moving” the file to the third repository then “moving” the file again to the second repository – thus appearing to perform a “copy” operation by two “move” operations.

10. Other parts of the ’856 patent also use “moving” and “copying” interchangeably with other operations including “transferring” and “sharing,” as the Board noted. (ID, 22-23.) For example:

- Claim 5: “copies the file to the second repository by sharing it by means of any or a combination of network file system (NFS), file transfer protocol (FTP), common Internet file system (CIFS), Internet Small Computer Systems Interface (iSCSI), Storage Area Network (SAN), and local storage.”

- Figure 4A, reference 408: “moving clean files into clean S3 bucket.”

- 6:5-6: “In an embodiment, the network security device can copy the file to the second repository by sharing it.”

- 8:54-57: “network security device 108 can make the clean file accessible to the users by copying and/or transferring the clean file from dirty file store 106 to clean file store 110 that is accessible to the users.”

- 10:17-22: “clean file transfer module 204 can make the clean file … accessible to the users by, copying or transferring the clean file from a first repository (e.g., dirty file store 104) that is inaccessible to end users to a second repository (e.g., clean file store 110) that is accessible to end users.”

- 10:28-29: “clean file transfer module 204 can copy the file to the second repository by sharing it.”

11. Finally, to support their interpretation of the claimed “copying” operation, PO points to Figure 1B and argues that the patent claims “copying” because “‘moving’ files without ‘copying’ is not practical” in the Figure 1B implementation. (POR, 20, 22.) “Circumstances” envisioned by the patent allegedly motivate a POSITA to “to copy files rather than move them without copying.” (Black Supp. Decl., ¶60.)

12. I disagree with these arguments. They result in PO reading out embodiments of the ’856 patent. First, both Figure 1B and Figure 1A state that “Clean Files are Moved to Clean File Store” (emphasis added). There is no reason to conclude either from the figures or from the corresponding description in the specification that “moved” in one figure has a different meaning than “moved” in the other figure. I also note that the fact that Figure 1A uses “moved” and “copied” when describing a file going from the first to second repository on the same data store undermines PO’s argument that “copying” is only used when data moves to a different file store.

13. Furthermore, even if a POSITA would understand that “moving” a file can be implemented in different ways depending on the configuration of the file system (see infra, ¶23-25), claim 1 does not specify the location of the second repository and thus is not limited to the particular implementation in which “copying” means “moving by copying” that PO apparently believes to follow from Figure 1B. Dependent claim 9 in fact states that the second repository is “part of the public cloud file store,” like the first repository, and thus is directed to the embodiment of Figure 1A. The specification states that the “sanitized storage area…may or may not be a part of the public cloud file store.” (’856, 3:34-35.) PO’s interpretation of “copy” as an operation that is performed when the first and second repositories are located on separate storage volumes reads out the dependent claims and the embodiments in the specification that do not require this configuration.

b. PO’s own references use “moving” and “copying” interchangeably.

14. PO’s attempts to distinguish between “moving” and “copying” are undercut by their own literature. First, the FortiSandbox manual cited in the Petition, provides an option to “keep a copy of the original file on FortiSandbox.” See the following excerpt from p. 115:

(FortiSandbox, p. 115)

If this option is one that the user can select, whether a copy remains is immaterial to the operation of the FortiSandbox device.

15. Additionally, Ex. 2003, a later version of the FortiSandbox Administration guide, uses “moving” and “copying” interchangeably. Although Ex. 2003 was published in 2023, its use of “moving” and “copying” reflects what a POSITA would have understood in 2018, at the time of the ’856 patent’s filing, because there were no significant changes to these fundamental file system concepts between 2018 and 2023. For example, the following excerpt from p. 76 uses the combined term “copying or moving”.

(Ex. 2003, p. 76; annotated)

16. Even more confusingly, or perhaps amusingly, the later edition of the FortiSandbox manual provided in Ex. 2003 uses the terminology of “moving” in conjunction with the option of “leaving a copy in its original location.” In the excerpts below, what the PO now calls “copying” appears to have been described as “moving while keeping a copy.”

(Ex. 2003, p. 76; annotated)

(Ex. 2003, p. 79; annotated)

(Ex. 2003, p. 99; annotated)

c. PO's distinctions between “moving” and “copying” are inconsistent with the way a POSITA would understand these terms

17. The PO keeps making the argument that copying files is “less efficient” than moving files because “the amount of processing required to copy a real-word [sic] file is more than the amount of processing required to modify file system directory entries.” (POR, 22.)

18. This is a naïve understanding of how modern file systems actually work. A POSITA having at least two years of practical experience with computer networking and computer security (Franz Op., ¶28) would have had a much more advanced understanding of modern file systems and their operations, based on actual systems in use at the time and their specific deployment to counter computer security threats. In particular, a POSITA would be familiar with “copy-on-write functionality” introduced into modern file systems from 2008 onwards.

19. In such copy-on-write file systems, additional disk storage blocks are allocated only at the time that one of the copies is modified (i.e., “upon writing”), to store the modified bits of the affected copy–while any remaining copies continue to share the original bits.

20. Because of its ability to create almost instantaneous copies of files without having to duplicate the underlying bits, copy-on-write file systems rapidly gained in popularity. For example, the copy-on-write feature is supported in Microsoft’s Windows Server 2012 operating system, released in August 2012[1], and in Apple’s APFS File system, announced in June 2016 and rolled out to both iOS and MacOS in the following year.[2]

[1] See Appendix G
[2] See Appendix H

21. The functionality of copy-on-write has been widely used, and would have been known to a POSITA, for applications that include combating the problem of ransomware, which is malware that surreptitiously encrypts an organization’s files and will release the encryption key only upon payment of a ransom payment.

22. A common defense against ransomware is taking “snapshots” of the file system, each of which is typically an inaccessible hidden copy of the entire file system’s contents. Obviously, it would be extremely wasteful to duplicate the bit-level content of every file for every snapshot. This is where “copy on write” comes in: in a file system providing copy-on-write, “copying a file” entails only a directory pointer operation if both the source and destination are mapped to the same storage volume: a duplicate directory entry is created that points to the same sequence of disk blocks as the original file. Hence, one can create as many copies of a file as one likes without requiring any additional storage space beyond the extra directory entries, and the cost of the “copy” operation itself is independent of the length of the file.

23. Hence, as I explained previously, a POSITA would understand that in a modern operating system, “moving” and “copying” of a file on the same storage volume are both mere directory entry operations that require no file content bits to be duplicated, while “moving” and “copying” of a file to a different storage volume both require the actual duplication of content bits. Hence, the “efficiency” of such an operation is not determined by whether it is “copying” or “moving”, but whether source and destination are on the same volume or not. The following table summarizes this:

| | destination path is mapped to a different storage volume as the source | destination path is mapped to the same storage volume as the source |
|---|---|---|
| file-level “copy” operation | (1) the blocks of the file are duplicated to the destination medium (effort proportional to the size of the file), then a new directory entry is created to point to the newly allocated storage blocks | (2) a new directory entry is created that points to the existing storage blocks of the original file |
| file-level “move” operation | (3) the blocks of the file are duplicated to the destination medium (effort proportional to the size of the file), then the original directory entry is modified to point to the newly allocated storage blocks | (4) the original directory entry is modified and continues pointing to the existing storage blocks of the original file |

24. It is also worthwhile to note that in (3) above (moving a file from one storage volume to another), the original bits are usually not actually deleted from the storage volume until the corresponding blocks are re-used for storing something else. So, at least temporarily, a second copy of the file contents exists.

25. In summary, whether or not content bits are duplicated depends on the configuration of the filesystem and not on the operation used: If source and destination are located on different volumes, both “copying” and “moving” would entail duplication of bits. If the source and destination are on the same volume, “copying,” like “moving,” can be implemented by just updating a pointer in a file system directory without duplication of bits (at least until one of the copies is modified).

26. A POSITA would have been able to determine how exactly to implement either of these operations within a system, based on the particular configuration of the system.

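The four cases in the table above can be observed on a Linux host by promoting a file from a "dirty" directory to a "clean" one. The sketch below is an added example and is not part of the declaration or of any exhibit; the function names, directory layout and sample file are constructed, and the reflink attempt assumes Linux's FICLONE ioctl.

```python
import errno
import fcntl
import os
import shutil
import tempfile

# Linux ioctl request for a whole-file reflink clone (_IOW(0x94, 9, int)).
FICLONE = 0x40049409


def same_volume(path_a, path_b):
    """True when both paths live on the same device (storage volume)."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def copy_file(src, dst):
    """Copy src to dst. Returns 'reflink' when the file system shared the
    existing blocks (case 2), or 'bytes' when content was duplicated (case 1,
    or a same-volume file system without copy-on-write)."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        try:
            fcntl.ioctl(d.fileno(), FICLONE, s.fileno())
            return "reflink"
        except OSError:
            # Clone refused: fall back to duplicating the content bits.
            shutil.copyfileobj(s, d)
            return "bytes"


def move_file(src, dst, rename=os.rename):
    """Move src to dst. Returns 'rename' for a pure directory-entry update
    (case 4) or 'copy+delete' when the kernel reports EXDEV (case 3).
    `rename` is injectable so the cross-volume path can be exercised."""
    try:
        rename(src, dst)
        return "rename"
    except OSError as exc:
        if exc.errno != errno.EXDEV:
            raise
    copy_file(src, dst)
    os.unlink(src)  # frees the source blocks; it does not overwrite them
    return "copy+delete"


def demo():
    """Promote a constructed sample file between two directories of one temp
    tree (a single volume) and report which mechanism each operation used."""
    with tempfile.TemporaryDirectory() as root:
        dirty = os.path.join(root, "dirty")
        clean = os.path.join(root, "clean")
        os.mkdir(dirty)
        os.mkdir(clean)
        src = os.path.join(dirty, "sample.bin")
        with open(src, "wb") as f:
            f.write(os.urandom(1 << 20))  # constructed 1 MiB sample
        inode = os.stat(src).st_ino
        result = {"same_volume": same_volume(src, clean)}
        result["copy"] = copy_file(src, os.path.join(clean, "copy.bin"))
        moved = os.path.join(clean, "moved.bin")
        result["move"] = move_file(src, moved)
        # An unchanged inode shows the move touched only directory entries.
        result["inode_kept"] = os.stat(moved).st_ino == inode
        return result


if __name__ == "__main__":
    print(demo())
```

On Btrfs or reflink-enabled XFS the copy reports `reflink`; on ext4 or tmpfs it reports `bytes`, while the same-volume move reports `rename` on all of them.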

d. To achieve the expressed purpose of the alleged invention, it is immaterial whether one is “moving” or “copying”

27. The relevant purpose of “moving”/ “copying” in the alleged invention described in the ’856 patent is for “making clean files available to the end users” after they have successfully passed the determination phase. For this goal, it makes no difference whether they are moved or copied, i.e., it is immaterial whether possibly inaccessible duplicate copies of the clean files remain in the dirty file storage or not.

28. One could go even further and argue that requiring that such inaccessible duplicate copies remain in the dirty file storage is nonsense. It most certainly isn’t an “invention.”

e. PO’s definition of “copying” makes their argument nearly impossible to follow

29. PO’s convoluted distinctions between “copying,” “moving by copying,” “moving without copying,” etc., make it challenging to understand both the scope of the ’856 patent and their arguments in this proceeding. For example, as discussed above, Figures 1A and 1B both state that files are “moved” to a clean file repository and, by PO's argument, one is supposed to be able to conclude from Figure 1B that its moving operation includes a copy operation. At the same time, PO argues that “moving by copying” would not have been obvious when Petitioner’s references use the term “moving.” It is entirely unclear how one would know that “moving” includes “copying” in one instance, but would not know this in another instance.

30. In another example, Dr. Black distinguishes between a “type 2 move, which is copy and erase” and “a plain old copy.” (Black Dep. Tr., 18:5-6.) Dr. Black explained how “moving by copying” differs from “just copying” as follows: “[M]oving by copying implies that you’re doing a copy and then an erasure of the original….Copying implies that you make a copy and you don’t remove the original.” (Id., 27:11-19.) Where claim 1 recites “copying,” then, how would a POSITA know what the scope of this operation would entail? The internal contradictions of PO’s argument are brought even more into focus in the context of claim 12, which recites multiple “moving” operations and a “copying” operation.

2. Burdett renders obvious “copying” a file

31. Burdett describes “moving” a file and describes one example in which this is performed by changing a path in a file system. (Burdett, 25:28-31.) This is consistent with “copying” a file, at least in some cases. For example, as described above, “copying” can be implemented by updating a pointer if the source and destination are on the same volume using the well-known copy-on-write technique. A POSITA would have known that using this technique would in fact have the same performance characteristics as “move”.

32. Even implementing a “copy” operation by other techniques would not materially impact efficiency of Burdett’s system. PO’s only argument against the efficiency of a “copy” operation relative to a “move” operation compares the processing requirements of a “move” operation within the same file system on the same volume to a “copy” operation between different file systems or volumes. (POR, 2, 24-27.) This comparison is irrelevant. For example, a “move” operation from one volume to another would entail similar duplication of bits as a “copy” operation because – even as admitted by PO – the only material difference between these operations is whether an original file is deleted from its initial location. (Black Dep. Tr., 10:10-11.) Besides, the performance impact of making even full copies of all the content bits of a file would likely be immaterial in comparison to other, far more expensive operations in Burdett’s overall system, such as the cost of performing the security checks on the files.

3. The Sharpe-Seese-Kamalapuram combination renders obvious “copying” a file

33. As described in the Petition, Kamalapuram discloses or renders obvious “copying” a file to a second repository. (Pet., 67-68.) Kamalapuram describes “moving” when it stated, “a file may be stored in an isolated area of the network storage system while waiting to be scanned, and may be moved to a general storage area only after the file has been scanned by a security analysis system of the network storage system.” (Kamalapuram, [0122].) Kamalapuram does not specify whether the “isolated area of the network storage system” and the “general storage area” are located on the same physical volume. A POSITA would have known how to implement a “move” under various configurations of the file system as described above, including how to implement “moving by copying.” (See infra at ¶¶23-26.)

34. Likewise, for the same reasons as those discussed with respect to Burdett, implementing a “copy” operation in the combined Sharpe-Seese-Kamalapuram system would not materially impact efficiency. Recycling their arguments against Burdett, PO argues that “it would be nonsensical to implement Kamalapuram’s ‘moving’ using any copying – the much more efficient solution would be to ‘move’ files by changing file system directory entries and thus without ‘copying.’” (POR, 32.) But once again, this argument (1) assumes that the ’856 claims only cover the implementation in which the first and second repositories are located on different volumes, (2) reads into Kamalapuram a non-existent requirement to only move files within the same file system, and (3) makes unreasonable efficiency comparisons accounting for only some, but not all embodiments of the systems in question.

B. The references relied upon by Petitioner would have been obvious to combine

1. Burdett and FortiSandbox would have been obvious to combine

35. PO argued that the Burdett-FortiSandbox combination would not have been obvious because “moving Burdett’s scanning service 304 from its original location in cloud infrastructure 302 to the FortiSandbox device would be detrimental to the performance of Burdett’s system.” (POR, 28.)

36. I disagree. Burdett describes copying a file to repositories outside the cloud file store for malware scans. For example, Burdett describes how a file is “copied to the data store of the scanning service” to be scanned for malicious content. (Burdett, 29:34-38.) Later, Burdett similarly states that “The scanning service may copy the file from the cloud data store to another data store” for scanning the file, where “[t]he another data store may be a local data store.” (Burdett, 30:59-62.) Based on this disclosure, there would not be significant inefficiencies caused by copying a file to a local data store on the FortiSandbox device for scanning by the FortiSandbox device.

37. Furthermore, performing scans on a device on an enterprise network would also have been obvious because of concerns such as privacy and controllability, as further explained in the Petition and my supporting declaration. (Pet., 19; Ex. 1002, ¶¶43, 46, 69-70, 88-89.) In an example, an enterprise may, as they often do, want to control their scans, such as wanting the ability to perform bulk scans, scheduling scans, or performing on-demand scans when they want, or performing more advanced security scans. Using a cloud service provider's scanning can hamper that control because the cloud service provider controls which types of scans are available, when and how they can be done, the uptime of the service, the security of the service, etc.

38. Dr. Black identifies several purported disadvantages to the combination of Burdett and FortiSandbox. I disagree with each of these.

| Negative Repercussions of Burdett-FortiSandbox Combination cited by Dr. Black (Black Supp. Decl., ¶65) | Response |
|---|---|
| “Scanning service 304 cannot start processing a file until it arrives at the FortiSandbox device, injecting delay into the system.” | There is no reason why the file would need to entirely arrive at the FortiSandbox device. The device does not need to download an entire file, and it can begin scanning as soon as blocks of the file begin arriving. |
| “The additional network traffic from transmitting files from cloud infrastructure 302 to the FortiSandbox device consumes bandwidth and may result in network congestion.” | Again, the FortiSandbox device does not necessarily need to download an entire file. For example, if the first block of the file is sufficient to determine that the file contains malware, then the rest of the file no longer needs to be considered because it won't change the overall classification of the file. |
| “Transmitting files from cloud infrastructure 302 to the FortiSandbox devices results in unnecessary security risks, since there is always the possibility of a third party snooping traffic.” | If the network connection is encrypted, there is little risk of snooping. On the other hand, leaving the scan to be performed in the cloud can lead to security risks because an enterprise cannot be certain that the cloud scanner actually performs the expected functionality. A scanner under the operational control of the enterprise is much easier to supervise. |
| “There are additional managerial complexities in configuring permissions on both the FortiSandbox device and cloud infrastructure 302 to permit scanning service 304 on the FortiSandbox device to access files in cloud infrastructure 302.” | Any managerial complexities that result from the combination are likely desirable, or at least outweighed by other benefits, because, as discussed above, there are advantages to the enterprise having control over the scan. |

39. Additionally, as described in the Petition and my declaration in support of the Petition, it would have been obvious to natively mount Burdett’s cloud file store to the FortiSandbox device at least because this combination would have enabled batch scans of entire directories of the cloud file store. (Pet., 30; Ex. 1002, ¶¶85-89.) These batch scans would have been more efficient than the file-by-file scanning taught by Burdett. (See, e.g., Burdett, 28:41-45 (describing event notifications in the form of JSON files passed onto a queue, where “The scanning service may pull this JSON structure from the queue”); 29:31-34 (“Based on a notification of a file event…the scanning service may request a copy of the file to be examined.”)) For example, there would be a single (“push”) notification in the combination that indicates a change to a directory. The FortiSandbox device could then scan the directory (“pull”) for any of the updates that occurred since the last notification – thus batching any file scans into one bulk operation. As I explained in my original declaration, the combination would be more efficient than Burdett’s process in which you have to wait for an individual push notification to arrive for each file before you can process it. The combination would reduce the number of notifications that are generated and would enable initiating individual file scans based on direct observation of changes in the file directory. (Ex. 1002, ¶¶52-56, 85-89).[3] Dr. Black argued that information about “which files are new and need to be scanned…[can] easily be included in the notification, thereby allowing bulk scans.” (Black Supp. Decl., ¶64.) However, Dr. Black does not explain how the single-file notifications in Burdett would allow bulk scans.

[3] Patent Owner also mischaracterized my deposition testimony on this point. See infra, ¶50.

2. Sharpe and Seese would have been obvious to combine

40. PO’s arguments against the Sharpe-Seese combination are similar to those against the Burdett-FortiSandbox combination, and I disagree with these arguments for similar reasons.

41. First, PO argues that it would have been more efficient to “run Sharpe’s malware scans directly in the same cloud storage provider environment 4210.” (POR, 34.) However, there is no basis for this argument in Sharpe. Instead, Sharpe describes locating an anti-virus service at a remote, secure site: an anti-virus service “located at a secure site in close network proximity with the cloud storage system…[could] perform anti-virus scans for the distributed filesystem.” (Sharpe, 98:26-32; see also Pet., 53). Seese describes just such a remote, secure site that a POSITA would have found obvious to use with Sharpe. (Seese, [0018], [0064], [0067]; Pet., 63-64.) Additionally, Sharpe describes how a cloud controller “accesses the data blocks for the new file from cloud storage system 302…and the files are transferred to anti-virus services 4214.” (Sharpe, 97:48-51; emphasis added.) Since at least this portion of Sharpe already describes transferring files between different environments, it would not have been prohibitively inefficient to combine Sharpe and Seese by performing an anti-virus scan on a network security device.

C. In claims 8/19/27, the location of the second repository is merely an implementation decision

42. With respect to dependent claims 8, 19, and 27, PO makes a convoluted argument that it would not be obvious to be taking a file from a public cloud file store and, after determining that the file is clean, moving/copying that file to a different storage location that is either part of the network security device or part of an external storage device that forms part of the enterprise network. (POR, 37-39.)

43. I disagree. A POSITA would have understood that files on a public file storage can be potentially malicious – we do not want these files inside of our network. But once these files have successfully passed examination, they are safe to store anywhere, including in the enterprise network. Any further details are merely an implementation decision.

44. Contrary to the PO’s argument, modifying the reference
