UNITED STATES PATENT AND TRADEMARK OFFICE
________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
________________

Netskope, Inc.,
Petitioner,

v.

Fortinet, Inc.,
Patent Owner
________________

Case IPR2023-00459
U.S. Patent No. 10,084,825
________________

SUPPLEMENTAL DECLARATION OF DR. JOHN BLACK JR.

IN SUPPORT OF PATENT OWNER’S RESPONSE

Fortinet Ex-2004

04880-00038/14648296.2
1. I have been retained on behalf of Fortinet, Inc. (“Patent Owner”) in connection with the above-captioned inter partes review (IPR). I have been retained to provide my opinions in support of Fortinet’s Patent Owner Preliminary Response. I am being compensated for my time at the rate of $625 per hour. I have no interest in the outcome of this proceeding.

2. In preparing this declaration, I have reviewed and am familiar with the Petition for IPR2023-00459, U.S. Patent No. 10,084,825 (“the ’825 patent”) and its file history, and all other materials cited and discussed in the Petition (including the declaration of Petitioner’s expert Michael Franz, Ph.D.), and cited and discussed in this Declaration. I have also reviewed the Board’s Institution Decision.

3. The statements made herein are based upon my own knowledge and opinion. This Declaration represents only the opinions I have formed to date. I may consider additional documents as they become available or other documents that are necessary to form my opinions. I reserve the right to revise, supplement, or amend my opinions based on new information and on my continuing analysis.

I. QUALIFICATIONS

4. My qualifications can be found in my Curriculum Vitae (see Ex. 2002), which includes my detailed employment background, professional experience, and list of technical publications and patents.
`
5. I am an Associate Professor of Computer Science at the University of Colorado, Boulder. I received a B.S. in Mathematics and Computer Science from the California State University at Hayward (now "California State University, East Bay") in 1988. I received an M.S. in Computer Science in 1997, and a Ph.D. in Computer Science in 2000, both from the University of California at Davis.

6. I have taught more than 60 classes in computer science, on subjects including data structures, algorithms, networking, operating systems, software engineering, security, cryptography, discrete mathematics, and quantum computing. I have authored or coauthored more than 20 publications, primarily on issues relating to computer security. I have been involved with computers for over 40 years in both commercial and academic capacities.

7. My earliest interest was in networks and security. My first memories in this regard were around 1975 when a group of friends and I learned about the telephone network and its security. A few years later, personal computers became available and I spent most of my free time studying, programming, and modifying them. I worked extensively with various networking products throughout the 1980s, and developed an interest in cryptography soon thereafter. Although my undergraduate institution had no courses in cryptography or security in the 1980s, I decided to pursue self-study at the time, and opted to double major in Computer Science and Mathematics because cryptography is a blend of these two subject areas.
`
8. After earning my B.S. degree in 1988, I worked for six years at Ingres Corp as a software developer, writing and reviewing code written in C. My work primarily was directed at transaction logging, data type support, and security.

9. In 1995, I began my Ph.D. at UC Davis under cryptographer Phillip Rogaway. My area of focus was cryptography and security and my research involved encryption, authentication, hash functions, and network security.

10. After graduation I took a position as an Assistant Professor at the University of Nevada at Reno. In the Fall of 2001, I taught the networking class there, which included coverage of Ethernet, interior gateway protocols, exterior gateway protocols, ARP, DHCP/BOOTP, IP, UDP, TCP, HTTP, SMTP and other protocols. In 2001, a graduate student and I looked at the security of ARP and invented a new protocol "AuthARP" to add security to the protocol.

11. In 2002, I moved to the University of Colorado at Boulder where I am currently employed. In the Fall of 2002, I co-designed and co-taught a new course called "Foundations of Computer and Network Security," which included descriptions of security issues around both wired and wireless security challenges, mostly for public-facing network services including the world-wide web. I have taught this class seven more times since then, including modern topics such as wireless networking, the Internet of Things, and so forth.
`
12. In my career at the University of Colorado, I have published several more papers in the area of cryptography and network security. I have taught more than 30 courses in network security and cryptography, and have graduated several PhD students in these areas.

13. I also have worked for a consulting company at times, writing software on a contract basis. Although most projects are covered by NDAs, many involved networks and/or aspects of computer security.

14. In 2011, I began technical consulting for a local company called Cardinal Peak, which focuses primarily on video encoding and delivery systems. My work for Cardinal Peak has largely been directed to video encoding, transcoding, compression, encryption, and DRM, but also has included networking projects and embedded device work. For example, I designed the security system for the Pro1 smart thermostat, implemented the DRM for the Yonder Music App, worked on 802.1X code for smart dog collars, and helped design the cryptography used in Fitbit devices for wireless transfer of a Fitbit watch to a phone or laptop.

15. In 2016, I took a two-and-a-half year leave of absence from the University of Colorado to start a company named "SecureSet" in Denver, Colorado. The objective of SecureSet is to take reasonably proficient technical people and turn them into computer and network security specialists via five months of intensive training. SecureSet was sold to WeWork in 2019 and continues to offer computer security classes today. In 2018 I returned to my position at the University where I remain employed to the present day.
`
II. LEGAL UNDERSTANDING

A. The Person of Ordinary Skill in the Art

16. I understand that a person of ordinary skill in the relevant art at the time of the invention (also referred to herein as “ordinary artisan”) is presumed to be aware of all pertinent art, thinks along conventional wisdom in the art, and is a person of ordinary creativity—not an automaton.

17. I have been asked to consider the level of ordinary skill in the field that someone would have had at the time the claimed invention was made. In deciding the level of ordinary skill, I considered the following:

• the levels of education and experience of persons working in the field;

• the types of problems encountered in the field; and

• the sophistication of the technology.

18. A person of ordinary skill in the art relevant to the ’825 patent at the time of the invention would have a Bachelor of Science degree in electrical engineering and/or computer science, and two years of work or research experience in the fields of network and data security, or a Master’s degree in electrical engineering and/or computer science and one year of work or research experience in related fields.
`
19. I have reviewed the declaration of Dr. Franz, including his opinions regarding the Person of Ordinary Skill in the Art. My description of the level of ordinary skill in the art is essentially the same as that of Dr. Franz. The opinions set forth in this Declaration would be the same under either my or Dr. Franz’s proposal.

20. I am well-qualified to determine the level of ordinary skill in the art and am personally familiar with the technology of the ’825 patent. I was a person of at least ordinary skill in the art at the time of the priority date of the ’825 patent. Even if I do not explicitly state that my statements below are based on this timeframe, all of my statements are to be understood as an ordinary artisan would have understood something as of the priority date of the ’825 patent.

B. Legal Principles

21. I am not a lawyer and will not provide any legal opinions. Though I am not a lawyer, I have been advised that certain legal standards are to be applied by technical experts in forming opinions regarding the meaning and validity of patent claims.

1. Obviousness
`
22. I understand that to obtain a patent, a claimed invention must have, as of the priority date, been nonobvious in view of prior art in the field. I understand that an invention is obvious when the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art.

23. I understand that to prove that prior art, or a combination of prior art, renders a patent obvious, it is necessary to: (1) identify the particular references that singly, or in combination, make the patent obvious; (2) specifically identify which elements of the patent claim appear in each of the asserted references; and (3) explain how the prior art references could have been combined to create the inventions claimed in the asserted claim.

24. I understand that a patent composed of several elements is not proved obvious merely by demonstrating that each of its elements was, independently, known in the prior art, and that obviousness cannot be based on the hindsight combination of components selectively culled from the prior art to fit the parameters of the patented invention.

25. I also understand that a reference may be said to teach away when a person of ordinary skill, upon reading the reference, would be discouraged from following the path set out in the reference, or would be led in a direction divergent from the path that was taken by the applicant. Even if a reference is not found to teach away, I understand its statements regarding preferences are relevant to a finding regarding whether a skilled artisan would be motivated to combine that reference with another reference.
`
2. My Understanding of Claim Construction Law

26. I have been informed that patent claims are construed from the viewpoint of an ordinary artisan and that patent claims generally should be understood consistent with their ordinary and customary meaning at the time of the invention. A review of the patent claim language, the patent specification, and its prosecution history is also necessary to determine the proper meaning and scope of the term at issue.

27. I have further been informed that in the specification and prosecution history the patentee may define a claim term in a way that differs from the ordinary and customary meaning. I understand that during prosecution of the patent before the U.S. Patent and Trademark Office, the Applicant may make representations or provide definitions of terms that may affect the scope of the patent claims. In particular, the Applicant may, during the course of prosecution, limit the scope of the claims to overcome prior art and/or disavow claim coverage by making clear and unambiguous statements to that effect.

28. I have been informed that an ordinary artisan may, among other things, consider dictionaries, publications, other patents, and treatises (i.e., “extrinsic evidence”). I understand that extrinsic evidence may generally not be relied on if it contradicts the meaning of claim language provided by the intrinsic evidence, such as express definitions given for terms in the specification.
`
III. OVERVIEW OF THE ’825 PATENT

A. The ’825 Patent Specification

29. The ’825 patent, entitled “Reducing Redundant Operations Performed by Members of a Cooperative Security Fabric” was filed June 27, 2017 and claims priority to a provisional application filed on May 8, 2017. Ex. 1001.

30. The ’825 patent explains that “[i]n a large network” with “many network security appliances,” each appliance may “work independently and execute operations” on “network traffic transmitted to/from the network” that may be wasteful and redundant. Ex. 1001, 1:33-37, 1:45-52.

31. The ’825 patent solves this issue by using a “cooperative security fabric (CSF)” (a product that Patent Owner introduced to the market a few months before the ’825 patent’s earliest filing date) with interconnected network security appliances that can “coordinat[e] security operations” using flags carried by incoming/outgoing network traffic to indicate which operations have already been executed by an appliance, and further indicate whether the packets were transmitted by participating appliances in the CSF.
`
32. Figure 2 of the ’825 patent is an example topology of a CSF. The “root node … is the outermost network security appliance of the cooperative security fabric [and] acts as a WAN role in topology 200 that connects a private network to other networks or the Internet.” Ex. 1001, 5:52-56. There are also branch nodes that constitute a middle layer and leaf nodes that connect endpoint devices to the network. Id., 5:60-6:5. As is evident, there are several different paths that network traffic could take, thereby requiring different coordination depending on the path. The ’825 patent explains that a topology may have multiple root nodes, multiple layers of branch nodes, and paths that do not involve branch nodes (such as the red path below). Id., 6:14-24. The below figure is a modified version of Figure 2 which shows that each leaf node is a network security appliance for a subnetwork of endpoints.

[Figure: modified version of Figure 2 of the ’825 patent, showing each leaf node as a network security appliance for a subnetwork of endpoints]
33. Thus, in the ’825 patent, when coordinating operations, the network security appliances operate on “downstream network traffic that is transmitted from the Internet 110 to a subnet” or “upstream network traffic that is transmitted from [a] subnet ... to the Internet 110.” Id., 5:33-38. The network appliances will inspect network packets for flags that, if present, indicate that the flag “was added to the original network packet by a previous member node along the transmission path ... to indicate that the network packet is transmitted from a member node” as well as “information about the distribution of security operations among member nodes of a CSF.” Id., 6:53-7:4. However, if the flag is not present, “it means that the member node is the first member of the CSF to receive the incoming packet” which “happen[s] to root nodes for downstream network traffic and leaf nodes for upstream network traffic.” Id., 7:26-30.
`
IV. OVERVIEW OF CERTAIN ART

34. Although the petition cites to a number of references, the main references it relies on for its challenge against the independent claims of the ’825 patent are Chandra (for Grounds 1-4) and Keohane (for Grounds 5-8). The petition’s first ground of challenge asserts Chandra alone renders obvious the independent claims (as well as some of the dependent claims). The petition’s fifth ground of challenge asserts that Keohane alone renders obvious the independent claims (as well as some of the dependent claims). Below, I summarize Chandra and Keohane.

A. Chandra (Ex. 1004)

35. Chandra is directed to a network where “data is transferred between network devices,” i.e. network traffic only within a network. Ex. 1004, ¶4. Chandra notes that, with respect to a network involving multiple VPN sites, the VPN firewall policies may “be uniform among all the VPN sites.” Id., ¶6. However, “[t]his can result in the same action being performed by more than one VPN site.” Id.

36. To resolve this specific issue of redundant actions performed on internal network traffic, Chandra describes a system involving coordination between “a transmitting Customer Edge (CE)” and a “receiving CE,” where the transmitting CE and receiving CE can be “for example, Intrusion Detection Systems (IDSs), firewalls, etc.” Id., ¶30. In other words, the transmitting CE may be a firewall for the VPN site that receives traffic from the transmitting endpoint, and the receiving CE may be a firewall for another VPN site that sends traffic to the receiving endpoint. See Fig. 2.

[Figure: Chandra (Ex. 1004), Fig. 2]
37. Transmitting CE and receiving CE coordinate which actions to perform on the network traffic by using labels that are used to tag the data packets. Id., ¶¶31-32. Prior to that, the transmitting CE and receiving CE will first “authenticate each other” and exchange the “CE labels that can be used for tagging the data packets.” Id., ¶33.

38. Thus, as shown above, Chandra only discloses coordination for traffic between two nodes within the same network, not traffic coming into or going out of the network. Id., ¶21. For incoming traffic that originates from outside the network, such as the Internet, only the “receiving CE” receives such traffic and thus only the receiving CE will be able to perform actions on such traffic. Id., ¶53; see also ¶77 (“[R]eceiving end can identify a data packet from the Internet as insecure, and perform rigorous actions on it.”).
`
B. Keohane (Ex. 1008)

39. Keohane is directed to a method for performing iterative security operations on incoming network traffic in a single direction. Ex. 1008, ¶¶33-37. Keohane’s method is depicted in Figure 3 below.

[Figure: Keohane (Ex. 1008), Figure 3]
`
40. As shown in the figure, Keohane screens incoming data through a Firewall (300) and a Mail Gateway (302) before ultimately allowing the data to be transmitted to the packet.

41. Keohane’s data screen methods involve the attachment of a signature located in the header of a data packet by an upstream network element in order for a downstream network element to be able to confirm the traffic was received from the upstream network element. Id., ¶11. Thus, as depicted in Figure 3, a data packet travels in one direction from network element “firewall 300,” to “mail gateway 302,” and to “client 304,” with each network element performing a security action on the data and inserting a “signature ... indicat[ing] that a previous security action has been performed on the data packet.” Id., ¶¶32-37.
`
V. CLAIM CONSTRUCTION

42. In my opinion, all claim terms should be given their ordinary meaning. I understand that Petitioner and Dr. Franz also agree that all the terms should be given their ordinary meaning. Pet. 14; Ex. 1003, ¶53.

43. In my first declaration in support of Patent Owner’s Preliminary Response, I opined that the term “fabric” “requires network nodes that process bidirectional communications.” Ex. 2001, ¶¶43-51. I understand that while the Board credited my testimony and the evidence I cited to, it construed “fabric” as “a network topology such as the physical structure of a switch or network.” Paper 10 at 9. I understand that Petitioner, through its expert Dr. Franz, has broadly interpreted the Board’s construction to cover any network configuration, including two computers connected by a single cable or one computer sending unidirectional data to a second computer. See Ex. 2005, 14:18-24 (“[T]he network fabric in this case is just these two boxes with the cable.”); 17:13-18 (opining that two computers communicating in one direction is still “two computers networked together”). This is in conjunction with Petitioner’s position that the larger phrase “cooperative security fabric” can be met by just two devices connected directly to each other. Pet. 27 (arguing that “as few as two [appliances] are needed” to “form a CSF”). I note that Dr. Franz admitted he lacked familiarity with the field of “distributed computing,” which is a key technology of the ’825 patent, which describes managing the “distribution of security operations among member nodes of a CSF.” Ex. 1001, 7:2-4, 8:50-52; Ex. 2005, 15:4-6, 16:1-7. The CSF can be viewed as distributed computing because the execution of network security operations is distributed within the nodes of the CSF—each node doing one of the requisite security operations.
`
44. As I discuss below, in view of the context of the ’825 patent and the plain meaning of a “cooperative security fabric,” I believe that Petitioner’s broad interpretation of the Board’s construction is problematic and not supported by the evidence. A “fabric” is analogous to clothing, which is in fact where the term comes from—it refers to multiple, interwoven threads, or paths. However, Petitioner and Dr. Franz are interpreting it to include a single thread, which is contrary to the plain meaning of fabric and CSF. The ’825 patent is directed not just to any fabric, but a specific type of fabric called a “cooperative security fabric,” which, as the patent explains, specifically addresses challenges with coordinating security operations on incoming or outgoing traffic within “a larger network” with “many network security appliances.” Ex. 1001, 1:33-37, 5:38-40. In such a network, there is “a need for a cooperative security fabric (CSF) that may coordinate operations performed on network traffic to avoid or reduce redundant operations among members of the CSF.” Id., 1:64-67. Thus, I discuss below what the plain meaning of a CSF is based on the intrinsic and extrinsic evidence.

45. In my opinion, the plain meaning of a CSF is “a topology of network security appliances that cooperate to inspect incoming and outgoing traffic along multiple interconnected paths.” Petitioner and Dr. Franz’s interpretation, however, is overly broad, removes any meaning of the term within the claims, and is contrary to the very purpose of the ’825 patent’s cooperative processing.
`
A. Intrinsic Evidence

46. I begin with the intrinsic evidence, and specifically the specification of the ’825 patent. The specification supports my definition of a CSF.

47. The ’825 patent is directed to cooperative security within a “large network” with “many network security appliances … deployed at different locations within the network.” Ex. 1001, 1:33-37.
`
48. In their earlier days, computer networks were straightforward. For example, two computers could be connected directly to each other (called a point-to-point topology), multiple computers could have access to the same communication medium (called a bus topology), or they could be connected to each other in a ring (called a ring topology). In these topologies, there were clearly defined paths between individual computers. Over time, however, networks grew more complex as enterprises increased the number of offices, locations, departments, functions, etc., that needed to be connected to each other via a network.

49. By 2017, a “network fabric” was a term of art. As enterprise networks became larger and larger, a complex, interconnected topology known as a “fabric” was developed to handle the management of such networks. In particular, enterprise networks needed to support increasingly numerous subnetworks as a result of, for example, increases in the enterprise’s number of office locations, departments, enterprise functions, etc. Thus, a fabric of network devices (such as switches or access points for each subnetwork) was developed to manage network traffic between subnetworks, and to and from the Internet. In contrast to more traditional network topologies, such as point-to-point, bus, and ring topologies, a “fabric” topology consists of multiple paths to and from endpoints. The resultant cabling resembles interwoven threads in a piece of cloth—i.e., a “fabric.”
`
50. The ’825 patent sought to improve such fabrics, by using a specific type of fabric called a “cooperative security fabric.” The patent notes that within a network fabric, “[n]etwork traffic transmitted to/from the network may go through multiple network security appliances along a path within the network.” Ex. 1001, 1:33-37. In the prior art, the network security appliances “work[] independently,” which possibly leads to an appliance performing a “redundant” operation that has “already been done by a previous network security appliance at a previous hop.” Id., 1:46, 1:54-56. The ’825 patent therefore notes a “need for a cooperative security fabric (CSF) that may coordinate operations performed on network traffic,” i.e. traffic “transmitted to/from the network,” “to avoid or reduce redundant operations among members of the CSF.” Id., 1:64-67.

51. In a simple network, where network traffic traverses the same path of network appliances, no coordination is necessary, even if that path traverses multiple network security appliances. In such a simplistic topology, each network security appliance could be configured to always perform the same subset of security operations, thereby eliminating redundancy even without cooperation.
`
52. A network fabric, however, is more complex. There are many different paths of network appliances through which traffic can flow, and thus, cooperation is needed to avoid redundant operations. Figure 2 of the ’825 patent depicts a topology for a cooperative security fabric, which encapsulates this understanding of a fabric. I have provided below a modified version of Figure 2 where each leaf is further connected to one or more endpoints, such as the endpoints shown in Figure 1 (see Ex. 1001, 6:1-3), and further annotated it to show three different paths through the network.

[Figure: modified Figure 2 of the ’825 patent, annotated with three transmission paths (blue, green, red) through the network]
`
53. In this example, all three transmission paths traverse Root node 220, but diverge thereafter. In the blue and green transmission path, traffic goes through the same Root node 220 but then through different Branch nodes 230a and 230b, and different Leaf nodes 240a and 240d. In addition, the blue transmission path is shown as being “downstream,” i.e., from the Internet to an endpoint, whereas the green transmission path is shown as being “upstream,” i.e., from an endpoint to the Internet. See Ex. 1001, 5:32-38 (“[D]ownstream network traffic that is transmitted from the Internet 110 to a subnet 141 goes through three network security appliances, i.e. a root, a middle and a subnet network security appliance, while upstream network traffic that is transmitted from subnet 141 to the Internet 110 goes through a subnet, a middle and a root network security appliance.”).

54. The red transmission path also differs from the blue transmission path as it has “no branch nodes.” Id., 6:18-20. Finally, while not pictured, “Topology 200 may have multiple layers of branch nodes, i.e., multiple branch nodes exist between a root node and a leaf node” and nodes that act “as multiple roles in the topology 200,” such as “a network security appliance [that is] connect[ed] to another network security appliance as well as endpoint devices,” thereby acting as “a branch node and a leaf node in the same time.” Id., 6:21-27.
`
55. It is this complexity and existence of multiple possible paths through a network “fabric” that creates “a need for … coordinat[ing] operations performed on network traffic to avoid or reduce redundant operations” as traffic traverses any one of multiple potential paths through the network fabric. Ex. 1001, 1:64-67. For example, in the annotated version of Figure 2 above, traffic arriving at a leaf node may have traversed zero network security appliances (green upstream path), one network security appliance (red downstream path), or two network security appliances (blue downstream path). In this scenario, a mechanism is needed to dynamically determine what security operations have already been performed and what additional security operations still need to be performed. Thus, the ’825 patent describes that each “member node of the cooperative security fabric may add one or more flags ... to a network packet,” which is then “transmitted to another member node at the next hop.” Ex. 1001, 6:28-34. The member node that receives the packet “can be any node of the CSF.” Id., 6:50-51.
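The flag-based coordination described in paragraphs 33 and 55 can be made concrete with a small simulation of the three annotated paths. The following Python is an added illustration written for this page, not code from the ’825 patent, Fortinet or the declarant; the set of security operations, the per-role split of work, the flag layout and the extra leaf node on the red path are all assumptions of the example.

```python
"""Simulation of the flag-based coordination described for the CSF: each member
node records which security operations it has performed on a packet, and later
member nodes skip those. Node names follow the annotated Figure 2 discussed in
the text; the operation set, the per-role work split, the flag layout and the
"leaf_nobranch" node used for the red path are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Operations the fabric as a whole must apply to every packet (assumed set).
REQUIRED_OPS = ("antivirus", "ips", "web_filter")


@dataclass
class Packet:
    direction: str                    # "downstream" (Internet -> subnet) or "upstream"
    payload: str
    csf_flag: Optional[dict] = None   # None: no CSF member has handled this packet yet


@dataclass
class MemberNode:
    name: str
    role: str                         # "root", "branch" or "leaf"
    preferred_ops: Tuple[str, ...]    # the share of work this node takes (assumed split)
    performed: List[Tuple[str, str]] = field(default_factory=list)  # (payload, op)

    def is_egress(self, direction: str) -> bool:
        # Downstream traffic leaves the fabric at a leaf, upstream traffic at a root.
        return ((self.role == "leaf" and direction == "downstream")
                or (self.role == "root" and direction == "upstream"))

    def process(self, pkt: Packet) -> List[str]:
        """Perform the operations still owed on pkt, update its flag, return what ran."""
        if pkt.csf_flag is None:
            # No flag present: this node is the first CSF member on the path (a root
            # for downstream traffic, a leaf for upstream traffic) and creates the flag.
            pkt.csf_flag = {"from_member": None, "done": []}
        done = pkt.csf_flag["done"]
        todo = [op for op in self.preferred_ops if op not in done]
        if self.is_egress(pkt.direction):
            # Last member before the packet leaves the fabric: nothing may stay undone,
            # e.g. on a path with no branch node the leaf picks up the branch's share.
            todo += [op for op in REQUIRED_OPS if op not in done and op not in todo]
        for op in todo:
            self.performed.append((pkt.payload, op))
            done.append(op)
        pkt.csf_flag["from_member"] = self.name  # tells the next hop it came from a member
        return todo


def build_fabric() -> Dict[str, MemberNode]:
    """Nodes of the annotated Figure 2; 'leaf_nobranch' is an assumed leaf on the red path."""
    return {
        "root220": MemberNode("root220", "root", ("antivirus",)),
        "branch230a": MemberNode("branch230a", "branch", ("ips",)),
        "branch230b": MemberNode("branch230b", "branch", ("ips",)),
        "leaf240a": MemberNode("leaf240a", "leaf", ("web_filter",)),
        "leaf240d": MemberNode("leaf240d", "leaf", ("web_filter",)),
        "leaf_nobranch": MemberNode("leaf_nobranch", "leaf", ("web_filter",)),
    }


def send(fabric: Dict[str, MemberNode], path: List[str], pkt: Packet) -> Dict[str, List[str]]:
    """Forward pkt hop by hop along path; returns the operations each hop performed."""
    return {name: fabric[name].process(pkt) for name in path}


def run_three_paths() -> Tuple[Dict[str, MemberNode], Dict[str, Dict[str, List[str]]]]:
    """Blue: downstream via a branch; green: upstream via a branch; red: no branch."""
    fabric = build_fabric()
    results = {
        "blue": send(fabric, ["root220", "branch230a", "leaf240a"], Packet("downstream", "blue")),
        "green": send(fabric, ["leaf240d", "branch230b", "root220"], Packet("upstream", "green")),
        "red": send(fabric, ["root220", "leaf_nobranch"], Packet("downstream", "red")),
    }
    return fabric, results


def coverage(results: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Sorted list of every operation run along each path; a value longer than
    REQUIRED_OPS would mean a redundant operation, shorter would mean a gap."""
    return {path: sorted(op for ops in hops.values() for op in ops)
            for path, hops in results.items()}


if __name__ == "__main__":
    _, results = run_three_paths()
    for path, hops in results.items():
        print(path, hops)
    print(coverage(results))
```

On every path each required operation runs exactly once, and the node that receives a packet with no flag (the root for downstream, the leaf for upstream) is the one that creates it.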
`
56. Based on the above, the ’825 patent describes that a CSF inspects incoming and outgoing traffic along multiple interconnected paths.

57. There are a few additional points to make. I note that in its Institution Decision, the Board stated that the ’825 patent “describes methods of performing security operations on network traffic passing through a cooperative security fabric (CSF) of network security appliances that coordinate their security operations to avoid redundant security operations.” Paper 10 at 3. I agree with the Board’s description, because the CSF inspects traffic that passes through the network, i.e. traffic transmitted into or out of the network. I also note that Dr. Franz testified that he agrees with this description. Ex. 2005, 19:10-16; see also 26:4-7 (“[T]he CSF has the ... objective of coordinating security operations on the network traffic passing through them.”). Dr. Franz further confirmed that the ’825 patent does not provide any examples of “performing security operations on traffic between two subnets” of the same network. Id., 35:7-17.

58. Dr. Franz was also asked about the ’825 patent’s disclosure that “a subnet 151 and a subnet security appliance 150 [that] are connected to private network 120 through the Internet 110 via VPN” and thus “may be seen as a part of private network 110.” Ex. 1001, 4:65-5:2. He described this disclosure as “subnetworks being able to communicate with each other.” Ex. 2005, 74:14-23. However, the ’825 patent does not describe that such VPN traffic to other endpoints within the network is inspected by the CSF.

59. A POSITA would understand that a VPN is considered to be part of the same network it is connected to. Ex. 2005, 42:12-43:5 (“[O]ne of the purposes of VPN technology is that from the perspective of the two endpoints … they appear to be connected to the same virtual private network.”); Ex. 1001, 4:65-5:2 (“[A] subnet 151 and a subnet security appliance 150 [that] are connected to private network 120 through the Internet 110 via VPN … may be seen as a part of private network 110.”).

60. But the ’825 patent is concerned with and direct
