BEFORE THE PATENT TRIAL AND APPEAL BOARD
__________________________

NETSKOPE, INC.,
Petitioner,
v.
FORTINET, INC.,
Patent Owner.
__________________________

PTAB Case No. IPR2023-00459
Patent No. 10,084,825
__________________________

REBUTTAL DECLARATION OF MICHAEL FRANZ IN SUPPORT OF PETITIONER’S REPLY TO PATENT OWNER’S RESPONSE
__________________________

Netskope Exhibit 1019

Table of Contents

I. INTRODUCTION
II. MY EXPERTISE IN COMPUTER NETWORKING AND NETWORK SECURITY ENABLES ME TO DETERMINE THE PLAIN MEANING OF “CSF” IN THE ART
III. THE BOARD CORRECTLY CONSTRUED “FABRIC” AND CORRECTLY FOUND CHANDRA AND KEOHANE TEACH A “COOPERATIVE SECURITY FABRIC”
    A. I Agree with The Board’s Construction of “Fabric.”
    B. “CSF” Requires Devices That Form a Network Topology and Work Together to Coordinate Security Operations Among Them.
    C. Chandra Taught a “CSF” Under Its Correct Meaning.
    D. Keohane Taught a “CSF” Under Its Correct Meaning.
IV. THE PO’S CONSTRUCTION OF “CSF” IS UNSUPPORTED BUT NEVERTHELESS DISCLOSED BY CHANDRA AND KEOHANE
    A. The PO’s Construction Is Riddled with Hidden Limitations.
    B. The PO’s Construction Has No Support In the Intrinsic or Extrinsic Record.
        1. Intrinsic Evidence
        2. Extrinsic Evidence
    C. Chandra Taught A “CSF” Even Under the PO’s Incorrect Construction
    D. Keohane Taught A “CSF” Even Under the PO’s Incorrect Construction
V. PRIOR ART TAUGHT OR RENDERED OBVIOUS THE DEPENDENT CLAIMS
    A. Chandra Taught or Rendered Obvious “Local Network Policies” (Claims 2, 4, 15).
    B. Chandra and Keohane Rendered Obvious that Flags Were Carried In “a First Packet of a Session” (Claim 12).
    C. Keohane Taught or Rendered Obvious a “Next Network Appliance” (Claims 6, 17, 23, 28) and “Next Network Appliance Participating in a CSF” (Claims 7, 18, 24, 29).
    D. Keohane Taught or Rendered Obvious a First Network Security Appliance that Received Traffic “Not Transmitted from the Second Network Security Appliance” (Claim 4).
    E. Keohane Taught or Rendered Obvious a “Next Network Appliance” (Claims 6, 17, 23, 28) and “Next Network Appliance Participating in a CSF” (Claims 7, 18, 24, 29).
    F. A POSITA Would Be Motivated to Use Buruganahalli’s Updating of Tags with Keohane’s Signatures (Claims 6, 17, 23, 28).
    G. A POSITA Would Be Motivated to Remove Keohane’s Signatures.
VI. CONCLUSION

LIST OF APPENDICES

Appendix A: Curriculum Vitae of Michael Franz, Ph.D.
Appendix B: National Security Agency/Central Security Service Information Assurance Directorate - Mobile Access Capability Package (June 19, 2015)
Appendix C: National Security Agency/Central Security Service Information Assurance Directorate - Multi-site Connectivity Capability Package (May 4, 2016)
Appendix D: Litigation Summary of Michael Franz, Ph.D.

I. INTRODUCTION

1. I, Michael Franz, have been retained by Petitioner Netskope, Inc. (“Petitioner”) to investigate and opine on certain issues relating to United States Patent No. 10,084,825 (“the ’825 patent”). Petitioner requests that the Patent Trial and Appeal Board (“PTAB” or “Board”) review and cancel claims 1-7 and 10-31 of the ’825 patent.

2. Last year, I provided a declaration in support of Petitioner’s IPR Petition. My Opening Declaration (“Franz”) is Exhibit 1002 to the Petition and provides an explanation of my qualifications, a discussion of the technology relevant to the ’825 patent, and my opinions with respect to the ’825 patent.

3. I have prepared this Rebuttal Declaration to address arguments made in the Patent Owner Response (“POR”) and the accompanying Declaration of John Black in support of the Patent Owner Response (Ex. 2004, “Black Supp. Decl.”).

4. In addition to the materials referenced and cited in my Opening Declaration, I have now reviewed and considered the Board’s Institution Decision (“ID”), Patent Owner’s Preliminary Response (“POPR”) and its attached exhibits, Patent Owner’s Response and its attached exhibits, Dr. Black’s declaration in support of Patent Owner’s Preliminary Response, Dr. Black’s declaration in support of Patent Owner’s Response (“Black Decl.”), and the transcript of the deposition of Dr. Black (“Black. Depo. Tr.”).

II. MY EXPERTISE IN COMPUTER NETWORKING AND NETWORK SECURITY ENABLES ME TO DETERMINE THE PLAIN MEANING OF “CSF” IN THE ART

5. The Patent Owner (“PO”) and Dr. Black question my knowledge as a POSITA of a critical technology of the ’825 patent because I allegedly lack experience and familiarity with “distributed computing.” The PO and Dr. Black claim that “[c]oordinating operations among multiple network security appliances falls squarely in the field of distributed computing (POR, 11),” and that “[t]he CSF can be viewed as distributed computing because the execution of network security operations are distributed within the nodes of the CSF—each node doing one of the requisite security operations (Black Supp. Decl., ¶3).” These statements are misleading.

6. Distributed computing is a very wide field of study. While I cannot claim expertise in every aspect of distributed computing, my experience in and knowledge of it is sufficient for me to understand the computer networking and network security aspects of it, which are the focus of the ’825 patent’s invention.

7. In fact, a substantial proportion of my past research and publication history has focused on distributed computing. For example, between 2002 and 2005 I led a major multi-university research effort sponsored by the U.S. National Science Foundation entitled “Virtual Power for a Wireless Campus: Orchestrated Modeling, Analysis, Composition and Compilation Strategies for Distributed Embedded Systems” which pioneered techniques for distributed computing using wireless networking.

8. Even more important are my contributions to distributed systems security: I have published no fewer than 6 papers in the most prestigious academic conference on the topic, the Network and Distributed Systems Security Symposium (NDSS) organized by The Internet Society, and have served on its program committee responsible for selecting the papers presented. This annual conference receives several hundred submissions of full-length papers every year and after a rigorous selection process typically accepts between 15 and 17 percent of the submitted papers.

9. I have also been repeatedly invited to serve on the program committee (responsible for judging the submitted papers) of the top-tier IEEE International Conference on Distributed Computing Systems (ICDCS), and I accepted this invitation both for the 2016-2017 and 2017-2018 reviewing cycles. Hence, precisely around the time of the alleged invention, I was closely involved in judging the novelty of research in distributed computing systems submitted by some of the top academic and industrial researchers in the world.

10. Distributed computing as a general field of study is a very wide field but only the computer networking and network security aspects of distributed computing are the enabling technologies for the ’825 patent. In fact, as Dr. Black admits, his definition of a POSITA does not mention any requirement as to knowledge of or experience in distributed computing. (Black Supp. Decl., ¶3; Black. Depo. Tr. 75:10-18.) My expertise in computer networking and network security (see Franz, ¶6-21) makes me familiar with the concept of coordinating security operations among multiple network security appliances and enables me to determine the plain meaning of “CSF” in the art.

III. THE BOARD CORRECTLY CONSTRUED “FABRIC” AND CORRECTLY FOUND CHANDRA AND KEOHANE TEACH A “COOPERATIVE SECURITY FABRIC”

A. I Agree with The Board’s Construction of “Fabric.”

11. I agree with the Board that “fabric” in “cooperative security fabric (CSF)” is simply “a network topology such as the physical structure of a switch or network.” (ID, 9.) I agree with the Board that such construction “is consistent with an ordinary, customary meaning” of the term, such as the dictionary definition referring to “fabric” as “[a] descriptive term referring to the physical structure of a switch or network” supplied by the PO. (Id.) Dr. Black agrees that the term “fabric” can refer to the “physical structure of a [network] topology.” (Black Dep. Tran., 77:6-8.) That definition is consistent with the 10th Edition of the Dictionary of Computer and Internet Terms’ definition of “fabric” as simply “network interconnections.” (Ex. 1020, 185.) Therefore, the Board’s construction is consistent with the term’s ordinary and customary use. (Franz Dep. Tr., 7:8-23, 26:16-17.)

B. “CSF” Requires Devices That Form a Network Topology and Work Together to Coordinate Security Operations Among Them.

12. With the plain meaning of “fabric” in mind, by extension, a “cooperative security fabric” simply requires devices that form a network topology and work together to coordinate security operations among them.

13. I reviewed the ’825 patent’s claims and found the claim term “CSF” easily understandable from the ordinary usage of its individual words. As discussed above, “fabric” refers to a network topology. In 2016, Merriam-Webster defined “cooperative” as “marked by a willingness and ability to work with others (Ex. 1013),” and defined “security” as “measures taken to guard against espionage or sabotage, crime, attack, or escape (Ex. 1014).” Therefore, “cooperative” refers to working together—in this context, the network appliances—and “security” refers to security measures or operations against attacks. Putting these well-understood terms together, a POSITA would have understood the plain meaning of “CSF” as devices that form a network topology and work together to coordinate security operations among them. (See Franz Dep. Tr., 7:13-15.)

14. This plain meaning is further supported by other limitations in the claims. The claims describe a first network security appliance in a CSF that receives network traffic, determines whether the traffic is from a second network security appliance in the CSF, determines the security operations executed on the traffic by the second network security appliance in the CSF, and executes security operations based on the security actions already executed by the second network security appliance in the CSF. (See ’825 patent, cls. 1, 15, 21, 27.) Thus, the claims require a first network security appliance in a CSF cooperating with a second network security appliance in the CSF to coordinate security functions performed on network traffic received by the first network security appliance in the CSF.

15. This interpretation is also supported by the specification. The ’825 patent concerns “coordinating security operations among members of a cooperative security fabric.” (’825 patent, Abstract.) Because the security operations executed by multiple network security appliances on traffic traveling along a data path may be redundant, “there is a need for a cooperative security fabric (CSF) that may coordinate operations performed on network traffic to avoid or reduce redundant operations among members of the CSF.” (Id., 1:52-56, 64-67.) To do so, a first network security appliance in a CSF receives network traffic, determines whether the traffic is from a second network security appliance in the CSF, determines the security operations executed on the traffic by the second network security appliance in the CSF, and determines local security operations. (Id., 2:5-14.) In other words, a first network security appliance in a CSF cooperates with a second network security appliance in the CSF to coordinate security functions performed on network traffic received by the first network security appliance in the CSF.

C. Chandra Taught a “CSF” Under Its Correct Meaning.

16. As I discussed in my Opening Declaration, Chandra disclosed a “CSF.” (Franz, ¶69-70.)

17. As illustrated below, Chandra disclosed a “fabric” as it illustrated the topology of the network containing the two ends, laying out the physical structure including the network devices, customer edges, provider edges, and network link. As shown by the double arrow of network link 218 in Chandra’s Figure 2, network traffic traveled in both directions between transmitting end 202 and receiving end 204 through network link 218. “[T]ransmitting end 202 and receiving end 204 can be any identifiable part or region of network 102,” and any network device of network 102 “can act both as transmitting network device 206 and receiving network device 212.” (Chandra, ¶29, 56.)

18. Chandra’s fabric was a “cooperative security fabric” because members (e.g., receiving CE (214) and transmitting CE (208)) worked together to coordinate security operations among them. (Franz, ¶69-70.) I agree with the Board that “Chandra discloses that transmitting and receiving CEs” “participat[ed] in a CSF” “to coordinate actions.” (ID, 16.) I also agree with the Board that “transmitting and receiving CEs…authenticat[ed] themselves to one another as participants in a CSF, so receiving CE 214 can determine that network traffic was transmitted by transmitting CE 208 participating in the same CSF.” (Id.) “[CE] labels indicated to the receiving CE 214 that the network traffic was transmitted by transmitting CE 208 in the same CSF for distributed enforcement of rules to coordinate actions and reduce redundancy.” (Id.)

D. Keohane Taught a “CSF” Under Its Correct Meaning.

19. As I discussed in my Opening Declaration, Keohane disclosed a “CSF.” (Franz, ¶163-164.)

20. As illustrated below, Keohane disclosed a “fabric” as it illustrated the topology of the system network, laying out the physical structure including the security appliances, client, security database, and the interconnectivity among them.

21. Keohane’s fabric was a “cooperative security fabric” because members (e.g., firewall 300, mail gateway 302, client 304) worked together to coordinate security actions among them to avoid redundant actions. (Franz, ¶163-164.) I agree with the Board that “Keohane’s multilevel security system of network security appliances of firewall 300, mail gateway 302, and client 304 is configured to perform security actions as a CSF.” (ID, 30.) I also agree that “[s]ignatures are added to data packet 306 to indicate the packet is sent by a trusted [member] of the CSF [and] the action performed” so the CSF members could coordinate security actions among them. (Id., 31.) For example, “[w]hen client device 304 receives a data packet 306 with signatures from firewall 300 and mail gateway 302, it recognizes, based on the signatures, that the packet is from trusted devices in the CSF [and] only performs” security actions that were not performed by the upstream devices. (Id.)

IV. THE PO’S CONSTRUCTION OF “CSF” IS UNSUPPORTED BUT NEVERTHELESS DISCLOSED BY CHANDRA AND KEOHANE

A. The PO’s Construction Is Riddled with Hidden Limitations.

22. The PO’s construction contains several hidden limitations.

23. First, the PO and Dr. Black contend the “CSF” cannot inspect internal network traffic, i.e., traffic from one part of the network to another part of the network. (POR, 20; Black Depo. Tr., 33:11-15.)

24. Second, the PO and Dr. Black contend the “CSF” only processes traffic transmitted from the Internet into the network and traffic transmitted from the network to the Internet. (POR, 20; Black Depo. Tr., 70:10-13.)

25. Third, Dr. Black contends that a “CSF” requires three or more interconnected security appliances. (Black Depo. Tr., 19:2-7.) In addition, while in his construction “fabric” requires multiple data paths, he emphasized that these paths cannot all share a starting point and an endpoint. (Black Depo. Tr., 15:5-21; 21:16-22.)

26. Fourth, the PO and Dr. Black contend the “CSF” cannot be “a single thread.” (POR, 12.)

B. The PO’s Construction Has No Support In the Intrinsic or Extrinsic Record.

1. Intrinsic Evidence

a. Claims

27. As Dr. Black admits, the claims do not require the “CSF” to inspect only “incoming and outgoing traffic” or have “multiple interconnected paths.” (Black Depo. Tr., 35:11-14, 37:5-11.) As discussed above, the claims require only two appliances and traffic to go only from one appliance to the other. The claims do not require more than two CSF members or multiple data paths and do not suggest that the CSF only inspects traffic from or destined for the Internet.

b. Specification

28. The PO bases its assertions regarding the claimed invention on the specification’s background that does not describe or limit the invention. For example, while the PO asserts that “in a network fabric, where there are many different paths of network appliances for traffic to [sic] ‘[n]etwork traffic transmitted to/from the network may go through multiple network security appliances along a path within the network (POR, 15 (quoting ’825 patent, 1:33-37)),’” the background does not even mention a “network fabric” with “many different paths.” In fact, the quoted background specifically describes “multiple network security appliances along a path.”[1] Similarly, while the background only generally describes “a large network” with “network traffic transmitted to/from the network,” (’825 patent, 1:33-35), the PO unjustifiably reads processing “network traffic transmitted to/from the network” as part of the specification’s requirement of a “CSF” (POR, 15-16).

[1] All emphases are added by me unless specified.

29. The PO also tries to limit the claimed invention by the exemplary architecture and topology in Figs. 1 and 2. However, limiting the claimed “CSF” by the disclosures in nonlimiting exemplary embodiments flies in the face of the specification’s language. The specification makes clear that “[w]hile embodiments of the invention have been illustrated and described, it will be clear that the invention is not limited to these embodiments only.” (’825 patent, 10:49-51.)

30. The specification does not limit “CSF” to only inspecting Internet traffic and it does not exclude the inspection of internal network traffic. Neither does it limit “CSF” to a specific type of topology and structure with multiple paths. Instead, it teaches that a CSF “may coordinate operations performed on network traffic (’825 patent, 1:65-66)” without any modifier in front of “network traffic,” and that the composition of a CSF can be flexible.

31. One embodiment of the patent, illustrated below and described in detail in the Petition (see Petition 11-13), explicitly provides possibility for the CSF to process internal network traffic.

A POSITA would understand from this illustration that the communications received by the CSF from Internet 110 could include communications from subnet 151 connected to Internet 110. Subnet 151 is part of the planned “network architecture 100 (’825 patent at 4:58),” it is only normal for subnet 151 to communicate to the rest of the network architecture through the VPN. The PO agrees that because subnet 151 is connected to private network 120 through the Internet 110 via VPN and seen as part of private network 120, communication from subnet 151 to the CSF is internal network traffic. (POR, 19-20.) While the PO argues that such internal VPN traffic is not inspected by the CSF, the PO gives the circular reason that this is because such VPN traffic “is considered to be internal traffic.” (Id.) However, the ’825 patent does not say that VPN traffic is never processed by the CSF. The patent also does not say that the CSF never processes traffic from one subnet (such as 141a) to another (such as 141d). The patent simply does not limit the CSF to only processing network traffic to and from the Internet. In fact, it would make no sense to so limit the CSF. For example, a POSITA would understand that malware could be introduced into a corporate network not only from the Internet, but also by a user whose laptop was infected while traveling when that user reconnects the laptop to the corporate network, or by a USB drive being plugged into a stationary computer connected to the corporate network.

32. Other embodiments of the patent indicate that the composition of the “CSF” can be flexible. While Fig. 2 illustrates an exemplary topology 200 of a CSF, “[t]hose skilled in the art will appreciate that topology 200 may consist of other combinations of root, branch and leaf nodes.” (’825 patent, 6:14-16.) A member network security appliance of the CSF can be “a branch node and a leaf node in the same time.” (Id., 6:26-27.) For example, “[t]opology 200 may have paths with no branch nodes, such as the network path in which a leaf node 250 is connected to root node 220 directly.” (Id., 18-20.) Figure 2 of the ’825 patent is edited to illustrate direct connection of leaf node 250 to root node 220, as contemplated by the ’825 patent.

c. Provisional Application

33. The PO’s construction squarely contradicts the provisional patent application it filed.

34. First, the provisional application expressly states that a CSF can have only a single device. The provisional application describes that a network security device (NSD) “having no parent, may initially represent a CSF containing only one member” and “[] other NSDs…may join the CSF” later. (Ex. 2016, ¶26.) Thus, the provisional application contradicts the PO and Dr. Black’s requirement of three or more security appliances (Black Depo. Tr., 19:2-7) and “multiple interconnected paths.”

35. Second, the provisional application expressly recites that a CSF of two or three devices can be arranged in a line.

36. The provisional application teaches a CSF where “[t]unnel based communication module [] establishes tunnels between NSD [] and its parent, if any, and each of its children, if any.” “In general, when an upstream NSD queries a downstream NSD, the query is passed from…the upstream NSD…to…an intermediate NSD, if any, …and ultimately to the destination NSD.” Therefore, the CSF can have two NSDs with tunnel-based communication between them and no intermediate NSD. Such CSF does not require three or more security appliances or “multiple interconnected paths.”

37. The provisional application also recites a CSF “in a form of a tree, having a plurality of nodes, including a root node, one or more intermediate nodes and one or more leaf nodes.” (Id., cl. 1; see also, e.g., id., ¶ 18 (“each node of the CSF, except a root node of the CSF and leaf nodes of the CSF, has one parent node and one or more child nodes.”).) Therefore, in a CSF with one each of root node, intermediate node, and leaf node, a tunnel-based thread connects the root and intermediate node, and the intermediate and leaf node. This disclosure undermines the PO and Dr. Black’s argument that “CSF” cannot be one single thread (POR, 12).

2. Extrinsic Evidence

38. None of the explicit and hidden limitations required by the PO’s definition of “CSF” are disclosed in the intrinsic record. Notably, while the specification identifies various Fortinet “network appliances” (’825 patent, 4:16-42), it never even mentions Fortinet’s “cooperative security fabric” product. There is simply no indication that the plain and ordinary meaning of “CSF” as used in the ’825 patent is dictated by Fortinet’s documentation.

39. That aside, the term “cooperative security” was well-known in the art around the priority date of the ’825 patent. For example, searching for “cooperative security” in Google Patents returns over one hundred hits. Unrelated to Fortinet products, Ex. 1015 used “cooperative security” to describe cooperative behavior between network nodes for security risk avoidance in device-to-device communication[2], and Ex. 1016 used “cooperative security” to describe cooperative behavior between wireless nodes to detect an unsecure node[3]. Thus, the PO’s extrinsic evidence is far from the best guide to understand the term.

[2] L. Wang, Cooperative Security in D2D Communications, first online on September 1, 2017 at https://link.springer.com/chapter/10.1007/978-3-319-61863-0_5.
[3] U.S. Patent No. 10,334,442 titled “Cooperative Security in Wireless Sensor Networks”.

40. But even the PO’s public documents undermine its construction. For example, Ex. 2013 showed the possibility of inspecting internal network traffic as it disclosed “OSPF routing” between the FortiGate of the accounting network and the marketing network. This provides for the possibility for the CSF to handle internal traffic from the accounting network to the marketing network, and vice versa. (Ex. 2013, 1.)

41. Another Fortinet document, the FortiOS Administration Guide (Ex. 1017), showed a typical Fortinet “Security Fabric,” which disclosed a CSF with only two nodes (two FGVMs) connected via a single path:

(Ex. 1017, 117.) As one can see, there were no “multiple interconnected paths” in this CSF.

42. Neither does the PO’s other extrinsic evidence offer support for its construction.

43. If we adopted Ex. 2003’s definition of “fabric” as “consist[ing] of multiple, interwoven communications paths/channels…much like [] clothing (POR, 26-27) (emphasis in original)”, the ’825 patent’s own exemplary tree-shaped CSF topology in Fig. 2 would not fit this definition.

44. On the other hand, Ex. 2006, 2007 and 2010 all referred to the term “fabric” in fields that were not directly related to the ’825 patent’s subject matter and did not lend insight into the claim term “CSF” as claimed.

45. Ex. 2006 identified a “switched fabric topology” that “works in a similar fashion to a switched telephone network.” (POR, 27.) However, Dr. Black was clear in his deposition testimony that a “switching fabric” is not a “fabric topology.” “It’s a separate kind of fabric that has nothing to do with network topologies”. (Black Depo. Tr., 57)

46. Ex. 2007 identified a “data center fabric” that was replacing the term “data center network.” Ex. 2007 explained the difference between the “data center fabric” and a traditional tree switch topology. The “data center fabric” referred to a specific kind of physical structure in a different context that is not directly related to the cooperative security fabric described in the ’825 patent.

47. Dr. Lee, an expert unaffiliated with the current IPR, testified as to his understanding of a specific type of “fabric” in the context of U.S. Patent No. 8,000,329, a patent unrelated to the ’825 patent. The ’329 patent is about integrating multiple network functions and does not recite a “CSF” or any similar term. Instead, the ’329 patent refers to a specific type of fabric that is a communication hub. (’329 patent, 7:31-33 (“Fabric 208 is illustrated as a single block and serves a communication hub for all elements comprising in platform 106.”).)

C. Chandra Taught A “CSF” Even Under the PO’s Incorrect Construction

48. The PO acknowledges that Chandra disclosed receiving and inspecting traffic from the Internet. As the Response points out, “when receiving CE 214 receives a data packet from the Internet, it performs actions corresponding to rules regarding such data packets.” (POR, 36 (quoting Chandra ¶53).) “[R]eceiving end can identify a data packet from the Internet as insecure, and perform rigorous actions on it (id., 36-37 (quoting Chandra ¶77)).” (See also Franz, ¶96.)

49. While the PO contends that this disclosure does not meet its construction (id., 37), the claims say otherwise. Claim 1 recites a first network security appliance and a second network security appliance in the same CSF coordinating security operations between them. (’825 patent, cl. 1.) Dependent claim 4 then recites a situation in which the first network security appliance receives network traffic not from the second network security appliance and proceeds to execute one or more local network security operations on the traffic. (Id., cl. 4.) In that situation, the first and second network security appliances are still in the same CSF even when only one device inspects traffic. Chandra disclosed this exact configuration.

D. Keohane Taught A “CSF” Even Under the PO’s Incorrect Construction

50. The PO contends that Keohane’s CSF lacked “a series of interconnected paths.” (POR, 50.) Dr. Black admitted his interpretation of “interconnected paths” means a “CSF” can have three appliances in a line if there are multiple paths for data to travel. For example, if network security appliances A, B, and C are arranged linearly, such topology satisfies the PO’s “multiple interconnected paths” requirement if network traffic can be received by either A or B before being passed down. (Black. Depo. Tr. 66:4-12.)

51. This is exactly what Keohane disclosed. Below, for example, Keohane disclosed three network security appliances (firewall 300, mail gateway 302, client 304) arranged linearly.

Firewall 300 could receive network traffic and transmit it down a data path. Separately, mail gateway 302 could also receive network traffic and transmit it down a data path. As Keohane disclosed, mail gateway 302 examined the data packet “to determine whether a signature from a trusted security element is present” in the data packet. (Keohane ¶35.) “[A] trusted security element is a network element, such as a firewall, mail gateway, router, or some other security intermediary that performs a security action on a data packet.” (Id.) This implies that traffic to mail gateway 302 could come from somewhere other than firewall 300. (Franz, ¶195.) Therefore, network traffic could enter at either firewall 300 or mail gateway 302 and be passed down a data path. According to Dr. Black’s definition, Keohane’s system had “multiple interconnected paths.”

52. While ack
