Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 1 of 47 PageID #: 3594
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE EASTERN DISTRICT OF TEXAS
`MARSHALL DIVISION
`
`IN RE: TAASERA LICENSING LLC,
`PATENT LITIGATION
`
`THIS DOCUMENT RELATES TO ALL
`ACTIONS
`
`§
`§
`§
`§
`§
`§
`§
`§
`
`Case No. 2:22-md-03042-JRG
`
`JURY TRIAL DEMANDED
`
`TAASERA LICENSING LLC’S
`OPENING CLAIM CONSTRUCTION BRIEF
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 1
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 2 of 47 PageID #: 3595
`
`
`I.
`
`II.
`
`TABLE OF CONTENTS
`
`Page(s)
`
`INTRODUCTION .............................................................................................................. 1
`
`CLAIM CONSTRUCTION STANDARD OF REVIEW .................................................. 1
`
`A.
`
`B.
`
`GOVERNING LAW ............................................................................................... 1
`
`LEVEL OF ORDINARY SKILL IN THE ART .................................................... 2
`
`III.
`
`DISPUTED CLAIM TERMS ............................................................................................. 2
`
`1.
`
`2.
`
`3.
`
`4.
`
`
`
`5.
`
`6.
`
`
`
`7.
`
`8.
`
`“regularly identifiable expression” / “regular expression” (Claim
`1, ’796 Patent) ............................................................................................. 2
`
`“if the new program is validated, permitting the new program to
`continue loading and to execute in connection with the computing
`device” (Claims 6, 13, 14, and 24, ’137 Patent) ......................................... 4
`
`“an execution module coupled to the detection module and
`operable for monitoring, at the operating system kernel of the
`computing device, the program in response to the trigger
`intercepted by the detection module” (Claim 1, ’137 Patent) ..................... 5
`
`“network administration traffic” (Claims 1, 2, 9, 10, 13, 14, 17, and
`18, ’356 Patent) ........................................................................................... 7
`
`“[third/fourth] program instructions to determine if the packet is
`network administration traffic” (Claims 1, 9, 10, 13, and 17, ’356
`Patent) ......................................................................................................... 7
`
`“attestation” (Claims 1, 2, 3, 5, and 7, ’441 Patent; Claim 1, ’616
`Patent) ....................................................................................................... 11
`
`“runtime” (Claim 1, ’616 Patent) .............................................................. 13
`
`“at runtime” (Claim 1, ’616 Patent) .......................................................... 13
`
`“a computing platform comprising a network trust agent” (Claim
`1, ’616 Patent) ........................................................................................... 14
`
`“at runtime receiving … a runtime execution context indicating
`attributes of the application at runtime, wherein the attributes
`comprise one or more executable file binaries of the application
`and loaded components of the application” (Claims 1 and 4, ’441
`Patent) ....................................................................................................... 16
`
`i
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 2
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 3 of 47 PageID #: 3596
`
`9.
`
`10.
`
`11.
`
`12.
`
`13.
`
`14.
`
`
`
`15.
`
`16.
`
`17.
`
`18.
`
`“a security context providing security information about the
`application” (Claims 1, 4, and 5, ’441 Patent) .......................................... 18
`
`“an application artifact” (Claim 2, ’441 Patent) ....................................... 20
`
`“introspective security context” (Claims 4 and 5, ’441 Patent) ................ 21
`
`“the application of the restriction of the user's transaction” (Claim
`11, ’441 Patent) ......................................................................................... 22
`
`“return URL” (Claims 1, 3, 4, 6, 7, 9, 10, 12, 13, 15, 16, and 19,
`’419 Patent; Claims 1, 3, 4, 5, 6, and 8, ’634 Patent; Claims 1, 2,
`3, 4, 5, 6, 8, 9, and 10, ’251 Patent; and Claims 1, 5, 6, 10, 11, 12,
`16, 17, and 18, ’453 Patent) ...................................................................... 24
`
`“evaluating[, by the computer,] the URL to determine whether
`encryption of [none, part, or all of ]the URL is required” (Claims
`1, 4, 10, 13, and 17, ’419 Patent; Claims 1 and 4, ’634 Patent)................ 25
`
`“determining, by the computer, whether encryption is required for
`none, part, or all of a return URL” / “determining[, by the
`computer,] [whether/that] encryption of [a/the] return URL [of the
`requested resource] is required” / “determining by the computer,
`[whether/that] encryption of the contained URL [is/is not]
`required” / “determine that encryption of the URL is not required”
`(Claims 1, 4, 13, and 19, ’419 Patent; Claims 1 and 4, ’634 Patent;
`Claims 1, 2, 3, 4, 5, 6, 8, 9, and 10, ’251 Patent; Claims 1, 4, 6, 7,
`8, 9, 10, 11, 12, 13, 14, 15, 16, 17, and 18, ’453 Patent) .......................... 25
`
`“determining whether encryption of none, part, or all of a return
`URL of the requested resource that is to be returned to a location
`of the resource request” (Claim 10, ’419 Patent) ...................................... 27
`
`“determining[, by the computer,] whether the URL of the
`requested resource is required” (Claims 2 and 11, ’419 Patent;
`Claim 2, ’634 Patent) ................................................................................ 29
`
`“compliance state of the endpoint” (Claims 1, 12, and 23, ’038
`Patent; Claims 1, 11, and 21, ’997 Patent; Claims 1, 9, and 17, ’918
`Patent) ....................................................................................................... 30
`
`“compliance polic[y/ies]” (Claims 1, 12, and 23, ’038 Patent;
`Claims 1, 11, and 21, ’997 Patent; Claims 1, 9, and 17, ’918 Patent)
`................................................................................................................... 30
`
`
`
`
`
`ii
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 3
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 4 of 47 PageID #: 3597
`
`19.
`
`“real-time” / “real time” (Claims 1 and 2, ’948 Patent) ............................ 31
`
`
`
`20.
`
`21.
`
`22.
`
`23.
`
`24.
`
`25.
`
`26.
`
`27.
`
`“substantially real time”/ “substantially real-time data” (Claims 1,
`10, and 17, ’518 Patent) ............................................................................ 31
`
`“which includes a network analyzer, an integrity processor, an
`event correlation matrix, a risk correlation matrix, and a trust
`supervisor” (Claim 1, ’948 Patent) ........................................................... 35
`
`“operational integrity of the application” (Claim 1, ’948 Patent) ............. 35
`
`“an event correlation matrix” (Claim 1, ’948 Patent) ............................... 36
`
`“a risk correlation matrix” (Claim 1, ’948 Patent) .................................... 37
`
`“correlating, by the event and risk correlation matrix” (Claim 1,
`’948 Patent) ............................................................................................... 38
`
`“the event and behavior correlation engine” (Claim 3, ’948 Patent)
`................................................................................................................... 38
`
`“formatting the status information”/ “the … data is formatted”
`(Claims 1, 10, and 17, ’518 Patent) .......................................................... 38
`
`“initiating… at least one action” / “initiate an action” (Claims 1,
`10, and 17, ’518 Patent) ............................................................................ 39
`
`IV.
`
`CONCLUSION ................................................................................................................. 39
`
`
`
`iii
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 4
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 5 of 47 PageID #: 3598
`
`TABLE OF AUTHORITIES
`
`
`
`Page(s)
`
`Cases
`CAE Screenplates Inc., v. Heinrich Fiedler GmbH & Co. KG,
`224 F.3d 1308 (Fed. Cir. 2000)................................................................................................26
`
`Exxon Chem. Pats., Inc. v. Lubrizol Corp.,
`64 F.3d 1553 (Fed. Cir. 1995)..................................................................................................12
`
`Goldenberg v. Cytogen, Inc.,
`373 F.3d 1158 (Fed. Cir. 2004)..................................................................................................3
`
`Grp. One, Ltd. v. Hallmark Cards, Inc.,
`407 F.3d 1297 (Fed. Cir. 2005)..................................................................................................1
`
`Interval Licensing LLC v. AOL, Inc.,
`766 F.3d 1364 (Fed. Cir. 2014)................................................................................................35
`
`Invitrogen Corp. v. Biocrest Mfg., L.P.,
`424 F.3d 1374 (Fed. Cir. 2005)................................................................................................34
`
`Irdeto Access, Inc. v. Echostar Satellite Corp.,
`383 F. 3d 1295 (Fed. Cir. 2004).................................................................................................2
`
`Jawbone Innovations, LLC v. Samsung Elecs. Co., Ltd. et al.,
`No. 2:21-CV-00186-JRG-RSP, Dkt. 119 (E.D. Tex., Aug. 16, 2022) ......................................1
`
`Kinik Co. v. Int’l Trade Comm’n,
`362 F.3d 1359 (Fed. Cir. 2004)................................................................................................26
`
`Novo Indus., L.P. v. Micro Molds Corp.,
`350 F.3d 1348 (Fed. Cir. 2003)............................................................................................1, 22
`
`Omega Eng’g, Inc, v. Raytek Corp.,
`334 F.3d 1314 (Fed. Cir. 2003)................................................................................................18
`
`Phillips v. AWH Corp.,
`415 F.3d 1303 (Fed. Cir. 2005)............................................................................................9, 19
`
`Shire Dev., LLC v. Watson Pharms., Inc.,
`787 F.3d 1359 (Fed. Cir. 2015)................................................................................................18
`
`UltimatePointer, L.L.C. v. Nintendo Co.,
`816 F.3d 816 (Fed. Cir. 2016)..................................................................................................12
`
`iv
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 5
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 6 of 47 PageID #: 3599
`
`Ultimax Cement Mfg. Corp. v. CTS Cement Mfg. Corp.,
`587 F.3d 1339 (Fed. Cir. 2009)..................................................................................................2
`
`Ultravision Techs., LLC v. Holophane Eur. Ltd.,
`No. 2:19-cv-00291-JRG-RSP, 2020 WL 6271231 (E.D. Tex. Oct. 26, 2020) ......34, 36, 37, 38
`
`
`
`v
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 6
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 7 of 47 PageID #: 3600
`
`I.
`
`INTRODUCTION
`
`Pursuant to P.R. 4-5(a) and the Court’s Sixth Amended Docket Control Order of June 27,
`
`2023 (Dkt. 239), Plaintiff Taasera Licensing LLC (“Taasera” or “Plaintiff”) hereby submits its
`
`Opening Claim Construction Brief. The asserted patents are U.S. Patent Nos. 6,842,796 (“the ’796
`
`Patent,” Ex. A); 7,673,137 (“the ’137 Patent,” Ex. B); 8,127,356 (“the ’356 Patent,” Ex. C);
`
`8,327,441 (“the ’441 Patent,” Ex. D); 8,819,419 (“the ’419 Patent,” Ex. E); 8,850,517 (“the ’517
`
`Patent,” Ex. F); 8,955,038 (“the ’038 Patent,” Ex. G); 8,990,948 (“the ’948 Patent,” Ex. H);
`
`9,071,518 (“the ’518 Patent,” Ex. I); 9,092,616 (“the ’616 Patent,” Ex. J); 9,118,634 (“the ’634
`
`Patent,” Ex. K); 9,608,997 (“the ’997 Patent,” Ex. L); 9,628,453 (“the ’453 Patent,” Ex. M);
`
`9,860,251 (“the ’251 Patent,” Ex. N); and 9,923,918 (“the ’918 Patent,” Ex. O) (together, the
`
`“Asserted Patents”). This brief is supported by the Expert Declaration of Dr. Eric Cole Regarding
`
`Claim Construction (Ex. P).
`
`II.
`
`CLAIM CONSTRUCTION STANDARD OF REVIEW
`
`A.
`
`GOVERNING LAW
`
`The governing legal standards relating to claim construction are described in the Court’s
`
`opinion in Jawbone Innovations, LLC v. Samsung Elecs. Co., Ltd. et al., No. 2:21-CV-00186-JRG-
`
`RSP, Dkt. 119, at 1–3 (E.D. Tex., Aug. 16, 2022), and are incorporated herein by reference.
`
`“[The Federal Circuit] ha[s] assumed that courts can continue to correct obvious minor
`
`typographical and clerical errors in patents. . .A district court can correct a patent only if (1) the
`
`correction is not subject to reasonable debate based on consideration of the claim language and the
`
`specification and (2) the prosecution history does not suggest a different interpretation of the
`
`claims.” Novo Indus., L.P. v. Micro Molds Corp., 350 F.3d 1348, 1357 (Fed. Cir. 2003). The error
`
`must be “evident from the face of the patent,” Grp. One, Ltd. v. Hallmark Cards, Inc., 407 F.3d
`
`1297, 1303 (Fed. Cir. 2005), and the determination “must be made from the point of view of one
`
`
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 7
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 8 of 47 PageID #: 3601
`
`skilled in the art,” Ultimax Cement Mfg. Corp. v. CTS Cement Mfg. Corp., 587 F.3d 1339, 1353
`
`(Fed. Cir. 2009).
`
`B.
`
`LEVEL OF ORDINARY SKILL IN THE ART
`
`The “Field of the Invention” is described generally as related to the field of map-based
`
`applications executed on smartphone devices and communication among operators of the map-
`
`based applications. The detailed descriptions of the inventions and the claims of the Asserted
`
`Patents draw on a combination of skills from the computer science and engineering arts. Taasera
`
`submits that a person of ordinary skill in the art (“POSITA”) would have a bachelor’s degree in
`
`computer science or computer engineering with one to two years of experience in the field of
`
`computer programming for communications systems, or the equivalent education and work
`
`experience. Ex. P, Cole Decl., ¶¶ 43-45. Extensive experience and technical training might
`
`substitute for educational requirements, while advanced degrees might substitute for experience.
`
`Id.
`
`III. DISPUTED CLAIM TERMS
`
`1.
`
`“regularly identifiable expression” / “regular expression” (Claim 1,
`’796 Patent)
`
`Taasera’s Proposed Construction
`“matchable pattern”
`
`Defendants’ Proposed Construction
`Plain and ordinary meaning of “regular
`expression.”
`
`
`
`
`The parties disagree to the extent over which the term “regular expression” would be
`
`known to a POSITA. Taasera maintains that, because “regularly identifiable expression” or
`
`“regular expression” has no plain or established meaning to one of ordinary skill in the art, and
`
`Defendants presented no intrinsic evidence or extrinsic evidence to the contrary, a construction is
`
`required as broadly as provided for by the patent. Irdeto Access, Inc. v. Echostar Satellite Corp.,
`
`383 F. 3d 1295, 1300 (Fed. Cir. 2004) (“where a disputed term lacks an accepted meaning in the
`
`2
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 8
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 9 of 47 PageID #: 3602
`
`art …, we construe a claim term only as broadly as provided for by the patent itself. The duty thus
`
`falls on the patent applicant to provide a precise definition for the disputed term.”); Goldenberg v.
`
`Cytogen, Inc., 373 F.3d 1158, 1164 (Fed. Cir. 2004) (as claim term “has no accepted meaning to
`
`one of ordinary skill in the art, … we construe it only as broadly as is provided for by the patent
`
`itself”).
`
`These phrases are terms of art in the software field, and the jury would benefit from
`
`Taasera’s construction in order to understand the term. The ’796 Patent’s independent claims
`
`explicitly describe that regularly identifiable expressions “represent a pattern that is matchable.”
`
`The specification of the ’796 Patent is just as explicit. Ex. A, 3:22-26 (“the term ‘regular
`
`expression’ is taken to mean any form of pattern that is matchable.”).
`
`In one embodiment, “stereotypical phrases that people commonly use to convey particular
`
`information” are referred to as regular expressions. Id. at 2:1-15. “[F]or example, in a phone call,
`
`the caller is likely to identify himself in one of just a few ways, e.g., ‘Hi <recipient-name>, it’s
`
`<caller-name>’ (e.g., ‘Hi John, it’s Bob’) or ‘-recipient-name>, <caller-name> here’ (e.g., ‘John,
`
`Bob here’). Or in a cover letter, a job applicant is likely to express his interest with a phrase like
`
`‘I am looking for a job in <field>’ (e.g., ‘I am looking for a job in electrical engineering’).” Id.
`
`In other particular embodiments, a regular expression may be a trigger prefix or trigger
`
`suffix. Id. at 3:41-50 (“A trigger prefix is a characteristic phrase that typically precedes a piece of
`
`information, for example, in a voice mail message, ‘give me a call back at’ is a trigger phrase that
`
`precedes a phone number. A trigger suffix is a phrase that typically follows a key piece of
`
`information, even when a trigger prefix is not present. For example, the phrase ‘talk to you later
`
`bye’ is often a post-facto signal that a phone number has been provided, when the words
`
`immediately preceding the phrase are a sequence of numbers.”).
`
`3
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 9
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 10 of 47 PageID #: 3603
`
`Defendants provide no intrinsic or extrinsic evidence indicating that a POSITA would
`
`include the disclosed exemplary embodiments of stereotypical phrases, trigger prefixes, and trigger
`
`suffixes, among other matchable patterns from the plain and ordinary meaning of the term. Thus
`
`Plaintiff’s construction is warranted.
`
`2.
`
`“if the new program is validated, permitting the new program to continue
`loading and to execute in connection with the computing device” (Claims 6, 13,
`14, and 24, ’137 Patent)
`
`Taasera’s Proposed Construction
`Plain and ordinary meaning.
`
`
`Defendants’ Proposed Construction
`If the new program is [validated, claims 6, 13]
`/ [the same as the allowed program, claims 14,
`24], then it is not monitored while it [loads
`and executes in connection with the
`computing device, claims 6, 13] / [executes on
`the computing device, claims 14 and 24)]
`
`
`Most of Defendants’ proposed construction is duplicative of the claim language itself. For
`
`example, Claims 6 and 13 recite “if the new program is validated, permitting the new program to
`
`continue loading and to execute in connection with the computing device” while Defendants’
`
`proposed construction for this claim limitation is: “if the new program is validated, then it is not
`
`monitored while it loads and executes in connection with the computing device.”
`
`Claims 14 and 24 recite “if the new program is the same as the allowed program, permitting
`
`the new program to execute on the computing device” while Defendants’ proposed construction
`
`for this claim limitation is: “if the new program is the same as the allowed program, then it is not
`
`monitored while it executes on the computing device.”
`
`In both Defendants’ proposed constructions, the only change to the claim language that
`
`Defendants propose is “then it is not monitored…,” which is not the same as the claim language,
`
`“permitting the new program to [continue]…” and contradicts the claim language in view of the
`
`specification. The specification is explicit that a program may still be monitored (either minimally
`
`4
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 10
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 11 of 47 PageID #: 3604
`
`or not at all), as it continues loading and executes:
`
`Once a program is validated in the pre-execution phase, little or
`no additional security monitoring needs to be performed on the
`new program while it is executing. If the new program is not
`validated, the program can continue to load and execute, but other
`execution security modules are
`responsible
`for detecting,
`monitoring, and responding to suspicious activities. For example,
`the execution security modules can control access to certain files or
`registry settings, or limit network access. The execution security
`modules can also consider whether a new program was previously
`permitted to execute on the computing device.
`
`
`Ex. B, 3:49-62. The claim language is clear on its face and no construction is necessary. Thus,
`
`the plain and ordinary meaning is the proper construction of this term.
`
`3.
`
` “an execution module coupled to the detection module and operable
`for monitoring, at the operating system kernel of the computing
`device, the program in response to the trigger intercepted by the
`detection module” (Claim 1, ’137 Patent)
`
`Taasera’s Proposed Construction
`Subject to 112 ¶ 6.
`
`Structure: Software algorithm that performs
`the steps of FIG. 6.
`
`Function: monitoring, at the operating system
`kernel of the computing device, the program
`in response to the trigger intercepted by the
`detection module.
`
`Defendants’ Proposed Construction
`Means plus function.
`
`Algorithm: Indefinite.
`
`Function: monitoring, at the operating system
`kernel of the computing device, the program
`in response to the trigger intercepted by the
`detection module.
`
`Alternatively: If the program was not
`validated, then monitor the non-validated
`program in response to triggers while the
`program is executing.
`
`
`The parties agree that the term is subject to § 112 ¶ 6. The parties also agree that the
`
`function that should be accorded to this term is “monitoring, at the operating system kernel of the
`
`computing device, the program in response to the trigger intercepted by the detection module.”
`
`Ex. P, Cole Decl. at ¶¶ 47-48. The parties dispute the structure that should be accorded to this term.
`
`Id. at ¶ 49.
`
`5
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 11
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 12 of 47 PageID #: 3605
`
`A POSITA would understand that Figure 6 and its supporting text are clearly linked to the
`
`“execution module,” and that the steps of this algorithm should be construed to be the
`
`corresponding structure. Id. at ¶ 50. The execution module monitors the program while it is
`
`executing, in contrast to the pre-execution module, which monitors the program before it is
`
`installed or executed. Id. (citing Ex. B, 3:20-4:18); see also Claim 1 (“an execution module coupled
`
`to the detection module and operable for monitoring.”)
`
`Figure 6, according to the patent, discloses “a logic flow diagram illustrating a non-
`
`validated execution process using the protector system in accordance with an exemplary
`
`embodiment of the present invention. Id. at ¶ 51 (citing Ex. B, at 4:40-42). The algorithm in Figure
`
`6 occurs “after the pre-execution process and concern[s] executable files that the binary execution
`
`monitor 125 could not validate in the pre-execution phase. Referring to FIG. 6, an exemplary
`
`process 600 is illustrated for executing an executable file that has not been validated.” Id. (citing
`
`Ex. B, 9:38-43).
`
`Fig. 6, shown here, discloses the steps performed by the
`
`“execution module” when a non-validated program is running. Id.
`
`at ¶ 52 (citing Ex. B, Fig. 6).
`
`A POSITA reading the specification would understand that
`
`the execution module refers to the non-validated execution
`
`process of Fig. 6, which is implemented through the structure of a
`
`software algorithm because one of the explicit benefits of the
`
`claimed invention is performing a validation step during the pre-
`
`execution process (i.e., not the execution process) to minimize
`
`unnecessary monitoring and false positives of security alarms
`
`6
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 12
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 13 of 47 PageID #: 3606
`
`during program execution. Id. at ¶ 53 (citing Ex. B, 10:49-61 (“The pre-execution process provides
`
`an efficient method for determining whether an uncorrupted program is allowed to execute. By
`
`validating certain programs during the pre-execution process, the protector system minimizes the
`
`amount of work that must be done in monitoring and controlling programs during the execution
`
`phase. The validation step also reduces the number of false positive alarms, thereby reducing
`
`security interruptions for the user.”)).
`
`4.
`
`“network administration traffic” (Claims 1, 2, 9, 10, 13, 14, 17, and 18, ’356
`Patent)
`“[third/fourth] program instructions to determine if the packet is network
`administration traffic” (Claims 1, 9, 10, 13, and 17, ’356 Patent)
`
`Term
`
`Taasera’s Proposed
`Construction
`
`“network administration
`traffic”
`
`Plain and ordinary meaning.
`
`Defendants’ Proposed
`Construction
`Indefinite.
`
`“[third/fourth] program
`instructions to determine
`if the packet is network
`administration traffic”
`
`Subject to 112 ¶ 6.
`
`Structure: Software algorithm that
`performs the steps of FIG. 7.
`
`Function: determine if the packet
`is network administration traffic.
`
`Subject to 112(6).
`
`Structure: indefinite.
`
`Function: determine if the packet
`is network administration traffic.
`
`
`Plaintiff and Defendants agree that “[third/fourth] program instructions to determine if the
`
`packet is network administration traffic” is subject to § 112 ¶ 6 and agree that the function that
`
`should be accorded to this term is “determine if the packet is network administration traffic.”
`
`Plaintiff contends that “[third/fourth] program instructions to determine if the packet is
`
`network administration traffic” should be construed to have the following structure: “Software
`
`algorithm that performs the steps of FIG. 7.” Defendants’ expert, Dr. Black, citing to this patent’s
`
`prosecution history in his declaration (Ex. Q, Black Decl.), also acknowledges that “the Applicant
`
`and Board both agreed during prosecution that this claim referred to ‘algorithmic functions.’” Ex.
`
`7
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 13
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 14 of 47 PageID #: 3607
`
`Q, ¶ 46. However, Defendants incorrectly contend that the term lacks sufficient structure for two
`
`reasons: (1) Figure 7 “does not disclose an algorithm adequate to perform the entire recited claim
`
`function”; and (2) the term “network administration traffic” is allegedly indefinite. Id. at ¶ 47.
`
`a.
`
`Fig. 7 Adequately Discloses the Claimed Algorithm
`
`The specification of the ’356 Patent clearly and unambiguously links Fig. 7 to the
`
`determination of whether the packet is network administration traffic and, therefore, is the
`
`algorithmic structure that should be accorded to this term:
`
`FIG. 7 is a flow chart illustrating a program function within the
`honeypot packet filtering program of FIG. 2 which determines if the
`current packet is harmless network administration traffic.
`
`Ex. C, 4:1-4; Ex. P, ¶ 66.
`
`
`FIG. 7 illustrates in more detail decision 110 of FIG. 2 (i.e.
`determining if the current packet is network administration traffic
`presumed to be harmless)…If there is a match (decision 502, yes
`branch), then the current packet is deemed harmless network
`administration traffic…
`
`Ex. C, 8:21-37; Ex. P, ¶ 66.
`
`A POSITA would have understood this algorithm to adequately perform the multi-step
`
`determination of whether the packet is network administration traffic. For example, the
`
`specification clearly teaches the POSITA that the first step is to determine the IP protocol and IP
`
`address of the packet by parsing the header. Ex. P, ¶ 67 (citing Ex. C, 8:31-37). Then, the second
`
`step is to compare that information to a list. Id. Third, if there is a match between the header info
`
`and the list, the packet is deemed to be network administration traffic that is presumed to be
`
`harmless. Id.
`
`Defendants’ expert creates a false dichotomy regarding whether Fig. 7 is an algorithm for
`
`determining network administrators versus network administration traffic. Ex. Q, ¶ 49. The two
`
`are inextricably linked since network administration traffic is traffic generated by harmless
`
`8
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 14
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 15 of 47 PageID #: 3608
`
`network administration activities (i.e., traffic from network administrators). Defendants’ expert’s
`
`argument that Fig. 7 and its related text “would not identify SSH or VNC traffic, because SSH and
`
`VNC of traffic can be delivered over multiple IP protocols (such as TCP or UDP) and from
`
`multiple IP addresses” is also inapposite. Id. The main benefit of this claim limitation is efficient
`
`resource allocation by not unnecessarily analyzing traffic (including unnecessarily determining
`
`whether network administration traffic is specifically SSH or VNC) from bona fide network
`
`administrators with known IP protocols and IP addresses. Ex. P, ¶ 59 (citing Ex. C, 2:38-3:5 (“the
`
`shear [sic] number of packets received by [such a] honeypot delays the detection of new computer
`
`attacks, viruses, computer worms and exploitation code.”)).
`
`b.
`
`“Network Administration Traffic” is Not Indefinite
`
`As a preliminary matter, Plaintiff has changed its proposed construction of “network
`
`administration traffic” to its plain and ordinary meaning because the term comprises commonly
`
`understood words with widely accepted meanings. Phillips v. AWH Corp., 415 F.3d 1303, 1314
`
`(Fed. Cir. 2005) (“[T]he ordinary meaning of claim language as understood by a person of skill in
`
`the art may be readily apparent even to lay judges, and claim construction in such cases involves
`
`little more than the application of the widely accepted meaning of commonly understood words.”).
`
`The specification provides a non-limiting list of examples of traffic generated by network
`
`administrators (i.e., network administration traffic), including “secure shell (“SSH”) traffic to
`
`remotely install a patch or change configuration or virtual network computing (“VNC”) traffic
`
`or terminal services traffic to create a remote server desktop to remotely add a userID, or install a
`
`patch or change configuration (decision 110).” Ex. C, 5:54-59; Ex. P, ¶ 58. On the other hand,
`
`such traffic (e.g., SSH or VNC) is not harmless network administration traffic when it is not
`
`generated by known network administrators. See Ex. C, 1:67-2:2 (“Hacking can also be facilitated
`
`if there is an improper configuration to a server which allows unknown third parties to gain
`
`9
`
`IPR2024-00027
`CrowdStrike Exhibit 1009 Page 15
`
`

`

`Case 2:22-md-03042-JRG Document 256 Filed 08/04/23 Page 16 of 47 PageID #: 3609
`
`administrative authority to a program or data base.”). Defendants’ expert, Dr. Black, states that
`
`“simply because a command is issued by a network administrator does not mean it is ‘network
`
`administration traffic,’ such as the example of an administrator checking her personal email via
`
`SSH.” Ex. Q, ¶ 53. Not only is that understanding at odds with the patent specification, which
`
`makes a clear delineation between traffic by network administrators and traffic by hackers or
`
`unknown third parties to gain administrative authority, as noted above, but checking email is not
`
`traffic and the patent specification does not contain such an example because that would defy the
`
`basic understanding of the word, “traffic.”
`
`Dr. Black’s manufactured requirement that the specification determine whether the traffic
`
`is SSH or VNC traffic in addition to providing examples of network administration traffic (Ex. Q,
`
`¶¶ 48-51) is irrelevant to the claim language and also obfuscates the fundamental question that the
`
`claim limitation seeks to address, which is whether traffic originates from trusted network
`
`administrators (i.e., determine if the packet is network administration traffic) such that the system
`
`can avoid wasting resources and computing power by not monitoring benign network
`
`administration traffic. Ex. P, ¶ 59. It is time consuming to parse every network packet for known
`
`attacks, where each packet must have a purpose or explanation before they are discounted as
`
`known or harmless. Id. As noted above, “the shear [sic] number of packets received by [such a]
`
`honeypot delays the detection of new computer attacks, viruses, computer worms and exploitation
`
`code.” Id. (citing Ex. C, 2:38-3:5).
`
`The patent explains how it achieves that benefit through the use of a list of IP
`
`protocol/address combinations that correspond to bona fide ne