Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 1 of 35 PageID #: 7310

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF DELAWARE JUNIPER NETWORKS, INC., Plaintiff, v. PALO ALTO NETWORKS, INC., Defendant. ) ) ) ) ) ) ) ) )

C.A. No. 11-1258 (SLR) REDACTED PUBLIC VERSION

PLAINTIFF JUNIPER NETWORKS, INC.S INITIAL CLAIM CONSTRUCTION BRIEF MORRIS, NICHOLS, ARSHT & TUNNELL LLP Jack B. Blumenfeld (#1014) Jennifer Ying (#5550) 1201 North Market Street P.O. Box 1347 Wilmington, DE 19899-1347 (302) 658-9200 jblumenfeld@mnat.com jying@mnat.com OF COUNSEL: Morgan Chu Jonathan S. Kagan Lisa S. Glasser David McPhie Rebecca Clifford Talin Gordnia IRELL & MANELLA LLP 1800 Avenue of the Stars, Suite 900 Los Angeles, CA 90067-4276 (310) 277-1010 Original Filing Date: July 19, 2013 Redacted Filing Date: August 21, 2013 Attorneys for Plaintiff

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 2 of 35 PageID #: 7311

TABLE OF CONTENTS I. II. III. INTRODUCTION ........................................................................................................ 1 LEGAL FOUNDATION FOR CLAIM CONSTRUCTION .......................................... 1 BACKGROUND OF THE TECHNOLOGY AT ISSUE............................................... 2 A. B. C. IV. Fundamentals of Computer Technology ............................................................ 2 Fundamentals of Networking ............................................................................ 4 Fundamentals of Network Security ................................................................... 5

U.S. PATENT NO. 7,650,634....................................................................................... 6 A. B. two or more security devices (634 patent)..................................................... 6 receiving . . . evaluation information . . . (634 patent) ................................... 8

V.

U.S. PATENT NO. 7,107,612....................................................................................... 9 A. rule (612 patent) ........................................................................................... 9

VI.

U.S. PATENT NO. 6,772,347..................................................................................... 12 A. sorting packets into . . . initially denied packets (347 patent)....................... 12

VII.

U.S. PATENT NO. 7,734,752..................................................................................... 14 A. primary portion and secondary portion (752 patent) ................................ 14

VIII. U.S. PATENT NO. 8,077,723..................................................................................... 17 A. B. C. IX. first engine and second engine (723 patent) ............................................. 17 route a packet (723 patent) ......................................................................... 20 a tag and associate a tag (723 patent)....................................................... 23

U.S. PATENT NO. 7,779,459..................................................................................... 27 A. B. C. security screening (459 patent) ................................................................... 27 without performing the security screening (459 patent)............................... 28 security domains (459 patent) ..................................................................... 30

X.

CONCLUSION .......................................................................................................... 30

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 3 of 35 PageID #: 7312

TABLE OF AUTHORITIES Cases Bicon, Inc. v. Straumann Co., 441 F. 3d 945 (Fed. Cir. 2006) .......................................................................................28 CBT Flint Partners, LLC v. Return Path, Inc., 654 F.3d 1353 (Fed. Cir. 2011) ......................................................................................30 Elcommerce. com, Inc. v. SAP AG, 2011 WL 710487 (E.D. Pa. Mar. 1, 2011)........................................................................2 Freedom Wireless, Inc. v. Alltel Corp., 2008 WL 4647270 (E.D. Tex. Oct. 17, 2008).................................................................30 Liebel-Flarsheim Co. v. Medrad, Inc., 358 F.3d 898 (Fed. Cir. 2004) ........................................................................................26 Markman v. Westview Instruments, Inc., 52 F.3d 967 (Fed. Cir. 1995)............................................................................................1 Northeastern Univ. et al. v. Google, Inc., 2010 WL 4511010 (E.D. Tex. Nov. 9, 2010) ........................................................... 16, 20 NTP, Inc. v. Research in Motion, Ltd., 418 F. 3d 1282 (Fed. Cir. 2005) .....................................................................................28 Oatey Co. v. IPS Corp., 514 F.3d 1271 (Fed. Cir. 2008) ......................................................................................25 Phillips v. AWH Corp., 415 F.3d 1303 (Fed. Cir. 2005) ............................................................................ 1, 10, 14 Synergetics, Inc. v. Peregrine Surgical, LTD, 427 F. Supp. 2d 537 (E.D. Pa. 2006) ................................................................................2 U.S. Surgical Corp. v. Ethicon, Inc., 103 F.3d 1554 (Fed. Cir. 1997) ........................................................................................2 Ultramercial, Inc. v. Hulu LLC, __ F.3d __ (Fed. Cir. 2013)..............................................................................................3 Visto Corp. v. Seven Networks, Inc., 2005 WL 6220108 (E.D. Tex. Apr. 20, 2005) .................................................................7 Vitronics Corp. v. Conceptronic, Inc., 90 F.3d 1576 (Fed. Cir. 1996) ..........................................................................................1

ii

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 4 of 35 PageID #: 7313

Other Authorities Merriam-Websters Collegiate Dictionary 10th ed. ................................................................... 24 Websters College Dictionary 2005 ed. .....................................................................................24

iii

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 5 of 35 PageID #: 7314

I.

INTRODUCTION Faced with infringement claims on seven patents that PANs own founders invented

while employed by Juniper, PAN now seeks to re-define those patents. PANs primary approach is to ignore the technological context of the patentscomputer networkingand seek to import structural or physical limitations into computer terms that do not contain such limitations. Even PANs employees and experts do not agree with PAN on many of these issues, illustrating how far afield PANs constructions are from the patents and the relevant art of computer networking. Most of the terms presented for construction use straightforward language, and should be given their plain and ordinary meaning, consistent with how one skilled in the relevant technology would understand them. Juniper has nevertheless proposed constructions that (where appropriate) incorporate concepts from PANs proposals, while otherwise remaining faithful to the specifications of the patents-in-suit. Juniper respectfully requests that the Court adopt

Junipers claim constructions, as set forth herein. II. LEGAL FOUNDATION FOR CLAIM CONSTRUCTION It is a bedrock principle of patent law that the claims of a patent define the invention. Phillips v. AWH Corp., 415 F.3d 1303, 1312 (Fed. Cir. 2005). The words in a claim are generally given their ordinary and customary meaning, which is the meaning that the term would have to a person of ordinary skill in the art at the time of the invention. Id. 1312-13. When the meaning of a claim term is in doubt, the patents specification is appropriately consulted for guidance. Id. For example, a construction that excludes a preferred embodiment described in the specification is rarely, if ever correct and would require highly persuasive evidentiary support. Vitronics Corp. v. Conceptronic, Inc., 90 F.3d 1576, 1583 (Fed. Cir. 1996). The specification, however, cannot enlarge or diminish the claim language. Markman v. Westview Instruments, Inc., 52 F.3d 967, 980 (Fed. Cir. 1995).

-1-

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 6 of 35 PageID #: 7315

Claim construction is a matter of resolution of disputed meanings and technical scope, to clarify and when necessary to explain what the patentee covered by the claims, for use in the determination of infringement. It is not an obligatory exercise in redundancy. U.S. Surgical Corp. v. Ethicon, Inc., 103 F.3d 1554, 1568 (Fed. Cir. 1997).1 Straightforward terms should thus be given their plain meaning, not replaced with other words under the guise of construction. See, e.g., Elcommerce.com, Inc. v. SAP AG, 2011 WL 710487, at *6 (E.D. Pa. Mar. 1, 2011) (a court may resolve [claim construction disputes] by simply instructing the jury to evaluate a term in light of its plain and ordinary meaning). III. BACKGROUND OF THE TECHNOLOGY AT ISSUE The following section provides an overview of some basic technological principles of computer security and networking to facilitate claim construction analysis in this case. To minimize dispute, the materials cited are primarily PAN admissions, including from PANs cofounders (CTO Nir Zuk and Chief Architect Yuming Mao) and its own litigation experts.2 A. Fundamentals of Computer Technology

The patents-in-suit are directed to inventions for computer networks and systems using hardware, software, or combinations thereof. Physical hardware encompasses components such as circuits, wires, and computer chips (e.g., a central processing unit or CPU). Hardware components may be combined and embedded inside each other to create complex computer systems, even within just one physical chip. For example, a single CPU today may include
1 2

All emphases to quotations herein have been added, unless otherwise indicated. As in other legal contexts, party admissions are properly considered in claim construction. Moreover, although inventor and expert testimony is typically a disfavored form of extrinsic evidence because of its self-serving nature, here no such concern is implicated because the inventor and expert testimony is that of PANs principals and experts. See Synergetics, Inc. v. Peregrine Surgical, LTD, 427 F. Supp. 2d 537, 546 (E.D. Pa. 2006) (noting weight to be given opposing party admissions as contrasted with extrinsic evidence from a partys own experts).

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 7 of 35 PageID #: 7316

literally billions of electronic switches (e.g., transistors or logic gates) and other components. Computer systems may also include software comprising data or instructions that can perform computation or other actions. Programmers write software source code using programming languages that are understandable to humans, then build it into computer-executable form. Hardware and software aspects of computer systems are often interchangeable. As the Federal Circuit has recently observed: [T]he line of demarcation between a dedicated circuit and a computer algorithm accomplishing the identical task is frequently blurred and is becoming increasingly so as the technology develops. In this field, a software process is often interchangeable with a hardware circuit. Ultramercial, Inc. v. Hulu LLC, __ F.3d __, 2013 WL 3111303, at *16 (Fed. Cir. June 21, 2013).

Computer systems use memory to facilitate the storage and manipulation of software and other data. Memory comes in numerous varieties (e.g., SRAM and DRAM) and can be shared by multiple other components in a system.

Notably, in most kinds of memory, data stays retained in memory even after it is retrieved; that is, data retrieval is non-destructive.5 There are two primary ways of sending data in memory to parts of a computer system that need to use it. The first is to create a new copy of the data in a new memory location,
3

Ex. __ refers to exhibits attached to the Declaration of David McPhie, submitted herewith.
4 5

See Ex. B (Mitchell Depo. Tr.) at 25:8 27:4.

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 8 of 35 PageID #: 7317

sometimes called passing by value, and the second is to communicate a pointer to the location in memory where the data is held, sometimes called passing by reference.6 Neither method results in physical movement or removal of the original data in memory, although (of course) the original data may be later modified or overwritten via other steps. Data may be structured or organized in memory to facilitate its use. For example, data may be grouped into larger structures of multiple (often related) data values, and formatted depending on how the data entries are to be looked up and accessed. Data elements can be organized sequentially in a linked list, or for fast lookup in a hash table. Moreover, a related block of data need not be stored in a single physically connected portion of memory; there are mechanisms for storing . . . [a] meaningful collection of data in a noncontiguous way.7 B. Fundamentals of Networking

Connection of computer systems using networks (such as the Internet) allows data communication between computers, even at significant distances. To facilitate efficient

communication, data is broken down into packets, along with additional metadata for addressing and other purposes. These packets are typically structured in accordance with networking

standards that provide a well-defined framework for communication between disparate networking technologies. It is common to format data packets to include multiple layers of metadata information, each corresponding to a particular networking function. One well-known framework describing these networking layers is the seven-layer OSI model. The lowest layer of the model (layer 1) is the physical medium through which the basic bits of data are communicated (e.g., a copper wire or radiofrequency wave). At the other end of the spectrum (layer 7) is the actual application with which users can actually interact (e.g., email programs or
6 7

See Ex. B (Mitchell Depo. Tr.) at 76:22 77:6. See Ex. B (Mitchell Depo. Tr.) at 38:9 39:8.

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 9 of 35 PageID #: 7318

web browsers). The layers in between handle other aspects of network connectivity, such as the well-known Internet Protocol (IP) at layer 3. By providing conceptual separation of various aspects of networking, the OSI model allows communication at a high level independent of its underlying technical implementation. Thus (for example), when operating at the IP packet layer (layer 3), the underlying physical structure [layer 1] doesnt matter.8 As a corollary to the above, an IP packet is best understood as formatted, computerreadable datanot something tangible that humans physically handle or manipulate.9 Thus, when a packet is described as sent through the OSI model layers, it is not really physically as if something is being sent from one component to another . . . inside the computer.10 C. Fundamentals of Network Security

Permitting computers to communicate with other computers over a network exposes the risk of network attacks and security breaches. Accordingly, network security technologies have been developed for regulating communications between networked computers (e.g., by blocking attacks). One such technology is known as a firewall. Network administrators can configure firewalls and other network security products in a variety of ways to enable a security policy desired by an organization, e.g., to allow or prevent communication based on a number of rules. There are many ways in which such rules can be structured and applied. For example, in simple firewalls, each rule generally specifies some

8 9

See Ex. B (Mitchell Depo Tr.) at 29:13 34:14. See Ex. B (Mitchell Depo Tr.) at 23:14 24:12; Ex. C (Mao Depo. Tr.) at 376:3-8 ). See Ex. B (Mitchell Depo Tr.) at 17:12-19;

10

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 10 of 35 PageID #: 7319

characteristic of a packet and an action to take with any packets that match the characteristic.11 The several packets that make up an individual email message (or audiovisual stream, or web page) may collectively be considered a single flow or session. Instead of independently considering each packet belonging to such a session, a security product may be designed to perform rule matching only for the first packet in the session, and then store the results in its flow table or session table.12 Then, upon later receiving new packets, the security product may perform a lookup in the flow table to see if the new packets are related to any session that was previously set upif so, the stored flow information may be used to facilitate processing.13 IV. U.S. PATENT NO. 7,650,634 The 634 patent describes technology that improves the efficiency of packet processing in a network security device by using a single flow record for a plurality of network security devices. One of the objectives of the 634 patent was to integrate a variety of such multiple security functions in a manner that would be efficient and intelligent. Such integration combines the strengths (and mitigates the limitations) of various types of security devices, for example, a firewall or an intrusion prevention system (IPS). 634 patent at 1:152:9. A. Term two or more security devices two or more security devices (634 patent) Juniper Proposal No construction required. Alternatively, security devices may be construed as: hardware, firmware, software, or combinations thereof for performing security functions For example, this could include one or more programmable processors executing a computer program for performing security functions.
11 12 13

PAN Proposal at least two physically distinct structures each of which performs a security function

Ex. B (Mitchell Depo. Tr.) at 130:9 131:10. Ex. B (Mitchell Depo Tr.) at 80:10 81:2, 82:3 83:25. Id.

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 11 of 35 PageID #: 7320

The term two or more security devices is easily understandable and requires no construction.14 Alternatively, security devices may be construed as hardware, firmware, software or combinations thereof for performing security functions, in accordance with the 634 patent specification. For further clarity, the construction may also state that the security devices may be included on one or more programmable processors executing a computer program. Junipers proposed construction comes directly from the 634 patents description of the invention. For example, the Summary section of the patent describes plural security devices as a feature of the present invention, which may includ[e] computer program products. 634 patent at 2:14-22. The specification elaborates that [t]he invention can be implemented . . . in computer hardware, firmware, software, or in combinations of them, and further states that the invention can be performed by one or more programmable processors executing a computer program . . . . Id. at 6:1-3, 6:18-21. The specification also provides specific examples that further confirm that the claimed devices can take a variety of forms. For example, multiple security devices may be included in a single structure. See, e.g., 634 patent at 2:56-62, Figs. 1 & 9. Figure 9 shows that a single security device may itself include additional security devices such as a firewall or IPS. See, e.g., id. at 1:17-19, 2:49-50, 3:5-7, 7:3-7. A firewall operating as a security device can, in turn, be a set of computer programs, according to the priority application incorporated into the 634 patent specification. Ex. D (Pat. App. No. 10/072,683) at 3:32; see also Visto Corp. v. Seven Networks, Inc., 2005 WL 6220108, at *8 (E.D. Tex. Apr. 20, 2005) (construing firewall as comprising software and/or hardware). Moreover, as indicated above, the 634

specification expressly contemplates an embodiment wherein the claimed invention is executed

14

There is no dispute regarding the phrase two or more. Though unnecessary, Juniper does not object to PANs proposal to construe two or more as at least two.

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 12 of 35 PageID #: 7321

on just one . . . programmable processor[]. 634 patent at 6:18-21. Junipers construction of security device encompasses each of these configurations and embodiments. PANs proposed construction, in contrast, disregards the specification by limiting security devices to physically distinct structures. The specification makes no reference to physically or distinct. Moreover, the 634 patents only use of the term structure refers not to a security device, but to a flow table (a non-physical data entity). Id. at 3:33. Indeed, PANs expert, Dr. Mitchell, admitted that a device need not be a physically distinct structure. Q. A. What is a device? Device -- device is generally a thing that does something. That probably means different things in different contexts.

Ex. B (Mitchell Depo. Tr.) at 10:3-7. Dr. Mitchell further testified that although one way to think about a device was as a physical thing, that term is also used in computing to refer to a technique or method, which has nothing to do with physical devices. Id. at 45:2-9. B. Term receiving from each of the two or more security devices, evaluation information, the evaluation information being generated by a respective one of the two or more security devices receiving . . . evaluation information . . . (634 patent) Juniper Proposal No construction required. PAN Proposal receiving, from each of the two or more security devices, evaluation information generated by that device

Construction of this 28-word phrase appears unnecessary as it uses ordinary English words consistent with their plain meaning. Indeed, most of the words in the claim language (e.g., receiving from, generated, and evaluation information) also are used in PANs construction, and the included term security devices is the subject of a separate proposed construction. Nor has PAN identified any disputed merits issue to which this construction relates. Accordingly, no construction of this term is required.

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 13 of 35 PageID #: 7322

V.

U.S. PATENT NO. 7,107,612 Prior to the invention of the 612 patent, firewalls commonly used a fixed set of rules in

performing network security functions, which the patent notes can be restrictive in many practical applications. 612 patent at 3:12. Thus, there was a need in the art for a firewall engine which can generate rules dynamically, based upon information extracted from incoming packets . . . . Id. at 3:912. The 612 patent describes approaches for dynamically adding or modifying rules based on a sequence of data packets received by a network. The newly added or modified rules may (for example) be designed to respond to or mitigate a network attack identified based on analysis of data received. A. Term rule rule (612 patent) Juniper Proposal Juniper is willing to stipulate that, for purposes of the 612 patent claims, rules exist across multiple sessions. No further construction necessary. The simple term rules does not require elaborate construction. The parties have already agreed on one aspect of the term, namely that rules, in the context of the 612 patent, exist across multiple sessions. See also Ex. B (Mitchell Depo. Tr.) at 210:2-5.15 No further construction is needed for the jury to understand the basic concept of a rulea subject on which there appears to be substantial agreement. As indicated above, PAN expert Dr. Mitchell admits that, consistent with the usage . . . in the 612 patent, a rule generally specifies some characteristic of a packet[,] and an action . . .
15

PAN Proposal A rule is a policy for filtering packets across multiple sessions, as distinct from a lookup table

PAN expert Dr. Mitchell went on to identify at least one portion of the 612 patent specification as supporting this view: column 5, starting on line 25 and reading down. Ex. B (Mitchell Depo. Tr.) at 210:16 211:6 (So . . . the rules persist and . . . in that sense, they are beyond a particular session).

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 14 of 35 PageID #: 7323

to take with any packets that match the characteristic. Ex. B (Mitchell Depo. Tr.) at 130:9 131:10.16 Dr. Mitchell further testified: I think generally, a rule is an if-then statement. If the packet has some properties or in some way satisfies some conditions or is related to the processing environment in some way, then some action will or will not be taken as a result. Id. at 134:21-25. This formulation is consistent with the testimony of one of the inventors of the 612 patent, Yuming Mao. Ex. C (Mao Depo. Tr.) at 132:3 - 134:13 ( ). It also conforms with the exemplary rules disclosed in the 612 patent specification. For example, Figure 3 depicts an embodiment of a rule that provides items that may serve as a matching criterion for the rule (e.g., source IP address), along with a field to specify the action to be taken if the rule is matched. 612 patent at 4:43-44. Thus, the specification, inventor testimony, and even PANs expert agree on the relevant characteristics of a rule as used in the 612 patent. By contrast, PANs proposed construction makes no mention of any of these agreed aspects of a rule, but rather attempts to inject two new concepts into the meaning of rule that are inconsistent with the usage in the patent. First, PAN argues that a rule is a policy for filtering packets. But adoption of this construction would introduce a conflict with the surrounding claim language or (at best) confusing redundancy. For example, claim 1 recites rules . . . for incoming and outgoing data units. Because the claim already specifies that rules apply to packets (i.e., a type of data units), it is incorrect to expressly restate the notion of packets in the construction for rule. See Phillips v. AWH Corp., 415 F.3d 1303, 1314 (Fed. Cir. 2005) (en banc) (when a concept is
16

Dr. Mitchell further stated that in so testifying he was not trying to defin[e] what it means to be a rule. Ex. B (Mitchell Depo. Tr.) at 131:7-10. This is consistent with Junipers position that the term need not be construed.

10

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 15 of 35 PageID #: 7324

already included in surrounding context of a claim term, it strongly implies the term does not inherently include that concept). Similarly, claim 1 states that rules are for controlling access to and from a network device. Because the claim already specifies what the rules are for, it is improper to import other requirements by way of claim construction. Id. The second, and even more problematic, concept PAN tries to introduce into the claim involves the words as opposed to a lookup table. As an initial matter, PANs construction confuses the definitional makeup of a rule with the manner in which a particular rule is implemented or maintained. As explained in the technical overview above, data structures in memory (including rules) can be stored in a variety of formats. There is nothing in the patent or intrinsic record to suggest that any particular data format is excluded for the purpose of rules.17 Indeed, PANs own experts testified that rules can, in fact, be stored in a lookup table. For example, Dr. Mitchell testified: Q. A. [C]an you store rules in a hash table? Yeah. Hash table is another general data structure for storing data. You can treat rules as data and store them in a hash table.

Ex. B (Mitchell Depo. Tr.) at 140:24 141:5. Similarly, Dr. Mitzenmacher has stated, in his published writings and in deposition testimony, that rules can be provided in a hash table for lookup. Ex. E (Mitzenmacher Article) at 207-208 (describing hash table lookups for a hash table that will provide the packet classification rules);

17

Notably, PANs Founder and Chief Architect Yuming Mao, an inventor of the 612 patent, was unable at his deposition to identify Ex. C (Mao Depo. Tr.) at 379:16 380:19.

11

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 16 of 35 PageID #: 7325

.18 Thus, neither the intrinsic nor extrinsic record provides any support for PANs restrictive construction. VI. U.S. PATENT NO. 6,772,347 The 347 patent describes technology for efficient packet processing in a firewall. For example, after a firewall receives a packet, the packet may be sorted or processed into initially denied and initially allowed packets. Later, the initially denied packets are processed or sorted further into allowed or denied packets. See 347 patent at Abstract, 5:45-49. Denied packets are dropped, and allowed packets pass through the firewall. Id. A. Term sorting packets into initially denied packets sorting packets into . . . initially denied packets (347 patent) Juniper Proposal No construction required. PAN Proposal applying rules to make a first determination that identifies packets to be dropped

There is no need to construe the term sorting packets into . . . initially denied packets. As an initial matter, the term as phrased by PAN does not appear in any of the asserted claims. Indeed, at least one of the asserted claims (claim 24) does not use the word sorting at all. Moreover, PANs proposed construction is inconsistent with the 347 patent in at least two ways. First, PANs construction improperly requires that initially denied packets be identified as packets to be dropped. This contradicts the 347 patents teaching that a packet need not be identified to be dropped until after it is finally denied by an additional sorting or processing phase. This clear distinction between initially denied and denied packets is illustrated in Figure 6, an embodiment where the second sorting phase is a dynamic filter:
18

A lookup table can be used for many other purposes as well. For example, the 612 patent describes using a lookup table to implement a flow table. 612 patent at 5:10-42; see also Ex. B (Mitchell Depo. Tr.) at 80:10 - 84:3.

12

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 17 of 35 PageID #: 7326

Figure 6 shows that packets are not identified to be dropped when they are sorted into initially denied packets during the first phase. Rather, the initially denied packets proceed to an additional sorting phase which allows [at least] some of the initially denied packets to pass through the firewall. See 347 patent at 5:45-49. The drop action is assigned to a packet only after it has been further sorted during the second phase into a denied packet.19 PANs own experts confirmed that PANs construction does not correspond to the invention as described in the 347 patent. When asked the meaning of a first determination that identifies packets to be droppedan exact quote from PANs proposed constructionPAN expert Dr. Mitchell frankly admitted, [T]hat phrase doesnt correspond to either Figure 6 or the claim language. Ex. B (Mitchell Depo.) at 202:23 203:5.

347 patent at 6:1-3, Fig. 6. A second inconsistency between PANs construction and the 347 patent is that PAN seeks to change the word sorting into applying rules.
19

Sorting and rules are not

Figure 6 is consistent with the rest of the specification, which uses the term drop only in reference to finally denied packets, and never in reference to initially denied packets. Moreover, it makes logical sense that a packet cannot be dropped based only on an initial deny; otherwise, it would not be able to proceed through to the next step of further sorting.

13

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 18 of 35 PageID #: 7327

synonymous, and in fact, the 347 distinguishes between them. For example, some, but not all, of the claimed sorting steps require that the sorting be performed using rules. See, e.g., Claim 14 (further sorting the initially denied packets using rules). In claim elements that contain a using rules limitation, PANs construction would render the claim language using rules completely redundant; in the other claim elements that do not set forth such a requirement, PANs construction would add an extraneous limitation. Neither result is consistent with the 347 patent or the canons of claim construction. See Phillips, 415 F.3d at 1314. VII. U.S. PATENT NO. 7,734,752 The 752 patent describes an apparatus and method for sharing information between two security systems to provide protection in the event of failure. Specifically, two security systems each store information for flows that they are actively processing, as well as flow information synchronized from the other security system. 752 patent at 8:17-29. By doing so, each system can take over processing that ordinarily would be performed by the other, if the other system experiences a failure event. Id. To clarify which of the two security systems is being referenced, the 752 patent sometimes refers to them as the primary and secondary security systems. A. Terms a primary portion that stores information associated with the operation of the first deviceimplemented session module, when the primary security system is operating in a primary security mode a secondary portion that stores information associated with the operation of the first deviceimplemented session module, when the primary security system is functioning in a failover mode primary portion and secondary portion (752 patent) Juniper Proposal No construction required. Alternatively: a portion of the flow table that stores information for flows that the primary security system participates in processing when failover has not occurred No construction required. PAN Proposal the portion of the flow table that stores information for processing packets when all security devices are operational

a different portion of Alternatively: a portion of the same flow the same flow table that stores information table that stores information for flows for processing packets that the primary security system may if there is a failover process when there is a failover event event

14

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 19 of 35 PageID #: 7328

This disputed language does not require construction, as each of its words has a plain and ordinary meaning. PANs proposal, moreover, does not seek to clarify the claim language but rather to change it. Accordingly, Juniper has proposed alternative constructions that reflect the actual claimed invention. As explained above, one aspect of the 752 patent is that two systems synchronize information in their respective flow tables so that, if there is any malfunction affecting one system, the other system may use that flow information to process packets that would have been processed by the [other] security system but for the detected failure. 752 patent at 8:6-7; id. at 7:37-50. To do this, each systems flow table has a secondary portion that includes

information for flows that the session module may process in the event of a failover. Id. at 8:22-27. Junipers proposal tracks this language from the 752 patent explicitly, stating that the secondary portion stores information for flows that the primary security system may process when there is a failover event. Similarly, the specification explains that the primary portion of the flow table includes flow information used for actively participating in the processing of the packets. Id. at 8:1722. Junipers proposal also tracks this language, stating that the primary portion stores

information for flows that the primary security system participates in processing. Mirroring the construction for secondary portion, Junipers construction further states that such processing occurs when failover has not occurred in that system.20 By contrast, PANs proposals do not correspond to language in the 752 patent or to the scope of the invention. For example, for both first portion and second portion, PAN seeks to

20

Of course, even if the primary system should fail, the secondary system continues to participate in processing packets that the secondary system ordinarily would process (to the extent it was doing this before failover). See, e.g., 752 patent at 9:59-65.

15

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 20 of 35 PageID #: 7329

replace information associated with the operation of the first device-implemented session module with information for processing packets. As the preceding element of claim 1 explains, however, the claimed session module is used to maintain flow information . . . to facilitate processing of the packets. Thus, its operation comprises use of flow information. PANs use of the more generalized phrase information for processing packets is at best imprecise, as it could be read as encompassing activity having nothing to do with the use of flow information maintained by the session module. For example, as illustrated in Figure 5, if a session is not found for a packet (e.g., because it is the first packet of a flow), the packet may nevertheless undergo processing before flow information is even generated (in step 555). And Figure 5 depicts other additional steps that may occur even on existing flows before extracting information from the session modules flow table. As another example, PANs construction for secondary portion requires that the second portion be different from the first portion. The 752 patent does not use the word different in relation to any aspect of the flow table. Nor does labeling the portions as primary and secondary necessitate that these portions be distinct. See Northeastern Univ. et al. v. Google, Inc., 2010 WL 4511010, at *8 (E.D. Tex. Nov. 9, 2010) (Absent support from the intrinsic record or the language of the claims, requiring the first portion of the hashed query fragment to be distinct and separate from the second portion would be improper.). PAN has previously suggested that the basis for this aspect of its construction is an embodiment which describes the first and second portions as dedicated to store certain information (see 752 patent at 8:17-27). However, dedicated and different do not mean the same thing. Moreover, this is one embodiment, and the specification goes on to explain that the primary and secondary portions also may be integrated togetherthe opposite of distinct or different. Id. at 8:27-29.

16

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 21 of 35 PageID #: 7330

PAN also makes other unexplained changes to the claim language, such as replacing the word a with the, and introducing the term operational, a term which is not used in the claims or the specifications discussion of the claimed portions. These changes introduce further uncertainty and inaccuracy, and the Court should therefore reject them as well. VIII. U.S. PATENT NO. 8,077,723 The 723 patent describes technology that uses tags to improve the efficiency of packet processing in a system containing multiple processing engines. For example, in the 723 patent, a first engine directs a packet to a second engine. The second engine then processes the packet and associates a tag with the packet that contains information related to the processing of the packet. The information in the tag can include information that is useful to other engines when they are processing or routing the packet. See 723 patent at 5:50 6:5. Subsequently, the first engine directs the packet to a third engine, and the third engine processes the packet using the information in the tag. In one embodiment of the 723 patent, the second and third engines are included on one integrated circuit. A. Terms first engine second engine first engine and second engine (723 patent) Juniper Proposal No construction required. Alternatively, engine may be construed as: hardware, firmware, software, or combinations thereof for implementing one or more functional operations PAN Proposal software program on a first processor software program on a second processor

PANs proposal to construe the terms first engine and second engine may be best understood by first considering the context of the parties dispute regarding this element of the 723 patent.

17

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 22 of 35 PageID #: 7331

Ex. C (Mao Depo. Tr.) at 197:7 202:8. Id. at 198:4-10. PAN now seeks to change the ordinary meaning of engine in an attempt to distinguish it from the way PAN consistently uses engine in describing its products. That, of course, is not a valid reason to construe the claims. The 723 patent makes clear what an engine does (and does not) mean in the claims. As PANs Founder and Chief Architect (also a named inventor) Yuming Mao admitted, See, e.g., Ex. C (Mao Depo. Tr.) at 197:7-18. The 723 patent specification explains that the

engines of the claimed invention are a functional concept that can be implemented with hardware and/or software: the functional operations described herein can be implemented in . . . computer hardware, firmware, software, or in combinations of them, including on one or more programmable processors. 723 patent at 10:20-23, 10:38-39.21 Junipers proposed

construction accurately captures this full range of embodiments, using the exact language of the patentassuming the term engine requires construction at all. Other PAN admissions provide further support for Junipers construction. For example, PAN states in its own patent applications (authored by the 723 patents inventors, Mao and Zuk) that a processing engine can be of the form of hardware or software of combinations or both. Ex. G (Pat. App. No. 2008/0253366) 0021.

21

As shown above, this language is also used in the 634 patent specification to describe the breadth of possible architectural implementations; indeed, the 723 patent notes that a processing engine can be an example of a device. See 723 patent at 5:34-36.

18

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 23 of 35 PageID #: 7332

And PANs expert Dr. Mitchell, when asked whether he disagreed with the notion that an engine can be software that performs a function, responded, I dont see any reason to disagree with that. Ex. B (Mitchell Depo. Tr.) at 172:15-23; see also id. at 104:21-24 (Q. Have you ever heard the word engine used to describe software? A. I believe so.). These PAN admissions confirm the accuracy of Junipers proposed construction for engine: hardware, firmware, software, or combinations thereof for implementing one or more functional operations. PANs proposed constructions, by contrast, seek to artificially constrain the scope of engine to only the specific combination of a software program and a processor. As shown by the evidence cited above, the 723 patent invention may well encompass such a combination as a possible embodiment, but does not require it. For example, the patent states that the invention may be implemented using a stand-alone [software] program, but also permits use of a software module, component, subroutine, or other unit suitable for use in a computing environment. 723 patent at 10:32-34. Other disclosed implementations focus more on

hardware, e.g., special purpose logic circuitry such as an FPGA or ASIC. Id. at 10:41-45. PANs proposal improperly excludes these embodiments. Moreover, PANs constructions for the first and second engine terms are also problematic to the extent that they may be understood as improperly introducing a requirement that the first and second engines include different software programs running on different processors.22 There is no basis for introducing such a constraint into the 723 patent claims

22

PAN is not requesting construction of the term third engine, presumably because a construction suggesting that engines must be physically separated could not apply to the second and third enginein claim 1, those engines are included on one integrated circuit. However, PANs attempt to avoid this issue by construing only the first and second engines only creates an additional problem of inconsistency within the claims.

19

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 24 of 35 PageID #: 7333

through the engine terms. The claim drafters knew how to specify a difference requirement when they wanted one; in fact, claim 1 expressly requires that the second engine is different than the third engine. By contrast, claim 1 contains no such requirement as between the first and second engines, and thus there is no basis for adding one now. See Northeastern Univ., 2010 WL 4511010, at *8 (improper to read distinct and separate requirement into claims [a]bsent support from the intrinsic record).23 Requiring separate processors for multiple engines is also contrary to the 723 patent specification, which indicates that the invention may be performed on one programmable processor. 723 patent at 10:38-39. Tellingly, PANs expert Dr. Mitchell opined that, based on the understanding of engine in PANs construction, it would not be possible to perform the method of the invention on a single programmable processorthus confirming that PANs construction contradicts the specification. Ex. B (Mitchell Depo. Tr.) at 106:13 107:1. Dr. Mitchell also admitted that the 723 patent does not require separate software programs, as functionally distinct engines can be part of the same executable software file. Id. at 241:16 242:3. Indeed, claim 1 illustrates that that engines need not be physically separate, describing multiple engines as included on a single integrated circuit. B. Term route a packet route a packet (723 patent) Juniper Proposal No construction required. Alternatively, Juniper would be willing to adopt send a packet(PANs original proposed construction) as a compromise, if the parties agree to further clarify that send does not exclude routing by reference or by pointer. PAN Proposal send a packet from a source to its intended destination

23

Compare claims 9 and 17, which do expressly require a second engine that is different than the first engine. Such an express limitation would not be necessary if the terms first engine and second engine inherently included the concept of difference.

20

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 25 of 35 PageID #: 7334

PANs proposal for the term route a packet is unnecessary. It merely replaces the word route with send, then adds the concept of a source and destination. There is no indication that a jury would not understand the term route in the context of the 723 claims. Nevertheless, Juniper has agreed that it would be willing to use the word send instead of route to minimize the disputed issues for the Court, with the clarification that sending does not excludes routing by reference or pointer. As noted in the technical background section, a packet is not a tangible thing that is physically sent to a destination. A packet may be routed to a destination, as where a message is transmitted from one computer to another computer on the other end of the Internet. For example, the Background section of the 723 patent discloses the prior art use of products called routers to cause packets to be routed through specific paths in the network, such as based on the destination address. 723 patent at 1:62 2:1. However, even in that instance, no actual physical matter is moved from the place where the packet originated to the physical location of its destination. See Section III.A & III.B, supra. Moreover, the asserted claims of the 723 patent do not describe routing a packet to a destination point on the other end of a network. Rather, the claims describe routing a packet within a packet processing security system (that itself can exist on a single processor, e.g., 723 patent at 10:38) to one or more engines within it. E.g., Claim 1 (route a packet to a second engine; route the packet to a third engine). The term route when used in reference to an engine does not require transmission to a destination. The 723 patent confirms this, consistently distinguishing between routing to an engine within a system and routing to a destination. For example, an embodiment described in Figure 6 includes separate steps to: (1) Route Packet to a Processing Engine and (2) Route Packet to Destination. Similarly, independent claim 9

21

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 26 of 35 PageID #: 7335

recites routing . . . a packet to a second engine, whereas dependent claim 13 further requires routing the packet to a destination. Figure 1 of the patent provides a further illustration. The router labeled 118 is

connected to and capable of routing packets to destinations on the network such as a web server (110) or workstations (134). But no connection is shown between the router and the individual engines that are part of processing system 126, because the individual engines within one packet processing system are not discrete network destinations. Therefore, there must be some other mechanism available to route packets between engines. The 723 patent encompasses a number of methods for communication between the claimed engines. As described in the technical overview, one skilled in the computer arts would understand that a packet in memory may be passed in a system either by making a copy of the packet data in a new location, or by using a pointer to the memory location corresponding to the packet location. The 723 patent specification expressly contemplates this approach of using pointers to communicate packet data. For example, the 723 patent incorporates by reference the entirety of the 634 patent disclosure, including the following diagram:

See 723 patent at 1:11-12; 634 patent at Fig. 6. Similarly, an earlier patent application that is incorporated by reference into the 723 patent specification (723 patent at 2:66 3:3) provides extensive discussion of the use of pointers. See, e.g., Ex. D (U.S. Pat. App. No. 10/072,683) at 33-40, Figs. 8, 9, 11.24

24

Even PANs expert Dr. Mitchell concedes that [t]wo [software] processes on the same computer can use some forms of shared memory and that in such a case, some data . . .

22

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 27 of 35 PageID #: 7336

Contrary to the intrinsic record, PANs construction is misleading because the jury could interpret it to require the physical movement of a packet. For the reasons discussed above, this contradicts basic computer networking principles and the 723 patent. As a further example, the patent explains that to route the packets to processing engines is a form of communication between processing engines. 723 patent, 4:5-6 (communication between processing engines [as] discussed in greater detail below); 4:15-16 (route the packets to processing engines). One of ordinary skill in the art would understand that communication does not require physical movement. In fact, PANs expert Dr. Mitchell testified that he was not sure that send was an appropriate way to characterize the communication of data packets within a computer. See Ex. B (Mitchell Depo. Tr.) at 16:16-22. PANs expert also identified a concrete example of routing without movement, namely, the use of a well-known networking mechanism called localhost, where one can route packets to oneself. Id. at 75:12-24. And the specification notes the possibility that the claimed engines between which routing takes place can be integrated on a single integrated circuit (IC). 723 patent at 10:15-17. Thus, adopting PANs construction would be inaccurate and misleading unless, per Junipers proposed compromise, the construction clarified that it does not exclude routing by reference or by pointer. C. Term a tag associate a tag a tag and associate a tag (723 patent) Juniper Proposal No construction required. No construction required. Alternatively, associate may be construed as: to connect or bring into relationship in any of various intangible ways could reside in shared memory and, therefore, be read by the second process from the same shared memory location the first process wrote it intothat is, sending or routing the data via pointer. Ex. B (Mitchell Depo. Tr.) at 73:12 75:11. PAN Proposal a structure for holding data that is sent along with a packet form a connection with a tag

23

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 28 of 35 PageID #: 7337

The terms a tag and associate a tag do not need construction. The term tag is consistently used in the 723 to refer to the data or information used to help process packets in the multiple processing engine system of the 723 patent. For example, the 723 patent explains that a tag can provide information that a particular packet was determined to be possibly part of an attack on the system. 723 patent at 7:62-64. A tag can also comprise such information as network layer 3 and layer 4 data, a context pointer . . . and a communication action flag. Id. at 5:57-60. Additional types of information for a tag are also possible. Id. Because the information in a tag is to be used for processing a packet, the claims also provide that a tag needs to be associate[d] with the packet in some way. The word associate is used in its common English language sense; the patent does not provide any specialized definition or specify that association occur in any particular manner. Thus, it should be given its plain English language meaning, which is to connect or bring into relationship in any of various intangible ways. See Ex. J (Merriam-Websters Collegiate Dictionary 10th ed.) at 70 (to bring together or into relationship in any of various intangible ways); Ex. K (Websters College Dictionary 2005 ed.) at 76 (bring into relation). Those of skill in the art would appreciate that there are a variety of ways to associate a tag with a packet, as reflected in the 723 patent specification. For example, the 723 patent incorporates into its specification an earlier application describing association through use of memory pointers. See 723 patent at 2:66 3:3; Ex. D (U.S. Pat. App. No. 10/072,683) at 34:3-9 (this association [of packet flow and session] is done by a double pointer). Alternatively, the specification notes that a tag can be appended or prepended to the packet. 723 patent at 2:60-61. PANs expert Dr. Mitchell has further observed that often the way that a tag or other annotation is associated with a data value is through some other data structure that

24

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 29 of 35 PageID #: 7338

contains both of them or links them in some way. Ex. B (Mitchell Depo. Tr.) at 228:7-10. Junipers construction encompasses all of these valid possibilities. By contrast, PANs proposed constructions confuse, rather than clarify, the meaning of associate a packet. As with several other claim terms, PANs construction is susceptible to being misinterpreted as imposing physical limitations inapplicable to the network security context of the 723 patent. See Ex. C (Mao Depo. Tr.) at 377:3-7

For example, PANs proposal requires that a tag is sent along with a packet. The 723 patent does not use this language, and (as noted in the technical overview and in connection with other claim terms) the concept of sending is ill-suited to non-physical data structures such as packets and tags. Moreover, PANs position that tags must be sent along with packets is at odds with the patent specification, which presents two alternative scenarios: (1) tags and packets are communicated over separate paths, as illustrated in Figure 3a; or (2) [a]lternatively, packets and tags may be sent over a common path. 723 patent, 5:4-7, Fig. 3. Because the 723 patent contemplates that tags and packets may be sent over either different or common paths, it is incorrect to require that tags and packets be sent together. Because PANs construction excludes the embodiment where tags and packets are sent over different paths, it is improper. Oatey Co. v. IPS Corp., 514 F.3d 1271, 1276 (Fed. Cir. 2008) (We normally do not interpret claim terms in a way that excludes embodiments disclosed in the specification.). PANs constructions also present the risk of being misunderstood as requiring that the tag be physically appended to the packet itself. The intrinsic record rejects this notion. The 723 patent specification clearly explains that [t]ags can be appended or prepended to the packet,

25

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 30 of 35 PageID #: 7339

but also can be communicated over separate paths. 723 patent at 2:60-61; Fig. 3. PAN overlooks this discretionary language to the extent it seeks to mandate a physical connection between the tag and packet. PANs construction is also inconsistent with the meaning of associated as reflected in the prosecution history. For example, claim 17 of the original patent application included the language creating a tag associated with the packet, while original dependent claim 22 added the limitation wherein creating a tag includes one of appending the tag to the packet or prepending the tag to the packet. Appendix Ex. 8 at JA-246 (5/14/10 Patent App.). According to the doctrine of claim differentiation, this connotes that the patentee did not consider appending or prepending to be an intrinsic part of associating, because those limitations were added by a dependent claim. Liebel-Flarsheim Co. v. Medrad, Inc., 358 F.3d 898, 910 (Fed. Cir. 2004) (the presence of a dependent claim that adds a particular limitation raises a presumption that the limitation in question is not found in the independent claim). Finally, an additional problem with PANs proposed language, a structure for holding data, has recently arisen. It now appears based on expert discovery that PAN may be taking the position that a structure (a word that is not used in the 723 patent) does not include data itself.25 That position is inconsistent with the specification, which (as shown above), considers the information included in a tag an essential part of the tag itself. Put simply, a tag includes information. See, e.g., 723 patent at 2:22-23. The 723 patent does not contemplate that a tag is independent of that information. This constitutes another reason why PANs construction

25

As part of the meet-and-confer process, Juniper inquired whether PAN would accept the phrase a structure for holding data standing alone as an acceptable construction for tag, but PAN did not respond. After the parties submitted the Joint Claim Construction Statement, Juniper learned of PANs apparent position that a structure for holding data did not include the data itself. Because Juniper disagrees with that premise, it has withdrawn its prior proposal to avoid a situation where construction might generate more confusion than it would resolve.

26

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 31 of 35 PageID #: 7340

should not be adopted, and the plain meaning of the straightforward term tag should govern. IX. U.S. PATENT NO. 7,779,459 The 459 patent discusses security domains and the processing of both inter-zone and intra-zone packets, where inter-zone traffic passes between distinct security domains and intrazone traffic remains within a security domain. See 459 patent at 6:62-65; 10:42-59. For example, the 459 patent describes ways to bypass one or more types of security screening for intra-zone packets traveling within a distinct security domain, to increase processing efficiency. A. Term security screening security screening (459 patent) Juniper Proposal No construction required. Alternatively: application of one or more security policies Although the term security screening does not require construction, Juniper has alternatively proposed a modified version of PANs earlier proposed construction (the construction that PANs experts use): application of one or more security policies.26 Consistent with Junipers construction and aspects of PANs original construction, the specification of the 459 patent describes security screening as application of a security policy or policies. See, e.g., 459 patent at 7:19-21 (policies can be established for . . . screening packets as they traverse the security switch), 9:5-9 (after an appropriate policy is retrieved, then the packet is inspected . . . [which] can include screening); see also Fig. 3 (showing policies retrieved if a [p]acket [is] to be screened). The patent explains that screening can be based on one or more considerations, e.g., packets can be screened based on source,
26

PAN Proposal inspection to determine whether a packet should be dropped

PAN originally proposed applying security policies to determine whether a packet should be forwarded but changed position after expert reports.

27

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 32 of 35 PageID #: 7341

destination, or both. 459 patent at 7:31-34. Similarly, dependent claim 2 discloses that performing the security screening may comprise enforcing at least one security constraint. By contrast, PANs proposed construction inspection to determine whether a packet should be droppeddoes not have similar support in the intrinsic record. The 459 patent does not equate screening with inspection, and in fact expressly distinguishes the concepts. Id. at 7:20 (inspecting or otherwise screening), 9:8-9 (inspection can include screening). Moreover, the 459 patent never discloses or even suggests that security screening is equivalent to determin[ing] whether a packet should be dropped. Thus, PANs proposal is inconsistent with the 459 patent and should not be adopted. B. Term without performing the security screening without performing the security screening (459 patent) Juniper Proposal No construction required. Alternatively: without applying the one or more security policies that are applied to inter-zone traffic The issues presented for the term without performing the security screening are essentially the same as discussed above for security screening, with one important exception: PAN attempts an additional sleight of hand by deleting the definite article the from the claim term. This facially minor change significantly changes the meaning of the 459 patent claims. Claims must be construed with an eye toward giving effect to all terms in the claim. Bicon, Inc. v. Straumann Co., 441 F. 3d 945, 950 (Fed. Cir. 2006). In patent law, the word the has a particular, well-defined meaning: it signals that the term that follows is referring to something mentioned earlier in the claim (often referred to as its antecedent basis). See NTP, Inc. v. Research in Motion, Ltd., 418 F. 3d 1282, 1306 (Fed. Cir. 2005). Thus, in claim 1 of the PAN Proposal without performing inspection to determine whether a packet should be dropped

28

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 33 of 35 PageID #: 7342

459 patent, the term the security screening refers to the same security screening recited in the preceding elementthat is, the claimed security screening performed based on a [] determination that the packet is to pass between the two distinct security domains.27 PANs attempt to read the antecedent basis out of without the security screening is not only inaccurate, but could engender significant confusion. Particularly when coupled with

PANs (improper) proposal to define screening by reference to determin[ing] whether a packet should be dropped, the jury could be left with the erroneous impression that no packet can be dropped unless: (1) it is determined to be an inter-zone packet, and (2) an inspection is performed, based on that determination, which further determines that the packet must be dropped. Of course, a packet can be dropped for many other reasons. The 459 patent describes one example where a packet can be dropped if the MAC address is unknown. Id. at 3:60-61. The 459 patent also describes setting a period of time to attempt to locate an address for the packet and dropping the packet after the expiration of the predetermined amount of time. Id. at 3:44-60. Furthermore, the 459 patent describes embodiments in which firewall protections are applied to both inter-zone and intra-zone traffic, such as TCP stateful inspection, synattack guard, and policy-based control. Id. at 4:48-52. These scenarios could likewise result in a packet being dropped. Only Junipers proposed construction (without applying the one or more security policies that are applied to inter-zone traffic) captures the meaning of the complete claim term without the security screening. It retains the key definite article the (the one or more security policies) and makes clear that the referenced security policies are those that the claim earlier indicated are applied based on the determination that a packet is an inter-zone packet.
27

The patent uses the term inter-zone to refer to packets passed from one zone or security domain to another. See, e.g., 459 patent at 6:62-65.

29

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 34 of 35 PageID #: 7343

Thus, if the Court construes this claim term, it should adopt Junipers proposal. C. Term security domains security security domains (459 patent) Juniper Proposal security domains PAN Proposal [no response]

Finally, the Court should exercise its power to correct a typographical error in the 459 patent, where the claims recite security domains security instead of security domains. See, e.g., CBT Flint Partners, LLC v. Return Path, Inc., 654 F.3d 1353, 1358 (Fed. Cir. 2011) (It is well-settled law that, in a patent infringement suit, a district court may correct an obvious error in a patent claim.). PAN does not dispute Juniper's proposal and courts routinely correct such errors. See, e.g., Freedom Wireless, Inc. v. Alltel Corp., 2008 WL 4647270, at *13 (E.D. Tex. Oct. 17, 2008) (correcting causing a call is caused to be terminated by omitting is caused). X. CONCLUSION For the foregoing reasons, Juniper respectfully requests that its proposed constructions be adopted. MORRIS, NICHOLS, ARSHT & TUNNELL LLP

/s/ Jennifer Ying

OF COUNSEL: Morgan Chu Jonathan S. Kagan Lisa S. Glasser David McPhie Rebecca Clifford Talin Gordnia IRELL & MANELLA LLP 1800 Avenue of the Stars, Suite 900 Los Angeles, CA 90067-4276 (310) 277-1010 July 19, 2013
7376005

Jack B. Blumenfeld (#1014) Jennifer Ying (#5550) 1201 North Market Street P.O. Box 1347 Wilmington, DE 19899-1347 (302) 658-9200 jblumenfeld@mnat.com jying@mnat.com Attorneys for Plaintiff

30

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 35 of 35 PageID #: 7344

CERTIFICATE OF SERVICE I hereby certify that on August 21, 2013, I caused the foregoing to be electronically filed with the Clerk of the Court using CM/ECF, which will send notification of such filing to all registered participants. I further certify that I caused copies of the foregoing document to be served on August 21, 2013, upon the following in the manner indicated: Philip A. Rovner, Esquire Jonathan A. Choa, Esquire POTTER ANDERSON & CORROON LLP 1313 North Market Street Hercules Plaza Wilmington, DE 19801 Attorneys for Defendant Daralyn J. Durie, Esquire Ragesh K. Tangri, Esquire Ryan M. Kent, Esquire Brian C. Howard, Esquire Sonali D. Maitra, Esquire DURIE TANGRI LLP 217 Leidesdorff Street San Francisco, CA 94111 Attorneys for Defendant Harold J. McElhinny, Esquire Michael A. Jacobs, Esquire Matthew A. Chivvis, Esquire Matthew I. Kreeger, Esquire MORRISON & FOERSTER LLP 425 Market Street San Francisco, CA 94105 Attorneys for Defendant VIA ELECTRONIC MAIL

VIA ELECTRONIC MAIL

VIA ELECTRONIC MAIL

/s/ Jennifer Ying

Jennifer Ying (#5550)