`571.272.7822 Date: November 13, 2019
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`ZSCALER, INC.,
`Petitioner,
`v.
`
`SYMANTEC CORPORATION,
`Patent Owner.
`____________
`
`IPR2018-00920
`Patent 9,525,696 B2
`____________
`
`
`
`Before JEFFREY S. SMITH, BRYAN F. MOORE, and NEIL T. POWELL,
`Administrative Patent Judges.
`
`SMITH, Administrative Patent Judge.
`
`
`
`
`JUDGMENT
`Final Written Decision
`Determining All Challenged Claims Unpatentable
`35 U.S.C. § 318(a)
`
`
`I. INTRODUCTION
`Petitioner filed a Petition for inter partes review of claims 1–19 of
`U.S. Patent No. 9,525,696 B2 (Ex. 1001, “the ’696 patent”). Paper 1
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`(“Pet.”). Patent Owner filed a Preliminary Response. Paper 9 (“Prelim.
`Resp.”). On November 14, 2018, we instituted an inter partes review of all
`the challenged claims. Paper 11. Patent Owner filed a Response to the
`Petition. Paper 19 (“PO Resp.”). Petitioner filed a Reply. Paper 23 (“Pet.
`Reply”). Patent Owner filed a Sur-Reply. Paper 26 (“PO Sur-Reply”). An
`oral hearing was held August 8, 2019. Paper 37.
`This Final Written Decision is entered pursuant to 35 U.S.C. § 318(a).
`For the reasons discussed below, we determine that Petitioner has shown by
`a preponderance of the evidence that claims 1–19 of the ’696 patent are
`unpatentable.
`
`A. Related Matters
`The ’696 patent, along with several other patents, is the subject of
`Symantec Corporation and Symantec Limited v. Zscaler, Inc., No. 17-cv-
`04414 (N.D. Cal.), transferred from No. 17-cv-00806 (D. Del.), which was
`filed June 22, 2017. Pet. 2–3; Paper 5 (Patent Owner’s Mandatory Notice).
`The ’696 patent shares common parent applications with U.S. Patent
`No. 8,402,540 B2 (“the ’540 patent”). The ’540 patent is the subject of
`IPR2018-00930. Pet. 4; Paper 5.
`B. The ’696 Patent
`The ’696 patent relates generally to protecting computer systems from
`viruses, attacks from hackers, spyware, spam, and other malicious activities.
`Ex. 1001, 1:59–63. A flow processing facility inspects payloads of network
`traffic packets and provides security and protection to a computer. Id. at
`Abstract. Figure 1 of the ’696 patent is reproduced below.
`
`
`
`2
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`
`
`
`
`Figure 1 above shows networked computing environment 100 for data
`flow processing, including flow processing facility 102 coupled to
`internetwork 104, network-connected computing facility 112, a plurality of
`server computing facilities 108, and a number of departmental computing
`facilities 110, such as an engineering department, a marketing department,
`and another department. Ex. 1001, 19:57–65, 20:7–8. Flow processing
`facility 102 receives data flows from the computing facilities via
`internetwork 104 and processes the data flows. Id. at 20:29–35. A
`virtualization aspect of flow processing facility 102 enables the flow
`processing facility to provide features and functions tailored to users of data
`flows. Id. at 22:16–19. For example, virtualization can present server
`computing facility 108 with different policies and applications than it
`provides to network-connected computing facility 112. Id. at 22:21–25. A
`subscriber profile can relate an application to a subscriber. Id. at 37:58–59.
`
`
`
`3
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`
`Figure 30 below shows a schematic of an enterprise network. Id. at
`89:27–28.
`
`
`Figure 30 above shows network participants of network 3000 include
`user1 3004, user2 3008, and server 108, and participant types of network
`3000 include engineering 3010 and sales 3012. Id. at 89:42–45. Each of the
`network participants and participant types has a physical connection to flow
`processing 102. Id. at 89:45–48. Virtualization model 3014 of flow
`processing facility 102 uniquely identifies data flows 444 from each
`participant and routes the data flow to virtual network 3018 associated with
`the relevant participant. Id. at 90:3–9. Security policy 3020 may direct all
`aspects of flow processing facility 102, including an anti-virus feature, an
`anti-spam feature, an anti-spyware feature, or anti-worm feature, to be
`applied to data flow 444 of virtual network 3018. Id. at 90:19–26.
`
`
`
`4
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`
`C. Illustrative Claim
`Claims 1 and 13 of the challenged claims of the ’969 patent are
`independent. Claim 1 is illustrative of the claimed subject matter:
`1. A flow processing facility for implementing a security
`policy, comprising:
`a plurality of application processing hardware modules, each
`configured with an application for processing data packets;
`a subscriber profile for identifying data packets associated with
`the subscriber profile in a stream of data packets; and
`a network processing module for identifying one or more of the
`plurality of application processing modules for processing the
`identified data packets based on an association of the
`application configured on each application processing module
`with the subscriber profile and for transmitting the identified
`data packets in at least one of series and parallel to the
`identified application processing modules based on the security
`policy.
`Ex. 1001, 123:48–63.
`
`D. References
`Petitioner relies on the following references. Pet. 5–6.
`Name
`Reference
`Nortel
`WO 00/33204, issued June 8, 2000
`Stone
`US 5,598,410, issued Jan. 28, 1997
`Alles
`US 6,466,976 B1, issued Oct. 15, 2002, filed Dec.
`3, 1998
`US 6,633,563 B1, issued Oct. 14, 2003, filed
`Mar. 2, 1999
`
`Lin
`
`
`
`Exhibit
`1004
`1005
`1006
`
`1007
`
`
`
`5
`
`
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`
`E. Asserted Grounds of Unpatentability
`Petitioner contends that claims 1–19 of the ’696 patent are
`unpatentable based on the following grounds:
`Claims Challenged
`35 U.S.C. §
`1, 9–13, 16–19
`103
`2–8, 14, 15
`103
`1, 9–13, 16–19
`103
`2–8, 14, 15
`103
`
`
`Reference(s)
`
`Nortel
`Nortel, Stone
`Alles, Lin
`Alles, Lin, Stone
`
`II. ANALYSIS
`A. Claim Construction
`In an inter partes review proceeding based on a petition filed before
`November 13, 2018, a claim in an unexpired patent is interpreted according
`to “its broadest reasonable construction in light of the specification of the
`patent in which it appears.” 37 C.F.R. § 42.100(b) (2017). 1 Under this
`standard, “the words of a claim ‘are generally given their ordinary and
`customary meaning’ . . . that the term would have to a person of ordinary
`skill in the art in question at the time of the invention.” Phillips v. AWH
`Corp., 415 F.3d 1303, 1312–13 (Fed. Cir. 2005) (en banc) (citations
`omitted). “[T]he person of ordinary skill in the art is deemed to read the
`claim term not only in the context of the particular claim in which [it]
`appears, but in the context of the entire patent, including the specification.”
`
`
`1 A recent amendment to this rule does not apply here because the Petition
`was filed before November 13, 2018. See Changes to the Claim
`Construction Standard for Interpreting Claims in Trial Proceedings Before
`the Patent Trial and Appeal Board, 83 Fed. Reg. 51,340 (Oct. 11, 2018)
`(amending 37 C.F.R. § 42.100(b) effective November 13, 2018).
`6
`
`
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`Id. at 1313. For example, a “claim construction that excludes [a] preferred
`embodiment [described in the specification] ‘is rarely, if ever, correct and
`would require highly persuasive evidentiary support.’” Adams Respiratory
`Therapeutics, Inc. v. Perrigo Co., 616 F.3d 1283, 1290 (Fed. Cir. 2010)
`(citation omitted). But “a claim construction must not import limitations
`from the specification into the claims.” Douglas Dynamics, LLC v. Buyers
`Prods. Co., 717 F.3d 1336, 1342 (Fed. Cir. 2013) (citation omitted).
`Therefore, “it is improper to read limitations from a preferred embodiment
`described in the specification—even if it is the only embodiment—into the
`claims absent a clear indication in the intrinsic record that the patentee
`intended the claims to be so limited.” Dealertrack, Inc. v. Huber, 674 F.3d
`1315, 1327 (Fed. Cir. 2012) (citation omitted).
`For purposes of this decision, we determine no terms need an explicit
`construction to resolve a controversy. See Vivid Techs., Inc. v. Am. Sci. &
`Eng’g, Inc., 200 F.3d 795, 803 (Fed. Cir. 1999) (only those terms which are
`in controversy need to be construed and only to the extent necessary to
`resolve the controversy). We address claim interpretation to the extent
`necessary within the unpatentability analysis.
`B. Asserted Obviousness over Nortel: Claims 1, 9–13, and 16–19
`1. Nortel (Ex. 1004)
`Nortel relates to a method for providing desired service policies to
`subscribers accessing the Internet. Ex. 1004, 1:4–6. An internet service
`node (“ISN”) enables providing the desired service policies to each
`subscriber. Ex. 1004, Abstract. The ISN contains multiple processor
`groups, with each subscriber being assigned to a processor group. Id. The
`assigned processor group may be configured with processing rules that
`
`
`
`7
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`provide the service policies desired by a subscriber. Id. A content
`addressable memory with masks for individual locations determines the
`processor group to which received data is to be assigned. Id.
`Figure 4 of Nortel illustrates details of an ISN and is reproduced
`below.
`
`
`
`
`Figure 4 above shows an ISN including access ports 410-A, 410-B; trunk
`ports 420-A, 420-B, 420-C; switch fabric 440; packet service cards 450-A,
`450-B; router/service management card 460; and configuration manager
`470. Ex. 1004, 17:17–23.
`Configuration manager 470 provides a user interface to enable
`different service policies to be specified for different subscribers. Ex. 1004,
`18:13–15. Switch fabric 440 receives bit groups from access ports 410 and
`forwards the bit groups to packet service cards 450. Id. at 19:7–8. Different
`service policy types are implemented in different packet service cards 450.
`Id. at 19:12–13. Each subscriber may be assigned to a packet service card
`8
`
`
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`providing the desired service policy types. Id. at 13–14. By assigning the
`data processing for each subscriber to a specific packet service card, each
`packet service card may be configured only with the processing rules
`corresponding to the subscribers assigned to it. Id. at 20:14–18.
`Figure 5 of Nortel is reproduced below.
`
`
`Figure 5 of Nortel above is a block diagram illustrating details of packet
`service card 450. Ex. 1004, 21:14–15. Packet service card 450 includes
`processor groups 550-A through 550-D, processor interface 530, and control
`logic 520. Id. at 21:15–16. Control logic 520 determines which of the
`processors in a processor group processes a packet. Id. at 21:19–20.
`Control logic 520 operates in conjunction with configuration manager 470 to
`instantiate, or configure, processor groups 550 with processing rules related
`to assigned subscribers, to ensure processor group 550 performs operations
`specified by the processing rules. Id. at 21:21–23, 21:30–31. Several
`subscribers may be assigned to each processor group. Id. at 22:8.
`
`
`
`9
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`
`2. Claims 1, 9–13, and 16–19
`Claim 1 recites “a plurality of application processing hardware
`modules, each configured with an application for processing data packets.”
`Claim 13 recites a similar limitation. Petitioner contends these limitations
`are taught by Nortel, in view of the knowledge of a person of ordinary skill
`in the art, based on Nortel’s teaching of an ISN including a plurality of
`packet service cards. Pet. 21–22 (citing Ex. 1004, Fig. 4, 3:5–7, 17:18–21,
`20:19–20), 31. According to Petitioner, each packet service card in Nortel
`has a plurality of processor groups, and each processor group processes data
`using processing rules, where the processing rules corresponding to a
`subscriber are assigned to a pre-specified processor or group of processors.
`Pet. 22–23 (citing Ex. 1004, Fig. 5, 3:5–9, 4:20–23, 9:16–19, 19:12–24,
`21:14–16, 22:14–15; Ex. 1003 ¶¶ 76–80).
`Petitioner contends that a person of ordinary skill in the art “would
`have understood Nortel’s processing rules to comprise applications.” Pet.
`25. Specifically, Petitioner contends that Nortel discloses that the
`processing rules on the packet service cards implement policies relating to
`firewalls, security, anti-spoofing, virtual private networks, encryption,
`tunneling, and traffic steering, which, according to Petitioner’s declarant Dr.
`Markus Jakobsson, were well-known in the art to be performed by
`application programs. Pet. 24 (citing Ex. 1004, 14:28–15:2; Ex. 1003 ¶¶ 80–
`83; Ex. 1012, 6). Petitioner contends that Nortel’s disclosure of an
`exemplary structure shown in Figure 6A, containing multiple processing
`rules, teaches that each processing rule is a software structure containing a
`classifier and an action, with the classifier specifying the data flows and
`
`
`
`10
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`conditions under which the associated action needs to be applied. Pet. 24–
`25 (citing Ex. 1004, Fig. 6A, 15:4–6; Ex. 1003 ¶¶ 84–85).
`Figure 6A of Nortel is reproduced below.
`
`
`Figure 6A above shows table 600 illustrating exemplary processing rules
`610–660 for providing desired service policies to subscribers. Ex. 1004,
`8:24–25, 23:1. A classifier for a security policy is chosen to include data
`required for identifying flows. Id. at 23:1–3. Dr. Jakobsson testifies that
`rule 610 shown in Figure 6A of Nortel illustrates that a data flow with the
`classifier specified by a source or destination address in the SRC and DST
`columns, and transmitted using a specified service in the SVC column, is
`processed by the corresponding action in the ACTION column, which is
`shown in Figure 6A as an encryption function. Ex. 1003 ¶¶ 84–85 (citing
`Ex. 1004, Fig. 6A, 15:4–6, 23:3–6). Dr. Jakobsson testifies that security
`functions were well-known in the art to be provided by software
`applications. Ex. 1003 ¶ 83. Dr. Jakobsson further testifies that Nortel
`
`
`
`11
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`discloses each processor group is configured to process data in accordance
`with the processing rules. Ex. 1003 ¶¶ 80, 85.
`Petitioner contends that “it would have been obvious to a POSA that
`Nortel’s processing rules comprise applications,” because a person of
`ordinary skill would have understood the term “application” to include any
`software or instructions, other than the operating system, used to perform
`specific functions on a computer, such as Nortel’s processing rules for
`performing desired security functions to specified data flows. Pet. 35–36
`(citing Ex. 1012, 4; Ex. 1013, 4; Ex. 1014, 4; Ex. 1003 ¶¶ 149–154). Dr.
`Jakobsson testifies that a person of ordinary skill in the art would have
`understood each processing rule in Figure 6A of Nortel comprises software
`instructions to perform specific functions, such as the corresponding
`associated action in the ACTION column for each rule, on data that matches
`the identified source, destination, and service classifiers. Ex. 1003 ¶ 154
`(citing Ex. 1004, 23:3–6. Dr. Jakobsson testifies that a person of ordinary
`skill in the art “would have had a reasonable expectation of success in
`implementing Nortel’s security-related processing rules as applications,”
`because using generic computer processors with well-known security
`applications would successfully provide the security functionalities of
`Nortel. Id. ¶ 155 (citing Ex. 1012 6). Dr. Jakobsson testifies that a person
`of ordinary skill in the art “would have had a reasonable expectation that
`security applications that were known in the art could readily and
`successfully be used to provide the security functionalities disclosed in
`Nortel.” Id.
`We credit Dr. Jakobsson’s testimony, which is supported by evidence
`cited above, and determine the Petition and supporting evidence show that a
`
`
`
`12
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`person of ordinary skill in the art would have understood Nortel’s processing
`rules comprise software instructions to perform specific functions, and that a
`person of ordinary skill would have considered software instructions to
`perform specific functions to be applications. We rely on Nortel’s teaching
`of a processor group configured with processing rules to provide service
`policies such as security functions, and Dr. Jakobsson’s testimony and his
`supporting evidence that a person of ordinary skill in the art would have
`understood that security functions are provided by software applications, to
`determine that Nortel and the knowledge of a person of ordinary skill in the
`art teaches “a plurality of application processing hardware modules, each
`configured with an application for processing data packets” as recited in
`claim 1 and the corresponding limitation of 13. Ex. 1004, 3:5–9, 23:1–29,
`Fig. 6A; Ex. 1003 ¶¶ 80–85 (citing Ex. 1004, 3:5–9, 9:12–14, 9:16–19,
`14:28–15:2, 15:4–6, 23:3–6, Fig. 6A; Ex. 1012, 4, 6; Ex. 1013, 4).
`Claim 1 recites “a subscriber profile for identifying data packets
`associated with the subscriber profile in a stream of data packets.” Claim 13
`recites a similar limitation. Petitioner contends this limitation is taught by
`Nortel, in view of the knowledge of a person of ordinary skill in the art, in
`light of Nortel’s teaching of classifiers to associate incoming data packets
`with a subscriber. Pet. 25–26 (citing Ex. 1003 ¶¶ 87–88), 31–32. Petitioner,
`relying on testimony of Dr. Jakobsson, contends that Nortel’s classifiers are
`stored in a profile using a content addressable memory (“CAM”) having a
`search field to store data identifying a subscriber, and a mask field storing a
`mask specifying individual bit positions to be examined in incoming data.
`Id. at 26 (citing Ex. 1003 ¶¶ 89–91). In particular, Petitioner contends that
`Nortel discloses storing a destination address in the CAM in order to identify
`
`
`
`13
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`data packets for a subscriber assigned to the destination address. Id. (citing
`Ex. 1004, 27:12–25, 28:12–32; Ex. 1003 ¶¶ 89 (“The CAM has a search
`field, which stores data identifying a subscriber.”), 90 (“For example, in the
`case of IP protocol packets . . . , Nortel discloses . . . Destination IP address
`of the received packet = IP address assigned to the specific subscriber.”)).
`Patent Owner contends that Nortel does not teach the claimed
`subscriber profile, because, according to Patent Owner, Nortel makes clear
`that its classifiers are not stored in a profile using a CAM. PO Resp. 34–37
`(citing Ex. 1004, 3:23–25, 17:28–18:4, 26:4–7, 26:10–11, 27:12–22, 28:28–
`31, 31:10–13; Ex. 2006 ¶¶ 75–77); PO Sur-Reply 7–10 (citing, inter alia,
`Ex. 1004, Fig. 6A, 23:3–5; Ex. 2006 ¶ 63). Patent Owner contends that
`Nortel’s “CAM may be used to identify incoming data packets; however,
`Nortel does not state that the CAM implements classifiers or processing
`rules.” PO Resp. 37; see id. at 37–39. According to Patent Owner, Nortel
`distinguishes between information stored in the CAM search fields and the
`classifier stored in the processing rules. Id. at 38 (citing Ex. 2006 ¶ 86).
`Patent Owner contends that Nortel describes a classifier as a specific
`collection of information, including data flows and conditions, and that the
`conditions are not stored in the CAM. Id. at 37–39.
`Nortel discloses storing source and destination IP addresses in the
`classifiers (Ex. 1004, Fig. 6A, 23:1–10) as well as in the CAM (Ex. 1004,
`28:10–11, 30:25–26, 32:13–18, 33:7). Even were we to accept Patent
`Owner’s contention that Nortel’s classifier includes conditions that are not
`stored in the CAM, we agree with Petitioner and Dr. Jakobsson that Nortel
`discloses storing an IP address assigned to a specific subscriber in the CAM
`in order to identify data packets having a matching destination IP address.
`
`
`
`14
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`Pet. 26 (citing Ex. 1004, 27:12–25, 28:12–32; Ex. 1003 ¶¶ 89 (“The CAM
`has a search field, which stores data identifying a subscriber.”), 90 (“For
`example, in the case of IP protocol packets . . . , Nortel discloses . . .
`Destination IP address of the received packet = IP address assigned to the
`specific subscriber.”)). Storing an IP address assigned to a specific
`subscriber in the CAM in order to identify data packets having a matching
`destination IP address is sufficient to meet the claim language “a subscriber
`profile for identifying data packets associated with the subscriber profile in a
`stream of data packets.”
`Patent Owner contends that we should reject Dr. Jakobsson’s
`testimony because, according to Patent Owner, Dr. Jakobsson’s testimony
`that a classifier portion of a service policy would be implemented in a CAM
`is unsupported by Nortel. PO Resp. 39–42. Patent Owner relies on
`testimony from both Dr. Jakobsson and Dr. Chatterjee to support the
`contention that Nortel’s processing rules, including the classifier and service
`policy, are configured in the processor groups of Nortel’s packet service
`cards, not in the CAM. Id. at 40–41 (citing Ex. 2007 108:11–15, 119:22–
`120:6; Ex. 2006 ¶¶ 90–96). Petitioner contends that Dr. Jakobsson provides
`facts, data, and analysis to support his opinions. Pet. Reply 25–27. We
`agree with Petitioner. Dr. Jakobsson’s testimony that the CAM stores a
`destination IP address to identify a subscriber is supported by the cited
`portions of Nortel. Ex. 1003 ¶¶ 89–91 (citing Ex. 1004, 27:12–25, 28:12–
`27, 28:31–32).
`We rely on Dr. Jakobsson’s testimony and supporting evidence and
`determine that the destination address stored in the CAM of Nortel, which
`“uniquely identifies the subscriber” as taught by Nortel (Ex. 1004, 27:28–
`
`
`
`15
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`29), teaches “a subscriber profile for identifying data packets associated with
`the subscriber profile in a stream of data packets” as recited in claims 1 and
`13.
`
`Claim 1 recites
`a network processing module for identifying one or more of the
`plurality of application processing modules for processing the
`identified data packets based on an association of the
`application configured on each application processing module
`with the subscriber profile and for transmitting the identified
`data packets in at least one of series and parallel to the
`identified application processing modules based on the security
`policy.
`Claim 13 recites a similar limitation. Petitioner contends these limitations
`are taught by Nortel’s teaching of a switch fabric including a CAM that
`identifies the subscriber of originating data packets as discussed above and
`also identifies processors for providing the subscriber’s desired service
`policies to the data packets, and that the switch fabric forwards the data
`packets to the identified processors. Pet. 27–29 (citing Ex. 1004, Abstract,
`3:10–14, 4:20–22, 4:32, 5:16–29, 9:9–11, 9:16–19, 9:29–31, 10:16–18,
`19:7–8, 19:12–20:3, 27:12–25, 28:5–32, Fig. 4; Ex. 1003 ¶¶ 94–95, 97–102),
`32–33.
`Patent Owner contends that Nortel discloses identifying a processor
`based on the specific subscriber to whom the received data relates, and not
`on an association between the application configured on the processor with
`the subscriber profile. PO Resp. 24 (citing Ex. 1004, 3:10–12). According
`to Patent Owner, the CAM of Nortel has no knowledge of the applications
`applied by the processors; therefore, the CAM could not identify a processor
`based on an association of the application configured on the processor with
`the subscriber profile. Id. at 24–26, 28–29 (citing Ex. 1004, 5:18–21, 26:22–
`16
`
`
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`24, 27:12–15, 27:18–22, Fig. 7B; Ex. 2006 ¶¶ 75–77); PO Sur-Reply 14–15
`(citing Ex. 1018, 23:10–21; Ex. 1004, 5:18–21).
`We disagree with Patent Owner. Nortel discloses assigning each
`subscriber to a processor group. Ex. 1004, 3:5–6. Nortel discloses
`forwarding received data to a specific processor group based on the specific
`subscriber related to the data, so that the “processor group may apply the
`processing rules related to the subscriber to provide the service policies
`desired by the subscriber.” Id. at 3:13–14. Nortel discloses determining the
`specific processor group to which the data is to be forwarded by examining
`the IP destination address located in the IP header. Id. at 5:4–10. Nortel
`discloses that the
`search field of each location [in CAM] may be configured to
`store the data identifying a subscriber [such as the IP
`destination address], and the output field may be configured to
`store data identifying a processor or group of processors
`capable of providing the desired service policies to the
`subscribers related to the CAM entry.
`Id. at 5:18–21; see id. at 30:25–26 (disclosing “the assignment of IP packets
`to processors based on the source or destination IP addresses”). In other
`words, associating an IP destination address that identifies a subscriber with
`a processor group that applies processing rules capable of providing the
`subscriber’s desired service policies meets the limitation “identifying one or
`more of the plurality of application processing modules for processing the
`identified data packets based on an association of the application configured
`on each application processing module with the subscriber profile” as recited
`in claim 1 and the corresponding recitation in claim 13.
`Patent Owner contends that the CAM’s identification of a processor in
`Nortel cannot be based on an association of the service policy configured on
`
`
`
`17
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`the processor with the subscriber profile, because Nortel explains that the
`service policy may not even be configured on the processor until after the
`data flow is received. PO Resp. 29. According to Patent Owner, processing
`rules may be generated dynamically when a subscriber is establishing a dial-
`up connection and an IP address is allocated to the subscriber. Id. (citing
`Ex. 1004, 15:19–31). Patent Owner contends that, in this case, when the
`CAM identifies the processor associated with the subscriber, the purported
`application to be applied by the processor may not even be configured on the
`processor. Id. at 29–30 (citing Ex. 1004, 15:32–16:2).
`Petitioner contends that Patent Owner’s argument is irrelevant,
`because Nortel discloses that some processing rules are constructed
`statically. Pet. Reply 8–9 (citing Ex. 1004, 4:2–3, 23:20–23). Petitioner
`contends that because Nortel teaches that this limitation is practiced at least
`some of the time, it is irrelevant that Nortel may also disclose other modes of
`operation. Id. at 9 (citing Unwired Planet, LLC v. Google Inc., 841 F.3d
`995, 1002 (Fed. Cir. 2016) (“[C]ombinations of prior art that sometimes
`meet the claim elements are sufficient to show obviousness.”)). We agree
`with Petitioner for the reasons given by Petitioner. In addition, contrary to
`Patent Owner’s contention, Nortel discloses that the portion of the
`processing rule that is generated dynamically when a user establishes a dial-
`up connection is allocating an IP address to the subscriber, not configuring
`an application on a processor. Ex. 1004, 15:19–25.
`Patent Owner contends that even if the identified processors provide
`the subscriber’s desired service policies, Petitioner does not contend that a
`service policy is an application. PO Resp. 25, 30–31 (citing Pet. 24). We
`disagree with Patent Owner for the reasons discussed above in our analysis
`
`
`
`18
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`of the “application processing hardware module” limitation. As we
`discussed above, we credit Dr. Jakobsson’s testimony and supporting
`evidence in determining that Nortel’s disclosure of a packet service card that
`is configured to implement processing rules to perform a specific function,
`such as security or encryption, teaches an “application processing hardware
`module[]” that is configured with an “application for processing data
`packets,” such as a security application or an encryption application, as
`recited in claim 1 and similarly recited in claim 13.
`Dr. Jakobsson testifies that the identification of a processor in Nortel
`is based on an association of the application configured on the processor
`with the subscriber profile, because the processor identified by the output
`field of the CAM is “capable of providing the desired service policies related
`to the CAM entry” in the search field (such as the IP destination address).
`Ex. 1003 ¶ 95 (citing Ex. 1004, 5:16–29, 27:12–25, 28:5–32). In particular,
`Dr. Jakobsson testifies that the CAM matches the destination address of
`incoming data with a particular subscriber’s destination address and
`identifies processors capable of providing the subscriber’s desired service
`policies based on the destination address. Ex. 1003 ¶¶ 90, 94–103 (citing
`Ex. 1004, Abstract, 3:10–14, 4:20–22, 4:32, 5:16–19, 9:9–11, 9:16–19,
`9:29–31, 10:16–18, 19:7–8, 19:15–20:3, 27:12–25, 28:5–32, Fig. 4).
`We credit Dr. Jakobsson’s testimony and supporting evidence in
`determining that Nortel’s disclosure of a CAM that identifies and forwards
`IP packets to a processor or group of processors capable of providing a
`subscriber’s desired service policies based on the subscriber’s destination
`address teaches “a network processing module for identifying one or more of
`the plurality of application processing modules for processing the identified
`
`
`
`19
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`data packets based on an association of the application configured on each
`application processing module with the subscriber profile” as recited in
`claim 1 and the similar limitation recited in claim 13. Ex. 1003 ¶¶ 90, 94–
`103; Ex. 1004, 3:5–14, 5:4–32, 26:4–7, 26:29–31, 27:12–31, 28:5–32,
`30:25–32, 31:14–24.
`Claim 13 recites “a security policy for determining a portion of the
`identified data packets to be processed by each of the applications.”
`Petitioner, relying on testimony of Dr. Jakobsson, contends Nortel teaches
`this limitation in teaching “a security policy (processing rule) for
`determining a portion (those matching the classifier) of the identified data
`packets (data packets identified by classifiers) to be processed by the
`applications (processor groups that apply the specified actions).” Pet. 32
`(citing Ex. 1003 ¶¶ 123–126). We credit Dr. Jakobsson’s testimony and
`supporting evidence and determine that Nortel in view of the knowledge of a
`person of ordinary skill in the art teaches this limitation.
`For the reasons given above, we determine that the Petition and
`supporting evidence show, by a preponderance of the evidence, that Nortel
`in view of the knowledge of a person of ordinary skill in the art would have
`rendered claims 1 and 13 obvious.
`Claim 9 recites “wherein transmitting the identified packets in series
`to the applications includes transmitting the identified data packets to be
`processed by a first application before being processed by a second
`application.” Claim 11 recites a similar limitation. Petitioner contends these
`limitations are taught by Nortel, in view of the knowledge of a person of
`ordinary skill in the art, based on Nortel’s teaching of forwarding data
`processed by one of the service cards to another packet service card. Pet.
`
`
`
`20
`
`
`
`IPR2018-00920
`Patent 9,525,696 B2
`
`29–31 (citing Ex. 1004, 21:1–7; Ex. 1003 ¶¶ 106–107). Petitioner also
`contends this limitation is taught by Nortel’s teaching of applying processing
`rules in an order to ensure predictable and desired service policies, where
`different processing rules are implemented by different applications. Id. at
`29–30 (citing Ex. 1004, 9:16–19, 17:6–8, 20:7–8, 22:22–25; Ex. 1003
`¶ 108). We determine that the Petition and supporting evidence show, by a
`preponderance of the evidence, that Nortel in view of the knowledge of a
`person of ordinary skill in the art teaches the additional limitations of claims
`9 and 11 and wo