Case 2:18-cv-00094-HCM-LRL Document 621 Filed 10/05/20 Page 1 of 178 PageID# 23887

IN THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF VIRGINIA
Norfolk Division

CENTRIPETAL NETWORKS, INC.,
Plaintiff,

v.

CISCO SYSTEMS, INC.,
Defendant.

Civil Action No. 2:18cv94

OPINION AND ORDER

After hearing the evidence presented by the parties during the trial on this matter, and considering the entire trial record before this Court, the Court enters the following findings of fact and conclusions of law pursuant to Federal Rule of Civil Procedure 52(a). Any item marked as a finding of fact which may also be interpreted as a conclusion of law is hereby adopted as such. Any item marked as a conclusion of law which may also be interpreted as a finding of fact is hereby adopted as such.

I. PROCEDURAL POSTURE¹

1. This patent trial concerns five United States patents involving complex issues in cybersecurity technology, heard by the Court without a jury.

2. The case began when Centripetal Networks, Inc. (“Centripetal”) filed a Complaint against Cisco Systems, Inc. (“Cisco”) for infringement of a number of Centripetal’s U.S. Patents on February 13, 2018. Doc. 1.

¹ All matters discussed in this Procedural Posture are procedural background and findings of fact.

3. On March 29, 2018, Centripetal filed an Amended Complaint, asserting infringement of U.S. Patent Nos. 9,566,077 (“the ‘077 Patent”), 9,413,722 (“the ‘722 Patent”), 9,160,713 (“the ‘713 Patent”), 9,124,552 (“the ‘552 Patent”), 9,565,213 (“the ‘213 Patent”), 9,674,148 (“the ‘148 Patent”), 9,686,193 (“the ‘193 Patent”), 9,203,806 (“the ‘806 Patent”), 9,137,205 (“the ‘205 Patent”), 9,917,856 (“the ‘856 Patent”), and 9,500,176 (“the ‘176 Patent”). Doc. 29.

4. Between July 12, 2018 and September 18, 2018, Cisco filed numerous petitions for inter partes review (“IPR”) before the Patent Trial and Appeal Board (“PTAB”) against nine (9) of the eleven (11) Centripetal patents originally asserted against Cisco, and filed a Motion to Stay Pending Resolution of IPR Proceedings. The Court granted the stay request on February 25, 2019. Doc. 58.

5. Upon the motion of Centripetal, on September 18, 2019, the Court issued an order lifting the stay in part with respect to patents and claims not currently subject to IPR proceedings and set the case for trial in April 2020. Doc. 68. The parties later waived a jury trial following the jury trial limitations resulting from the COVID-19 pandemic.

6. At trial, Centripetal asserted that Cisco infringes Claims 63 and 77 of the ‘205 Patent, Claims 9 and 17 of the ‘806 Patent, Claims 11 and 21 of the ‘176 Patent, Claims 18 and 19 of the ‘193 Patent and Claims 24 and 25 of the ‘856 Patent (the “Asserted Claims”). Doc. 411 (“Amended Final Pre-Trial Order”).

7. Of the claims not at issue for trial, the PTAB granted institution of IPR of all of the claims of the ‘552 Patent, the ‘713 Patent, the ‘213 Patent, the ‘148 Patent, the ‘077 Patent, and the ‘722 Patent and granted institution of IPR of claims of the ‘205 Patent that are not the subject of this bench trial. Doc. 411.

8. The PTAB has, thus far, invalidated all of the claims of the ‘552 Patent, the ‘713 Patent, the ‘213 Patent, the ‘148 Patent, and the ‘077 Patent and invalidated the unasserted claims of the ‘205 Patent. Centripetal has appealed or may be appealing the PTAB decisions regarding the ‘552 Patent, the ‘713 Patent, the ‘213 Patent, the ‘148 Patent, the ‘077 Patent, and unasserted claims of the ‘205 Patent. Doc. 411.

II. WITNESSES AT TRIAL

9. During the twenty-two-day bench trial, and at a later hearing on damages evidence, both parties were given the opportunity to present their evidence live through a video platform approved by the Eastern District of Virginia after the Court’s staff was instructed in its operation. Cisco objected to proceeding through a video platform, and also objected to using the platform utilized in favor of its own platform. In its order of April 23, 2020, the Court overruled Cisco’s objections for the reasons stated therein. In light of the use of the video platform, the parties implemented specific trial protocols that are detailed in Appendix B. See Appendix B; Doc. 411 (Amended Pre-Trial Order). At the conclusion of the 22nd day of trial, the parties joined in congratulating the Court’s staff for their handling of the trial evidence by means of the video platform.

10. Due to the complex nature of the technology at issue in the case, the Court requested that each party present a technology tutorial on the first day of trial. The Court has compiled a list of the abbreviations used in the testimony and documents throughout the trial and attached it as Appendix A. For Centripetal, Dr. Nenad Medvidovic presented the technology tutorial, and Dr. Kevin Almeroth presented the technology tutorial for Cisco.

11. Centripetal, in its case in chief, called a variety of live fact and expert witnesses including:

• Mr. Steven Rogers – Founder and CEO of Centripetal. Tr. 228:8;
• Dr. Sean Moore – Chief Technology Officer and Senior Vice President of Research at Centripetal. Tr. 301:24-25. Dr. Moore is an inventor on all of the asserted patents in this case. Tr. 314:25, 315:1-2;
• Dr. Michael Mitzenmacher – an independent expert witness in cybersecurity who presented opinion testimony that the accused products infringe the ‘193 Patent, the ‘806 Patent and the ‘205 Patent. Tr. 431:16-23;
• Dr. Eric Cole – an independent expert witness in cybersecurity who presented opinion testimony that the accused products infringe the ‘856 Patent and the ‘176 Patent. Tr. 886:9-11, 975:19-21;
• Dr. Nenad Medvidovic – an independent expert witness in cybersecurity who opined about the importance of the patent technology in relation to the accused products. Tr. 1144:22-25, 1145:1-2;
• Mr. Jonathan Rogers – Chief Operating Officer at Centripetal. Tr. 1194:11;
• Mr. Christopher Gibbs – Senior Vice President of Sales at Centripetal. Tr. 1297:1-2;
• Dr. Aaron Striegel – an independent expert witness in computer networking who opined regarding apportionment and the top-level infringing functions of the accused products. Tr. 1337:19-23;
• Mr. Lance Gunderson – an independent expert witness in patent damages who opined regarding damages and a reasonable royalty. Tr. 1441:2-14;
• Mr. James Malackowski – an independent expert witness in business, intellectual property valuation and patent licensing who opined regarding the impact of the asserted infringement on Centripetal and damages going forward. Tr. 1573:14-19.
`
12. Centripetal, additionally, presented testimony from Cisco employees by video deposition including:
• Mr. Saravanan Radhakrishnan;
• Mr. Rajagopal Venkatraman;
• Dr. David McGrew;
• Mr. Sunil Amin;
• Mr. Sandeep Agrawal.

13. Cisco, in its case in chief, called a variety of live fact and expert witnesses including:
• Mr. Michael Scheck – Senior Director of Incident Command at Cisco. Tr. 165:23-24;
• Dr. David McGrew – Cisco Fellow who was responsible for leading a research and development project at Cisco that became the Encrypted Traffic Analytics solution. Tr. 1759:10-12;
• Dr. Douglas Schmidt – an independent expert witness in networking and network security who opined regarding non-infringement, invalidity, and damages of the ‘856 Patent. Tr. 1813:4;
• Mr. Daniel Llewallyn – Software Engineer for Cisco who previously worked at Lancope. Tr. 2141:19;
• Dr. Kevin Almeroth – an independent expert witness in computer networks and network security who opined regarding non-infringement, invalidity and damages of the ‘176 Patent. Tr. 2212:12-18;
• Dr. Mark Crovella – an independent expert witness in networking and network security who opined regarding non-infringement, invalidity and damages of the ‘193 Patent. Tr. 2349:18-24;
• Mr. Hari Shankar – Principal Engineer and Software Architect at Cisco who is responsible for the design of certain features of the accused products. Tr. 2500:3-5;
• Mr. Peter Jones – Distinguished Engineer in the Enterprise Network Hardware Group at Cisco. Tr. 2543:12-17;
• Dr. Narasimha Reddy – an independent expert witness in computer networking and computer security who opined regarding non-infringement, invalidity and damages of the ‘806 Patent. Tr. 2580:6-10;
• Mr. Matt Watchinski – a Cisco employee responsible for Cisco’s Talos organization, which is Cisco’s threat intelligence organization. Mr. Watchinski previously worked for Sourcefire. Tr. 2682:11-13;
• Dr. Kevin Jeffay – an independent expert witness in computer networks and network security who opined regarding non-infringement and damages of the ‘205 Patent. Tr. 2727:11-19;
• Mr. Timothy Keanini – Distinguished Engineer at Cisco involved with the Stealthwatch product line. Tr. 2810:4-6;
• Mr. Karthik Subramanian – Partner at a venture capital firm called Evolution Equity Partners. Mr. Subramanian previously led Cisco’s Corporate Development Team for Cybersecurity for about four to four and a half years. Tr. 2827:23, 2828:17-18;
• Dr. Stephen Becker – an independent expert witness in economic damages analysis who opined regarding damages if the Court finds the Asserted Patents are infringed and valid. Tr. 2863:3-18.

14. Cisco, additionally, presented testimony from current and former Centripetal employees by video deposition including:
• Mr. Douglas DiSabello;
• Mr. Haig Colter;
• Dr. Sean Moore;
• Mr. Jess Parnell;
• Mr. Justin Rogers;
• Mr. Christopher Gibbs;
• Mr. Gregory Akers.

15. Centripetal, in its rebuttal validity case, called live expert witnesses:
• Dr. Alexander Orso – an independent expert witness in computer networking and security who opined regarding the validity of the ‘193 Patent and the ‘806 Patent. Tr. 2989:22-25;
• Dr. Trent Jaeger – an independent expert witness in computer and network security who opined regarding the validity of the ‘856 Patent and the ‘176 Patent. Tr. 3102:18-23;
• Dr. Aaron Striegel – an independent expert witness in computer networking who opined regarding secondary considerations of non-obviousness for the Asserted Patents. Tr. 3196:16-18.
`
16. Having had the opportunity to observe the demeanor and hear the live testimony of witnesses by video / audio and by deposition at trial, the Court has made certain credibility determinations, as well as determinations relating to the appropriate weight to accord the testimony. Such determinations are set forth herein where relevant.

III. TECHNOLOGY TUTORIAL

A. NETWORKING AND CYBERSECURITY TUTORIAL

The asserted patents in this case deal with systems that engage in complex computer networking security functions. Accordingly, the Court heard detailed technological testimony regarding the structure and function of computer networks in general, as well as the specific processes employed to secure these networks. The Court begins its factual findings by reciting a review of the presented technology tutorial.

i. Overview of Networking

The three principal devices that comprise computer networks are switches, routers and firewalls. Tr. 20:5-10. Beginning with switches, Centripetal’s expert Dr. Medvidovic used analogies to explain these complex network devices. He compared the operation of a switch to that of a telephone switchboard operator. Tr. 20:13-22. Just as an operator connects callers, switches in a network operate to automatically connect different devices together, such as a computer with another computer or a computer to a printer. Tr. 20:24-21:2; see Fig. 1.

FIG. 1

Comparatively, routers function similarly to a 911 dispatcher who sends and controls the distribution of emergency vehicles to the intended location. Tr. 22:9-19. Routers decide the optimal way to automatically send computing data to a desired location. Tr. 22:24-23:2. They are constantly evaluating current network traffic and sending data along the most efficient path to its intended destination. Tr. 23:8-14. The combination of routers and switches is the fundamental building block of computer networks. Tr. 23:17-23. Together, switches connect local devices into small networks and routers operate to transmit data between these smaller networks, thus forming larger networks. Tr. 26:1-4; see Fig. 2.

FIG. 2

The next and final relevant device in computer networks is the firewall. Firewalls, in the context of computer networking, are similar to a firewall in an office building or hotel. Tr. 24:13-19. They operate to automatically put a “wall” between valuable assets and any potential danger. Tr. 24:13-19. Therefore, data entering a network often passes through a firewall, and the firewall can perform a variety of functions, such as blocking the data so that it does not enter the network. Tr. 25:1-4; see Fig. 3.

FIG. 3

Dr. Medvidovic used video access to ESPN.com from a web server as an example of the operation of a firewall. He explained that:

any data you try to see or retrieve from the ESPN servers would be on that web server. And that data would travel to you, but before it gets to your computer, it would first go through this firewall, and the firewall may decide to permit that data to go through because it does not violate any policies or rules that you may have for the firewall. . . . So for example, it [the firewall] could be in a company where the company policy is you can’t watch sports during work hours. So in that case, that data from ESPN would be dropped at the firewall and never arrive to you.

Tr. 25:8-20. Accordingly, firewalls often sit at the edge of individual networks to control the entry of data from the internet. Tr. 26:1-12. As technology develops, firewall-type functionality is now often included inside other devices such as routers and switches. These devices may be located at different locations within a network, not just at the outside barrier. Tr. 82:8-18. This inclusion of firewall functionality in other devices is in contrast with older network technology, where firewalls were responsible for the security of the network by blocking malicious packets from entering it, while the routers and switches focused on speed and performance in transmitting data. Tr. 26:16-22.
`
The combination of thousands of these networking devices into larger and larger networks is responsible for the creation of nationwide networks and the global internet. Tr. 23:24-25, 24:1-3. Therefore, the global internet as we know it is a network of networks. Tr. 74:1-12. Internet providers, such as Earthlink, Verizon, AT&T, and Cox, are in the business of creating large-scale networks to connect users to other business networks in order to access data. Tr. 74:1-12, 76:10-19. Companies like Netflix, Facebook, Zoom, Google and Amazon operate their own independent networks that connect to the larger internet to send data across the internet to end users. Tr. 75:23-76:9; see Fig. 4.

FIG. 4

The international nature of the internet requires that the sending of data between all of these providers be based on uniformly developed standards that are globally applicable. Tr. 77:5-17. One such organization, the Internet Engineering Task Force (“IETF”), is responsible for developing universal internet-related standards. Tr. 77:5-17. There are many different standards that are developed to facilitate the transmission of data over the internet. Tr. 77:5-17. These standards are often in the form of protocols. Protocols are the rules of engagement for two computers that specify how the two computers can work together to communicate back and forth. Tr. 954:5-17. For example, the Hypertext Transfer Protocol (“HTTP”) is used by web pages to transfer data over the internet from computer to computer, the Internet Protocol (“IP”) is the building block that allows data to traverse interconnected networks, and the Transmission Control Protocol (“TCP”) is used to reliably deliver information across the internet. Tr. 77:23-78:2, 89:18-21. These protocols are the methods by which data transfer is possible over nationwide and global networks. Tr. 88:19-21. This is a general “high level” overview of these networking concepts. Internet professionals and “experts” use the term “high level” to categorize these basic concepts involved in the transmission of data electronically, as well as the imposition of security upon such transmissions.

Moving into the specifics, the transmission of computing data through these devices is done in the form of a network packet or packets. Tr. 26:23-25. A packet is similar to a package sent through the United States Postal Service. Tr. 26:24-27:3, 89:2-3. For example, when a user on their computer attempts to watch a video from ESPN.com, that video is a very large amount of information and cannot efficiently be sent in one package. It is, therefore, broken up into a number of smaller units known as packets. Tr. 27:3-14. The packets flow from the internet through multiple devices on the network and deliver the requested information to the end user. Tr. 88:1-14. At any time, there are trillions of packets being exchanged through global networks. Tr. 88:16-19.

Packets consist of two different parts: the header and the payload; see Fig. 5.

FIG. 5

The header contains information such as the source address, source port, destination address, destination port number, and the protocol being used to transmit the packets. Tr. 107:16-23. These five pieces of information are known as the “5-tuple.” Tr. 108:4. The information contained in the header is inspected by the router or switch to determine where and how to send that individual packet. Tr. 108:7-16. This information can be thought of as a mailing label on a package, which contains an individual’s name and mailing address as well as a return address. Tr. 27:24-25. The payload is the portion of the packet that contains the actual content of the data. This information is similar to the contents of a postal package, such as a new football or baseball glove. In the ESPN video hypothetical, this would be the actual portion of the video sent by each individual packet. Tr. 28:4-10. The data in the payload part of the packet can be encrypted, meaning the information in the payload is transmitted in an enciphered form that cannot be read without the key. Tr. 28:18-25. For example, the hypothetical video from ESPN.com would not usually be encrypted, but data sent in a packet’s payload containing sensitive information, such as banking or credit card data, often will be encrypted. Encryption becomes vital so that this sensitive data is not stolen by bad actors hacking the network. Tr. 28:18-25. Encryption works to lock up the data in the payload section of the packet so it cannot be seen without decryption. Tr. 29:1-5. Consequently, just as with a sealed package, snoopers of network traffic would be unable to see what is in the packet unless it could be unlocked and opened, which is generally known as decrypting the data. But, even when a packet’s payload is encrypted, the header information, such as the source and destination, is not encrypted and remains visible. Tr. 29:10-16; see Fig. 6.

FIG. 6

As previously noted, the hypothetical ESPN video is sent as a collection of packets that together comprise the video. The collection of all the packets that make up the transmitted video is known as a packet flow. Tr. 106:15-16. Thus, the header of each packet in this particular flow would contain identifying information that distinguishes this collection of packets from other flows. Tr. 107:16-13. This allows network devices to associate each packet with its flow and deliver the packets to the correct destination, where the receiver reassembles them in order.
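The header/payload split, the 5-tuple, and the grouping of packets into flows described above, as an added worked example that is not part of the opinion, the trial record, or any party's product: a minimal IPv4/TCP parser that reads the 5-tuple from the header without inspecting the payload, then groups constructed sample packets into flows keyed by that tuple. The packet builder, the addresses (RFC 5737 documentation ranges) and the payload contents are all constructed for illustration; the "encrypted" connection's payload is simply opaque bytes standing in for ciphertext.

```python
"""Read the 5-tuple from raw IPv4 packets and group packets into flows.

Added example: the packet builder, addresses and payloads below are constructed
for illustration (RFC 5737 documentation ranges); nothing here is taken from the
trial record or from any party's product.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address
from typing import Dict, List, NamedTuple

TCP, UDP = 6, 17  # IP protocol numbers


class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int


def build_packet(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                 payload: bytes, protocol: int = TCP) -> bytes:
    """Construct a minimal IPv4 + TCP/UDP packet (checksums left zero; for the example only)."""
    l4_len = 20 if protocol == TCP else 8
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + l4_len + len(payload), 0, 0, 64, protocol, 0,
        IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed,
    )
    if protocol == TCP:
        # ports, seq, ack, data offset (5 words), flags (PSH|ACK), window, checksum, urgent
        l4_header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4_header = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    return ip_header + l4_header + payload


def parse_five_tuple(packet: bytes) -> FiveTuple:
    """Read only the header fields a router or firewall needs; the payload is never inspected."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # IP header length, in bytes
    protocol = packet[9]
    src_ip = str(IPv4Address(packet[12:16]))
    dst_ip = str(IPv4Address(packet[16:20]))
    if protocol not in (TCP, UDP):
        return FiveTuple(src_ip, 0, dst_ip, 0, protocol)   # e.g. ICMP carries no ports
    if len(packet) < ihl + 4:
        raise ValueError("truncated transport header")
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return FiveTuple(src_ip, src_port, dst_ip, dst_port, protocol)


def payload_of(packet: bytes) -> bytes:
    """Return the payload: for an encrypted connection these are opaque bytes, while the 5-tuple stays readable."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] == TCP:
        data_offset = (packet[ihl + 12] >> 4) * 4   # TCP header length from the data-offset field
        return packet[ihl + data_offset:]
    if packet[9] == UDP:
        return packet[ihl + 8:]
    return packet[ihl:]


def group_flows(packets: List[bytes]) -> Dict[FiveTuple, List[int]]:
    """Group packet indices by 5-tuple: every packet of one download shares a tuple, so it lands in one flow."""
    flows: Dict[FiveTuple, List[int]] = defaultdict(list)
    for index, packet in enumerate(packets):
        flows[parse_five_tuple(packet)].append(index)
    return dict(flows)


# Constructed sample: a plaintext "video" split into chunks, plus one connection whose payload is
# opaque (fixed bytes standing in for a TLS record).
VIDEO_CHUNKS = [b"frame-%d" % i for i in range(4)]
SAMPLE_PACKETS = [build_packet("192.0.2.10", 51234, "198.51.100.20", 80, chunk) for chunk in VIDEO_CHUNKS]
SAMPLE_PACKETS.append(build_packet("192.0.2.10", 51235, "198.51.100.30", 443, b"\x17\x03\x03\x00\x20" + b"\xa5" * 32))

if __name__ == "__main__":
    for tup, indices in group_flows(SAMPLE_PACKETS).items():
        print(f"flow {tup}: packets {indices}")
    print("visible header:", parse_five_tuple(SAMPLE_PACKETS[-1]), "opaque payload:", payload_of(SAMPLE_PACKETS[-1])[:8])
```

Running the block prints two flows: the four video chunks share one 5-tuple and so form one flow, and the second connection forms another; for that connection the header fields are read in full even though the payload is unreadable, which is exactly the property the tutorial describes.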
ii. Overview of Networking Security

As explained supra, the internet is a very large and complex organization of networks that utilize protocols to relay data from one network device to another, resulting in the transmission of data to an end user. Tr. 112:1-6. As a result of the internet’s complexity, there are many methods employed by cyber criminals to transmit malware and gain access to encrypted, secure and confidential information. Tr. 112:7-14. Cyber criminals can use malware or other methods to infect a network and steal data using a process known as exfiltration. Tr. 343:19-15. Exfiltration is the process by which cyber criminals move stolen, valuable confidential data out of a network. Tr. 343:19-15.² Therefore, to prevent malware and data exfiltration, cyber defense systems often use a concept known as defense-in-depth, the deployment of a variety of network security devices at different layers of the network, to protect sensitive network data. Cisco’s expert, Dr. Almeroth, compared network defense-in-depth to the security used by a federal courthouse, which contains a series of secured entry points to the building, a courtroom or a judge’s chambers. Tr. 112:18-22. Consequently, just like any type of modern security system, there must be different layers of security in a network to be effective in preventing evolving methods of cyberattacks. Tr. 113:3-10, 51:17-21. Therefore, to maximize effectiveness, security measures are often placed at different devices/locations in a network, such as within a firewall, a security gateway, in routers and switches, and also within the end user’s computer. Tr. 113:11-18. Dr. Almeroth outlined that there are multiple approaches used by cybersecurity professionals to effectively develop defense-in-depth security systems. Tr. 117:22-24. Two of the relevant approaches, for purposes of this trial, are known as detect-and-block through “inline” analysis, and “out-of-band” analysis, also known as allow-and-detect. Tr. 118:2-7. These approaches can be used individually or combined to create different styles of network security based on the needs of network administrators.

² Typically, this sensitive data consists of usernames and passwords to your bank accounts, Social Security Numbers, credit card numbers, or confidential financial data of a business. Tr. 444:4-8.

Older security technology focused on a firewall at the border of the network to detect and block malicious packets from entering a network. Tr. 118:8-119:25. The process begins when a packet is sent from the internet to another smaller network. A firewall device, usually located at the entry of the network, operates by inspecting information in the packet to determine if that packet is malicious. Tr. 119:18-25. This process is completed by matching information from the header or payload of the packet to rules that are pre-configured in the firewall-type device. Tr. 119:18-25. These rules are comprised of previously known information about sources of malicious or otherwise unauthorized traffic. Tr. 122:11. Thus, if information from a packet header is matched to a rule, then the packet is unauthorized to enter the network and is blocked / dropped.³ Tr. 120:6-12. A blocked packet is discarded, or could be re-routed to another location for additional inspection. Tr. 120:15-18. If there is no rule that matches the packet, the packet is allowed to proceed into the network and to its final destination. Tr. 120:2-5.
`
Rules are the mechanism that determines which packets are allowed in and out of the network. The collection of rules that are being applied by network devices can also be referred to as Access Control Lists (“ACLs”). Tr. 537:18-21, 2550:1-4. Threats are continually evolving, and as a result, rules can be automatically updated or swapped in switches, routers and firewalls by other management devices in the network that intake “threat intelligence” information. Tr. 126:5-11. Threat intelligence information is an ever-changing collection of information about known viruses and malware that is compiled by third-party providers. Tr. 126:5-11. Devices that manage switches, routers and firewalls often operate by digesting threat intelligence, converting that intelligence into rules, and sending those rules out to intra-network devices such as firewalls, routers and switches that match rules to packets. Tr. 126:5-11. The ability to apply new or different rules in real time, even after a packet has cleared the gatekeeping firewall, is called proactive security, which is a newer and more effective technology.
`
This process of proactively blocking packets as they travel through the network comes with distinct challenges. The efficacy of this method rests on the ability of network devices to continually apply new or different rules to packets. Therefore, as the volume of packets and rules increases, so must the number of devices or the processing speed of current devices to remain effective. Tr. 124:6-19. Without increased speed or additional hardware, there will be extensive delay/latency because the system will be overwhelmed trying to match new or different rules to an overwhelming number of packets. Consequently, this delay can affect user performance on the network (i.e., increase web page loading times). Tr. 126:20-24. Another issue is that a network might have different entry points or destination points for data. Tr. 127:5-8. Therefore, firewall-capable devices must be placed at all possible entry and destination points, or risk that data could reach an improper destination without the application of updated rules. Tr. 127:5-8.

³ Dropping and blocking can be used interchangeably as they have the same definition in the context of cybersecurity. Tr. 466:23-467:4.
`
The older allow-and-detect model operates retroactively by monitoring the entry of packets into the network based upon prior threats to the network. Tr. 129:2-11. The flows are monitored by sensors in network devices and sent to another management device for review. Tr. 132:13-19. When malicious traffic is found, the devices can operate retrospectively and update rules based upon information found in the forensic investigation. Tr. 133:2. Instead of blocking traffic at the gate, this method allows traffic to go through to its destination and then performs post facto analysis on the flow information in the packet headers to determine if there was malicious activity afoot. Tr. 133:24-134:2. The challenges of this model include the lack of the ability to be proactive. It is different from an inline intrusion prevention system because malicious packets are still allowed into the network and then passed on to the destination without blocking. Tr. 141:11-14.

Both approaches may be combined in different ways to create a defense-in-depth strategy. Tr. 144:5-11. Network administrators can use different combinations of these devices and methods to achieve optimal security personalized for their network. Tr. 144:5-11.
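The rule matching, the conversion of threat intelligence into rules, and the contrast between inline detect-and-block and out-of-band allow-and-detect described in the preceding paragraphs, as an added worked example that is not part of the opinion, the trial record, or any party's product: an ordered ACL evaluated over packet 5-tuples, a feed of (CIDR, description) indicators turned into drop rules and swapped into the ACL, and the same traffic run through an inline filter (which drops) and an out-of-band monitor (which forwards everything and only alerts). The rule shape, the threat-intelligence feed and the sample packets are constructed for illustration using RFC 5737 documentation addresses.

```python
"""Firewall rule (ACL) matching over packet 5-tuples: inline detect-and-block versus
out-of-band allow-and-detect, with rules swapped in from threat intelligence.

Added example: the rules, the threat-intelligence feed and the packets are constructed for
illustration (RFC 5737 documentation addresses); none of this is any party's product or code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# (src_ip, src_port, dst_ip, dst_port, protocol): exactly the header fields a device reads
FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class Rule:
    action: str                         # "drop" or "allow"
    src: Optional[IPv4Network] = None   # None means "any"
    dst: Optional[IPv4Network] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    note: str = ""

    def matches(self, pkt: FiveTuple) -> bool:
        src_ip, _, dst_ip, dst_port, proto = pkt
        return ((self.src is None or ip_address(src_ip) in self.src)
                and (self.dst is None or ip_address(dst_ip) in self.dst)
                and (self.dst_port is None or self.dst_port == dst_port)
                and (self.protocol is None or self.protocol == proto))


class Acl:
    """Ordered rule list. First match wins; a packet matching no rule is allowed, as in the tutorial."""

    def __init__(self, rules: Iterable[Rule] = ()):
        self.rules: List[Rule] = list(rules)

    def decide(self, pkt: FiveTuple) -> Tuple[str, Optional[Rule]]:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule
        return "allow", None

    def swap(self, rules: Iterable[Rule]) -> None:
        """Replace the whole rule set at once, as a management device pushing updated rules would."""
        self.rules = list(rules)


def rules_from_threat_intel(indicators: Iterable[Tuple[str, str]]) -> List[Rule]:
    """Turn a feed of (CIDR, description) indicators into drop rules for traffic from and to each range."""
    rules = []
    for cidr, description in indicators:
        net = ip_network(cidr)
        rules.append(Rule("drop", src=net, note=f"inbound from {description}"))
        rules.append(Rule("drop", dst=net, note=f"outbound to {description}"))
    return rules


def inline_filter(acl: Acl, packets: Iterable[FiveTuple]):
    """Detect-and-block: each packet is matched before forwarding; a dropped packet never reaches its destination."""
    forwarded, dropped = [], []
    for pkt in packets:
        action, rule = acl.decide(pkt)
        (dropped if action == "drop" else forwarded).append((pkt, rule))
    return forwarded, dropped


def out_of_band_monitor(acl: Acl, packets: Iterable[FiveTuple]):
    """Allow-and-detect: everything is forwarded; the same rules run afterwards over a copy and only raise alerts."""
    packets = list(packets)
    alerts = []
    for pkt in packets:
        action, rule = acl.decide(pkt)
        if action == "drop":
            alerts.append((pkt, rule.note))
    return packets, alerts


# Constructed traffic: a benign web request, an inbound connection from a range later reported as
# malicious, and an outbound connection (possible exfiltration) to a host in that same range.
SAMPLE_PACKETS: List[FiveTuple] = [
    ("192.0.2.10", 51234, "198.51.100.20", 443, "tcp"),
    ("203.0.113.7", 4444, "192.0.2.10", 445, "tcp"),
    ("192.0.2.10", 53000, "203.0.113.200", 8080, "tcp"),
]
THREAT_INTEL = [("203.0.113.0/24", "range flagged by a (constructed) threat-intelligence feed")]


def demo() -> Tuple[int, int, int, int]:
    """Returns (dropped before the feed, dropped after the feed, forwarded out-of-band, out-of-band alerts)."""
    acl = Acl([Rule("drop", dst_port=23, protocol="tcp", note="policy: no telnet")])
    _, dropped_before = inline_filter(acl, SAMPLE_PACKETS)
    acl.swap(acl.rules + rules_from_threat_intel(THREAT_INTEL))   # new intelligence becomes new rules
    _, dropped_after = inline_filter(acl, SAMPLE_PACKETS)
    forwarded, alerts = out_of_band_monitor(acl, SAMPLE_PACKETS)
    return len(dropped_before), len(dropped_after), len(forwarded), len(alerts)


if __name__ == "__main__":
    print(demo())   # the same two packets are dropped inline but merely alerted on out-of-band
```

Before the feed is applied nothing matches and all three packets pass; after the swap the inline filter drops the inbound connection from the flagged range and the outbound connection to it, while the out-of-band monitor forwards all three and raises two alerts for the same packets. That difference in outcome for identical rules is the distinction between the two approaches drawn above.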

B. OVERVIEW OF THE ACCUSED PRODUCTS

In this case, Centripetal accuses various Cisco network devices of using its new solutions and infringing the Asserted Patents. The Court will provide a brief summary of these products.

i. Cisco’s Switches

The switches at issue in the case are the Catalyst 9000 series (“Catalyst Switches”), including the Catalyst 9300, 9400 and 9500. Tr. 53:20-23. This newer line of switches contains functionality utilized by Cisco to integrate proactive security capabilities within the network. Tr. 54:1-3.

ii. Cisco’s Routers

There are three different types of routers at issue. These routers are the 1000 series Aggregation Services Router (“ASR”) and the 1000 / 4000 series Integrated Services Router (“ISR”). Tr. 54:22-25, 55:1-2. Their purpose in the network is to provide performance and reliability, and to integrate proactive security functionality within networks. Tr. 55:7-10. Like the switches, the routers contain functionality utilized by Cisco to integrate proactive security capabilities within the network.

iii. Cisco’s Digital Network Architecture

Cisco’s Digital Network Architecture (“DNA”) operates as a network management device. Tr. 55:17-21. It operates to configure and troubleshoot problems in the network. Tr. 55:17-21. Therefore, its primary function is to interact with and operate routers and switches. Tr. 55:17-21, 147:19-21. DNA may continually provision the routers and switches so they are capable of being used effectively in the operation of the network. Tr. 56:1-7. The DNA device uses advanced artificial intelligence and machine learning to observe past traffic on the network and has the capability to change configuration in the network in real time. Tr. 57:20-25. Accordingly, DNA takes that intelligence, operationalizes it, and turns it into rules and policies that Cisco’s switches and routers use for security purposes. Tr. 451:3-24.
`
iv. Cisco’s Stealthwatch

The new and improved Stealthwatch device currently provides the ability to collect various security analytics and use them to predict network threats. Tr. 59:1-7. Stealthwatch is now enabled to work with other Cisco technologies, such as Cognitive Threat Analytics (“CTA”) and Encrypted Traffic Analytics (“ETA”). Tr. 59:10-15.

v. Cognitive Threat Analytics

Cognitive Threat Analytics (“CTA”) has various features for monitoring the network. For example, CTA monitors for security breaches within the network by using machine learning. Tr. 60:17-23. CTA is embedded in the Stealthwatch device. Tr. 60:21-23.

vi. Identity Services Engine

The Identity Services Engine (“ISE”) is a device that controls user access to the network from any location. Tr. 61:10-16. It provides network-based security regardless of the location of the user. Tr. 61:10-16. It is also responsible for tracking the identity of users and user computers on a network and for setting the limits of user and user computer access to other devices in the network. Tr. 149:20-23.

vii. Encrypted Traffic Analytics

Encrypted Traffic Analytics (“ETA”) is an element of the new Stealthwatch technology and also is embedded i