Opinion
Case No. 17-cv-04414-JST
04-10-2019
SYMANTEC CORPORATION, et al., Plaintiffs, v. ZSCALER, INC., Defendant.
CLAIM CONSTRUCTION ORDER
Re: ECF Nos. 145, 157, 159, 160, 161, 162, 172, 174, 175
In this patent infringement case, the parties now propose competing constructions of three terms from Symantec's patent, U.S. Patent No. 8,402,540 ("the '540 Patent"). ECF Nos. 145, 157, 160. The Court will construe the terms as set forth below.
I. BACKGROUND
This is a patent infringement case between two computer network security software companies. ECF No. 84 ¶ 20. Symantec alleges that Zscaler's cloud-based security platform, including its "ZEN" component, infringes Symantec's patents. Id. ¶ 21.
The Court previously granted Zscaler's motion to dismiss U.S. Patent No. 7,507,488 ("the '488 patent") as ineligible for patent protection, ECF No. 169, and so need not construe the disputed terms in that patent. Likewise, because the Court has dismissed all Symantec's claims pursuant to the 6,285,658 ("the '658 patent"), 7,360,249 ("the '249 patent"), and 9,525,696 ("the '696 patent") with prejudice, pursuant to the stipulation of the parties, ECF No. 151, the Court need not address the disputed terms from those patents.
Symantec's complaint describes the '540 patent's invention as "a virtualized network security system (VNSS) that provides security policies to data flows received at the VNSS, as well as methods for securing a plurality of virtual networks with a VNSS and configuring virtual network security in a VNSS." ECF No. 84 ¶ 159. According to Symantec, "the virtualized nature of the '540 Patent's security system allows the VNSS to provide a logical arrangement of security policies without having to physically separate the data flow as was required by prior art systems relying on multiple disparate components to provide security." Id. ¶ 160 (citing '540 Patent 21:49-52). The parties now ask the Court to construe three terms from the '540 patent: "virtualized network security system" ("VNSS"), "subscriber profile data," and "plurality of flow processors"/"plurality of flow processing facilities." ECF Nos. 157 at 6-16; 160 at 6-12; 175. Symantec argues that Zscaler's cloud security platform infringes at least Claim 13 of the '540 patent, ECF No. 84 ¶¶ 172-73, which contains all three terms in dispute.
II. MOTION TO SEAL
Symantec moves to seal portions of its reply claim construction brief, ECF No. 160, as well as Exhibit 16 to the declaration of Morgan E. Grissum in support of that brief, ECF No. 160-4. ECF No. 159. It does so because these documents contain information Zscaler designated as confidential under the parties' protective order. Id. at 2. In its supporting declaration, Zscaler clarifies that it does not seek to seal Exhibit 16 in its entirety, ECF No. 161-1 at 2, and instead provides proposed redactions to that exhibit, ECF No. 161-2. Zscaler also does not seek to seal any portion of Symantec's reply brief. ECF No. 161-1 at 2.
A party seeking to seal a document filed with the court generally must (1) comply with Civil Local Rule 79-5; and (2) rebut the "strong presumption in favor of access" that applies to all documents other than grand jury transcripts and pre-indictment warrant materials. Kamakana v. City & Cty. of Honolulu, 447 F.3d 1172, 1178 (9th Cir. 2006) (citation and internal quotations omitted).
With respect to the first prong, Local Rule 79-5 requires, as a threshold, a request that (1) "establishes that the document, or portions thereof, are privileged, protectable as a trade secret or otherwise entitled to protection under the law"; and (2) is "narrowly tailored to seek sealing only of sealable material." Civil L.R. 79-5(b). An administrative motion to seal must also fulfill the requirements of Civil Local Rule 79-5(d). "Reference to a stipulation or protective order that allows a party to designate certain documents as confidential is not sufficient to establish that a document, or portions thereof, are sealable." Civil L.R. 79-5(d)(1)(A).
Because the briefing here is non-dispositive, the "good cause" standard applies as to the second prong. Ctr. for Auto Safety v. Chrysler Grp., LLC, 809 F.3d 1092, 1097 (9th Cir. 2016); see also Kamakana, 447 F.3d at 1179 ("[T]he public has less of a need for access to court records attached only to non-dispositive motions because those documents are often unrelated, or only tangentially related, to the underlying cause of action."). The "good cause" standard requires a "particularized showing" that "specific prejudice or harm will result" if the information is disclosed. Phillips ex rel. Estates of Byrd v. Gen. Motors Corp., 307 F.3d 1206, 1210-11 (9th Cir. 2002) (internal quotation marks omitted); see also Fed. R. Civ. P. 26(c). "Broad allegations of harm, unsubstantiated by specific examples of articulated reasoning" will not suffice. Beckman Indus., Inc. v. Int'l Ins. Co., 966 F.2d 470, 476 (9th Cir. 1992). A district court must "articulate [the] . . . reasoning or findings underlying its decision to seal." Apple Inc. v. Psystar Corp., 658 F.3d 1150, 1162 (9th Cir. 2011), cert. denied, 132 S. Ct. 2374 (2012).
Exhibit 16 is an internal Zscaler email chain. Id. at 3. The material Zscaler seeks to have redacted is confidential information concerning "concerning the operation of Zscaler's products and services, its understanding of technical challenges facing the network security industry, and its understanding of how [a named inventor of one of the asserted patents] had addressed those problems." Id. The Court grants the motion to seal these excerpts. The sealing request is narrowly tailored and necessary to protect Zscaler's confidential business information. See Nixon v. Warner Commc'ns, Inc., 435 U.S. 589, 598 (1978) (noting with approval that courts often seal "sources of business information that might harm a litigant's competitive standing").
The Court concludes good cause exists to justify the sealing of the excerpts specified above. "[T]he document[s] filed under seal will remain under seal and the public will have access only to the redacted version, if any, accompanying the motion." Civil L.R. 79-5(f)(1). A redacted version of Exhibit 16 is available to the public at ECF No. 161-2.
III. OBJECTIONS
First, Zscaler objects to Exhibit 19 of Symantec's reply brief as untimely submitted. ECF No. 162. Symantec refers to this exhibit only in support of its preferred construction of the term "dynamically determining" in the '488 patent. ECF No. 160 at 16. Because that patent has been dismissed under section 101, ECF No. 169, the objection is overruled as moot.
Second, Symantec objects to what it characterizes as "Zscaler's eleventh-hour abandonment of its proposed constructions and intent to argue new, previously undisclosed constructions" at the hearing on this motion. ECF No. 172 at 1. In the course of an email conversation focused on the exchange of slides in preparation for the hearing, Zscaler proposed new constructions for possible stipulation. ECF No. 172-1 at 3, 5. The parties reached agreement for the terms "virtual network" and "security policy," and the Court adopts their jointly proposed constructions below. ECF Nos. 172 at 2; 174 at 1; 175. Zscaler's other proffered compromise constructions - with regard to the terms "virtualized network security system ('VNSS')" and "plurality of flow processors / plurality of flow processing facilities" - are more in line with the constructions proposed by Symantec than were the constructions advanced by Zscaler in its briefing. See ECF No. 172 at 3. Zscaler has essentially conceded in part to the Court's adoption of the constructions Symantec requests, bringing the parties' competing constructions closer together and thereby narrowing the issues in dispute. ECF No. 174 at 1.
Nonetheless, Symantec argues that it is prejudiced by Zscaler's disclosure of new constructions after the conclusion of the meet-and-confer process contemplated by Patent Local Rules 4-1 and 4-2. ECF No. 172 at 1-2. But as Symantec has itself previously argued in this case, "Patent L.R. 4-2 does not preclude . . . parties from supplementing or revising their constructions. To the contrary, . . . Patent L.R. 4-2 is explicitly titled 'Exchange of Preliminary Claim Constructions.'" ECF No. 124 at 7. Indeed, as counsel for Symantec acknowledged in conferring with Zscaler's counsel about the constructions now at issue, "compromises can [be,] and often are[,] reached at all stages." ECF No. 172-1 at 2. This is evidenced here by the parties' successful compromise as to the construction of the terms "virtual network" and "security policy." Id. at 4.
The Court further notes that while Symantec purports to object to Zscaler's actions, Symantec's letter brief fails to specify the relief it seeks. See ECF No. 172 at 1-2. Symantec does not ask the Court to hold Zscaler to its earlier constructions which, as previously observed, bear much less resemblance to Symantec's requested constructions than do the compromise constructions Zscaler now advances. Nor does Symantec move for sanctions, as permitted by Patent Local Rule 4-7 for "failure to make a good faith effort to narrow the instances of disputed terms or otherwise participate in the meet and confer process." Patent L.R. 4-7. Accordingly, the Court overrules Symantec's objection. The Court will address Zscaler's proposed compromise constructions in place of its briefed constructions.
IV. LEGAL STANDARD
The construction of terms found in patent claims is a question of law to be determined by the court. Markman v. Westview Instruments, Inc., 52 F.3d 967, 979 (Fed. Cir. 1995) (en banc), aff'd, 517 U.S. 370 (1996). "[T]he interpretation to be given a term can only be determined and confirmed with a full understanding of what the inventors actually invented and intended to envelop with the claim." Phillips v. AWH Corp., 415 F.3d 1303, 1316 (Fed. Cir. 2005) (en banc) (quoting Renishaw PLC v. Marposs Societa' per Azioni, 158 F.3d 1243, 1250 (Fed. Cir. 1998)); see also MySpace, Inc. v. GraphOn Corp., 672 F.3d 1250, 1256 (Fed. Cir. 2012) (when construing claims, courts must consider "what was invented, and what exactly was claimed"). The "correct construction," therefore, is one that "stays true to the claim language and most naturally aligns with the patent's description of the invention." Phillips, 415 F.3d at 1316. While not every claim term must be construed, "[w]hen the parties present a fundamental dispute regarding the scope of a claim term, it is the court's duty to resolve it." O2 Micro Int'l Ltd. v. Beyond Innovation Tech. Co., 521 F.3d 1351, 1362 (Fed. Cir. 2008); see also Every Penny Counts, Inc. v. Am. Express Co., 563 F.3d 1378, 1383 (Fed. Cir. 2009) ("[T]he court's obligation is to ensure that questions of the scope of the patent claims are not left to the jury." (citation omitted)).
The words of a claim are generally given their "ordinary and customary meaning," which is the "meaning that the term would have to a person of ordinary skill in the art in question at the time of the invention, i.e., as of the effective filing date of the patent application." Phillips, 415 F.3d at 1313. In some cases, the ordinary meaning of claim language is "readily apparent," and "claim construction . . . involves little more than the application of the widely accepted meaning of commonly understood words." Id. at 1314. In other cases, "determining the ordinary and customary meaning of the claim requires examination of terms that have a particular meaning in a field of art." Id. Claim construction may deviate from the ordinary and customary meaning of a disputed term only if "a patentee sets out a definition and acts as his own lexicographer" or if "the patentee disavows the full scope of a claim term either in the specification or during prosecution." Thorner v. Sony Comput. Entm't Am. LLC, 669 F.3d 1362, 1365 (Fed. Cir. 2012) (citing Vitronics Corp. v. Conceptronic, Inc., 90 F.3d 1576, 1580 (Fed. Cir. 1996)).
"[T]he claims themselves provide substantial guidance as to the meaning of particular claim terms." Phillips, 415 F.3d at 1314. The "context in which a term is used in the asserted claim," "[o]ther claims of the patent in question, both asserted and unasserted," and "[d]ifferences among claims" are all instructive. Id. "The claims, of course, do not stand alone" and instead "must be read in view of the specification," which is "the single best guide to the meaning of a disputed term." Id. at 1315 (citations omitted). Courts "normally do not interpret claim terms in a way that excludes disclosed examples in the specification." Verizon Servs. Corp. v. Vonage Holdings Corp., 503 F.3d 1295, 1305 (Fed. Cir. 2007). Additionally, the Federal Circuit has cautioned that "limitations from the specification are not to be read into the claims." Comark Commc'ns, Inc. v. Harris Corp., 156 F.3d 1182, 1186 (Fed. Cir. 1998). Even if a patent describes only a single embodiment, the Federal Circuit has "expressly rejected" the contention that the claims must be construed as being limited to that embodiment. Phillips, 415 F.3d at 1323. In addition to consulting the specification, "the court should also consider the patent's prosecution history." Markman, 52 F.3d at 980 (citing Graham v. John Deere Co., 383 U.S. 1, 33 (1966)). However, because the "prosecution history represents an ongoing negotiation between the [Patent and Trademark Office] and the applicant, rather than the final product," it "often lacks the clarity of the specification" and therefore "is less useful." Phillips, 415 F.3d at 1317.
Though intrinsic evidence - the claims, specification, and prosecution history - is more significant and reliable than extrinsic evidence, courts may also consider the extrinsic record in claim construction, including expert and inventor testimony, dictionaries, and learned treatises. Id. at 1317-18. Within the class of extrinsic evidence, dictionaries, and especially technical dictionaries, "can assist the court in determining the meaning of particular terminology to those of skill in the art" because they "endeavor to collect the accepted meanings of terms used in various fields of science and technology." Id. at 1318.
V. DISPUTED CLAIM TERMS
All three disputed terms appear in claim 1 of the '540 patent:
Each disputed term is also recited in independent claim 13, which contains similar limitations as claim 1. ECF No. 157 at 7 n.3.
1. A method of securing a plurality of virtual networks with a virtualized network security system (VNSS), comprising:
providing a plurality of flow processors, each configured as elements of the VNSS for processing a data flow, said data flow being transferred between a first port and a second port of the VNSS, the data flow comprising subscriber profile data;
establishing a first security policy for a first virtual network based at least in part on the subscriber profile data included in the data flow;
establishing a second security policy for a second virtual network based at least in part on the subscriber profile data included in the data flow;
processing the data flow received at said first port for the first and second virtual networks through at least one of the plurality of flow processors, wherein portions of the data flow that are associated with the first virtual network are processed according to the first security policy, and wherein portions of the data flow that are associated with the second virtual network are processed according to the second security policy, said processing further comprising:
making a first determination, in accordance with one of the first security policy and the second security policy, of abnormalities that are associated with the data flow, the first determination based at least in part on the subscriber identified by the subscriber profile data; and
making a second determination, in accordance with one of the first security policy and the second security policy, based at least in part on the subscriber identified by the subscriber profile data, and
transferring said data flow to said second port.
ECF No. 84-6 at 95 (emphasis added to first instance of each disputed term).
A. "virtualized network security system ('VNSS')" ('540 patent, claims 1, 13)
| Symantec's Proposed Construction | Zscaler's Proposed Construction |
|---|---|
| "a network of security devices that arelogically separate from the networks theyprotect" | Original: "system that routes data flowsamong multiple security applicationprocessing resources that are logically separatefrom the physical hardware and networks" |
| Symantec's Proposed Construction | Zscaler's Proposed Construction |
|---|---|
| Compromise: "system comprising virtualizedsecurity devices that are logically separatefrom the networks the system protects" |
The parties agree that the phrase "virtualized network security system" requires construction. ECF Nos. 145 at 7; 157 at 8. They also agree that it refers to some arrangement of "security devices that are logically separate from the networks [the VNSS] protects." ECF No. 172 at 3. The parties' proposed constructions diverge in two ways: First, is the VNSS "a network of" security devices or a "system comprising" those devices? Id. Second, Zscaler alone proposes that the security devices must be "virtualized." Id.
The parties' first disagreement is easily resolved. As reflected in the term "virtualized network security system," the VNSS is, first and foremost, a system. The '540 Patent sometimes uses a "network" as an example of a "system," but the VNSS is a system. See, e.g., ECF No. 84-6 ('540 Patent) at 85:42-45 ("A virtualized network security system, on the other hand, may support a plurality of virtual networks connected to the database, perhaps regardless of the physical arrangement of the network."); id. at 86:7-11 ("While the example network depicted in FIG. 30 is used to illustrate methods and systems of network security virtualization, many other configurations and uses of network security systems may be virtualized and all such virtualizations are within the scope of the present disclosure." (emphasis added)). In fact, the words "virtualized," "network," and "security" all modify the word "system," such that to adopt Symantec's proposal would be render the term as "virtualized network security network," a construction that clearly makes no sense.
Recognizing that the "correct construction" is the one that "stays true to the claim language and most naturally aligns with the patent's description of the invention," the Court concludes from reviewing the asserted claims that the VNSS is more naturally described as a "system" than a "network." Phillips, 415 F.3d at 1316. The Court further finds that the word "comprising" introduces unnecessary ambiguity where the simpler word "of" will suffice. Thus, the Court will combine the parties' proposals to construe the VNSS as a "system of" security devices.
The second disagreement between the parties is more complex, and centers on the extent of virtualization required by the VNSS. Symantec argues that the term "VNSS" only necessarily signifies network virtualization, i.e., logical (as opposed to physical) separation between the VNSS and the network(s). ECF No. 160 at 8-9. Meanwhile, Zscaler contends that the VNSS requires hardware virtualization as well - i.e., logical separation of the VNSS's processors from the physical hardware underlying them. ECF No. 157 at 9. Symantec has the better argument.
Zscaler relies heavily on the prosecution history to argue that, because the applicant emphasized Figure 30 of the '540 patent to support his amendment of claim 1, and that figure includes a virtualization module, hardware virtualization is a necessary component of the VNSS. ECF No. 157 at 10-11. Zscaler also asserts that because the applicant described the VNSS as a "logical construct" when amending the patent claims, hardware virtualization must be required. Id. at 9-10. Finally, Zscaler relies upon a report proferred by its expert Dr. Kevin Jeffay, see ECF No. 157-7, to argue that the very concept of virtualization signifies hardware virtualization, insofar as "virtualization" refers to "the use of computer hardware and software to create the illusion that a piece of computer hardware, or a hardware system, exists when in reality it does not exist as a physically separate or distinct resource." ECF No. 157 at 7.
First, the Court gives very little weight to the unsupported opinion of Dr. Jeffay as to what virtualization means in the context of the '540 patent. See Phillips, 415 F.3d at 1318 ("[C]onclusory, unsupported assertions by experts as to the definition of a claim term are not useful to a court."). More to the point, the Court agrees with Symantec that to read Figure 30 as restricting the scope of the term "VNSS" would be to improperly "import limitations onto the claim from the specification, which is fraught with danger." ECF No. 160 at 9 (quoting MBO Labs., Inc. v. Becton, Dickinson & Co., 474 F.3d 1323, 1333 (Fed. Cir. 2007)). As the Federal Circuit has emphasized, "patent coverage is not necessarily limited to inventions that look like the ones in the figures." MBO Labs., 474 F.3d at 1333. In addition, as Symantec points out, the specification explicitly discusses hardware virtualization as a possible component of the VNSS - not a necessary one. ECF No. 160 at 9 (citing, e.g., ECF No. 145-2 at 79-80). In other words, just because the VNSS may include a virtualization module, does not mean that it is required to do so by the terms of the claim. Keeping in mind that "limitations from the specification are not to be read into the claims," the Court does not consider Figure 30 to be dispositive of the scope of the term "VNSS." Comark Commc'ns, 156 F.3d at 1186. In the absence of any clear "disavow[al of] the full scope" of the term "VNSS" "either in the specification or during prosecution," the Court determines that the term "virtualized network security system" does not demand that the security devices making up the VNSS themselves be virtualized. Thorner, 669 F.3d at 1365.
Thus, combining the parties' proposed constructions, the Court construes the term "VNSS" to mean a "system of security devices that are logically separate from the networks they protect."
B. "subscriber profile data" ('540 patent, claims 1, 13)
| Symantec's Proposed Construction | Zscaler's Proposed Construction |
|---|---|
| Plain and ordinary meaning; or"information associating a subscriber with oneor more access control rules, privileges, and/orpreferences" | "subscriber policy data, obtained from withinthe data flow, that identifies securityapplication processes related to a subscriber" |
The parties disagree as to whether the term "subscriber profile data" requires construction at all. ECF Nos. 145 at 10; 157 at 12 n.4. Symantec argues that the Court should simply adopt the term's plain and ordinary meaning. ECF No. 145 at 10. Zscaler responds that to do so would impermissibly leave the task of determining claim scope to the jury. ECF No. 157 at 12 n.4. The Court determines that "subscriber profile data" does require construction. The meaning of "subscriber profile data" is not fully clear from the claims, and "the court's obligation is to ensure that questions of the scope of the patent claims are not left to the jury." Every Penny Counts, 563 F.3d at 1383.
Here, the claims "must be read in view of the specification," which is "the single best guide to the meaning of a disputed term." Phillips, 415 F.3d at 1315 (citations omitted). Having reviewed the claims and specification, the Court concludes that Symantec's proposed alternative construction is the most accurate construction, because it clarifies each word of the phrase "subscriber profile data:" the data is "information" which "associat[es] a subscriber" with a particular security profile, described by Symantec as "one or more access control rules, privileges, and/or preferences." See ECF No. 145 at 11 ("[T]he present invention may include a subscriber profile" that "may relate an application to a subscriber" by "specify[ing] access control rules, privileges, and preferences associated with that relation." (quoting ECF No. 145-2 at 54-55)). In contrast, Zscaler's proposal - to define "subscriber profile data" as "subscriber policy data" - simply substitutes the term to be construed, rather than clarifying its meaning. See Whatsapp Inc. v. Intercarrier Commc'ns, LLC, Case No. 13-CV-04272-JST, 2014 WL 5306078, at *7 (N.D. Cal. Oct. 16, 2014) (rejecting a construction that "merely substitutes one term in need of construction for another" with little support for its use of the replacement word); ECF No. 145 at 12 n.4.
That said, the Court further concludes that Zscaler's proposed limitation - that the data must be "obtained from within the data flow" - should be included in the Court's construction. It would be helpful to the jury to understand where the subscriber profile data can be found when considering the role that data plays in the functioning of the VNSS. ECF No. 157 at 12-13.
At the hearing, Symantec did not object to the addition of this phrase but argued that it would be redundant. Symantec is correct that redundancy during claim construction with the explicit language of a claim is best avoided. E.g., Word to Info Inc v. Google Inc., No. 15-CV-03486-WHO, 2016 WL 3692198, at *14 (N.D. Cal. July 12, 2016) ("But this point merely highlights that incorporating a natural language limitation into the meaning of 'grammar specification' would be redundant; claim 1 of the '468 patent, as well as all of the other asserted claims in which the term 'grammar specification' appears, already recite 'natural language' and, presumably, are thus limited in this way."). Here, however, Zscaler's proposed language is not an exact copy of the claim. Rather, the claim uses the phrase "subscriber profile data included in the data flow." Zscaler's proposed language is clearer about the requirement that the data flow be the source of this data. --------
Accordingly, the Court will incorporate portions of both parties' proposed constructions of the term "subscriber profile data" and construe it to mean "information, obtained from within the data flow, associating a subscriber with one or more access control rules, privileges, and/or preferences." / / / / / / / / /
C. "plurality of flow processors" / "plurality of flow processing facilities" ('540 patent, claims 1, 13)
| Symantec's Proposed Construction | Zscaler's Proposed Construction |
|---|---|
| "two or more devices that receive, process,and transmit a data flow" | Original: "virtualized resource(s) forprocessing a flow using a set of artificialneurons for pattern recognition, such as a selforganizing map"Compromise: "two or more virtualized devicesthat receive, process, and transmit a data flow" |
The parties agree that the terms "plurality of flow processors" and "plurality of flow processing facilities" require construction. ECF Nos. 145 at 12; 157 at 14. The only dispute remaining between them is whether the "two or more devices that receive, process, and transmit a data flow" must be "virtualized," as advanced by Zscaler, ECF No. 157 at 14, or if no such limitation applies, as Symantec argues, ECF No. 160 at 11. For the reasons outlined above as to the Court's construction of the term "VNSS," the Court declines to read any limitation that the devices themselves be virtualized into the terms "flow processors" or "flow processing facilities." The limitation of virtualization is found in neither the specification nor the claims. See Kara Tech. Inc. v. Stamps.com Inc., 582 F.3d 1341, 1348 (Fed. Cir. 2009) ("The patentee is entitled to the full scope of his claims, and we will not limit him to his preferred embodiment or import a limitation from the specification into the claims."). Accordingly, the Court adopts in full Symantec's proposed construction: "two or more devices that receive, process, and transmit a data flow."
D. Previously disputed terms: "virtual network" ('540 patent, claims 1, 13) and "security policy" ('540 patent, claims 1, 5, 13)
After disputing the construction of an additional two terms from the '540 patent in their claim construction briefing, the parties have since stipulated to construe the terms as follows: "Virtual network" means a "logical connection of sources and sinks of data." ECF No. 175. "Security policy" means "specification of limitation(s) or condition(s) to be applied to a data flow or application." Id. The Court will adopt the parties' stipulated constructions.
CONCLUSION
The Court construes the disputed and stipulated claim terms from the '540 patent as follows:
| Claim Term | Court's Construction |
|---|---|
| "virtualized network security system('VNSS')" ('540 patent, claims 1, 13) | "system of security devices that are logicallyseparate from the networks they protect" |
| "subscriber profile data" ('540 patent, claims1, 13) | "information, obtained from within the dataflow, associating a subscriber with one ormore access control rules, privileges, and/orpreferences" |
| "plurality of flow processors" / "plurality offlow processing facilities" ('540 patent, claims1, 13) | "two or more devices that receive, process,and transmit a data flow" |
| "virtual network" ('540 patent, claims 1, 13) | "logical connection of sources and sinks ofdata" |
| "security policy" ('540 patent, claims 1, 5, 13) | "specification of limitation(s) or condition(s)to be applied to a data flow or application" |
IT IS SO ORDERED. Dated: April 10, 2019
/s/_________
JON S. TIGAR
United States District Judge