CLAIM CONSTRUCTION ORDER

Re: ECF Nos. 167, 179

JON S. TIGAR, District Judge.

In this patent infringement case, the parties now propose competing constructions of five terms from Symantec's four patents, U.S. Patent Nos. 6,279,113 ("the '113 patent"), 7,392,543 ("the '543 patent"), 7,735,116 ("the '116 patent"), and 8,181,036 ("the '036 patent").1 ECF Nos. 167, 179, 184. The Court will construe the terms as set forth below.

I. BACKGROUND

This is a patent infringement case between two computer security software companies. Symantec alleges that Zscaler's cloud-based security product, ZEN, infringes Symantec's patents. ECF No. 139 ¶ 19. The parties now ask the Court to construe terms in four Symantec patents. Id. ¶¶ 40-111. In general terms, the '113 patent claims assigning attack signature profiles to various network objects. Id. ¶ 41. The '543 patent claims detecting and preventing the spread of malicious code. Id. ¶ 71. The '116 patent claims a hierarchical and relational system for organizing security functions on a unified threat management system ("UTM"). Id. ¶ 83. Finally, the '036 patent claims detecting outgoing confidential data that is encrypted, compressed, or otherwise obfuscated. Id. ¶ 91.

II. OBJECTION TO EXPERT DECLARATION

Zscaler objects to the testimony of Symantec expert Dr. Sandeep Chatterjee on the grounds that it was submitted untimely. ECF No. 179 at 8 n.4. Symantec identified Dr. Chatterjee "for the first time in the joint claim construction and prehearing statement." Id. Zscaler does not request exclusion of the testimony or other judicial relief. It also cites no authority.

Patent Local Rule 4-2 requires the parties to exchange their preliminary proposed constructions for disputed claim terms, as well as the evidentiary support — both intrinsic and extrinsic — for those proposed constructions. Patent L.R. 4-2(b). The parties must "provide a description of the substance of [any] expert witness' proposed testimony that includes a listing of any opinions to be rendered in connection with claim construction." Id. Although the parties have not provided the Court with Symantec's Rule 4-2 disclosures, the Court assumes Symantec did not identify Dr. Chatterjee in those disclosures because Symantec did not respond to Zscaler's objection.

The Court has previously excluded expert claim construction testimony when the sponsoring party failed to identify its expert until claim construction briefing. GoPro, Inc. v. C&A Mktg., Inc., No. 16-CV-03590-JST, 2017 WL 2335377, at *3 (N.D. Cal. May 30, 2017); Tristrata, Inc. v. Microsoft Corp., No. 11-CV-03797-JST, 2013 WL 12172909, at *2 (N.D. Cal. May 13, 2013). In this case, however, Symantec identified Dr. Chatterjee in its prehearing statement. That makes this case more like Reflex Packaging, Inc. v. Lenovo (U.S.), Inc., No. C-01002 JW, 2011 WL 7295479, at *2-3 (N.D. Cal. Apr. 7, 2011). There, the district court declined to strike an expert declaration that was served for the first time with the plaintiff's opening claim construction brief. Id. at *2. As here, the plaintiff in Reflex Packaging identified its expert by name in the joint claim construction and prehearing statement, giving the defendant some reason to think that the plaintiff would actually be relying on expert testimony. Id. The court also noted that Defendant had the opportunity to conduct expert discovery, although it chose not to do so. Id. at *3. Here, Zscaler took Dr. Chatterjee's deposition and waited to object until its claim construction opposition brief. And while it objects to the late disclosure, it identifies no harm it suffered as a result.

The Court overrules Zscaler's objection.

III. LEGAL STANDARD

The construction of terms found in patent claims is a question of law. Markman v. Westview Instruments, Inc., 52 F.3d 967, 979 (Fed. Cir. 1995) (en banc), aff'd, 517 U.S. 370 (1996). "[T]he interpretation to be given a term can only be determined and confirmed with a full understanding of what the inventors actually invented and intended to envelop with the claim." Phillips v. AWH Corp., 415 F.3d 1303, 1316 (Fed. Cir. 2005) (quoting Renishaw PLC v. Marposs Societa' per Azioni, 158 F.3d 1243, 1250 (Fed. Cir. 1998)); see also MySpace, Inc. v. GraphOn Corp., 672 F.3d 1250, 1256 (Fed. Cir. 2012) (when construing claims, courts must consider "what was invented, and what exactly was claimed"). The "correct construction," therefore, is one that "stays true to the claim language and most naturally aligns with the patent's description of the invention." Phillips, 415 F.3d at 1316. While not every claim term must be construed, "[w]hen the parties present a fundamental dispute regarding the scope of a claim term, it is the court's duty to resolve it." O2 Micro Int'l Ltd. v. Beyond Innovation Tech. Co., 521 F.3d 1351, 1362 (Fed. Cir. 2008); see also Every Penny Counts, Inc. v. Am. Express Co., 563 F.3d 1378, 1383 (Fed. Cir. 2009) ("[T]he court's obligation is to ensure that questions of the scope of the patent claims are not left to the jury.") (citation omitted).

The words of a claim are generally given their "ordinary and customary meaning," which is the "meaning that the term would have to a person of ordinary skill in the art in question at the time of the invention, i.e., as of the effective filing date of the patent application." Phillips, 415 F.3d at 1312-13. In some cases, the ordinary meaning of claim language is "readily apparent," and "claim construction . . . involves little more than the application of the widely accepted meaning of commonly understood words." Id. at 1314. In other cases, "determining the ordinary and customary meaning of the claim requires examination of terms that have a particular meaning in a field of art." Id. Claim construction may deviate from the ordinary and customary meaning of a disputed term only if "a patentee sets out a definition and acts as his own lexicographer" or if "the patentee disavows the full scope of a claim term either in the specification or during prosecution." Thorner v. Sony Computer Entm't Am. LLC, 669 F.3d 1362, 1365 (Fed. Cir. 2012) (citing Vitronics Corp v. Conceptronic, Inc., 90 F.3d 1576, 1580 (Fed. Cir. 1996)).

"[T]he claims themselves provide substantial guidance as to the meaning of particular claim terms." Phillips, 415 F.3d at 1314. The "context in which a term is used in the asserted claim," "[o]ther claims of the patent in question, both asserted and unasserted," and "[d]ifferences among claims" are all instructive. Id. "The claims, of course, do not stand alone" and instead "must be read in view of the specification," which is "the single best guide to the meaning of a disputed term." Id. at 1315. Courts "normally do not interpret claim terms in a way that excludes disclosed examples in the specification." Verizon Servs. Corp. v. Vonage Holdings Corp., 503 F.3d 1295, 1305 (Fed. Cir. 2007). Additionally, the Federal Circuit has cautioned that "limitations from the specification are not to be read into the claims." Comark Commc'ns, Inc. v. Harris Corp., 156 F.3d 1182, 1186 (Fed. Cir. 1998). Even if a patent describes only a single embodiment, the Federal Circuit has "expressly rejected" the contention that the claims must be construed as being limited to that embodiment. Phillips, 415 F.3d at 1323. In addition to consulting the specification, "the court should also consider the patent's prosecution history." Markman, 52 F.3d at 980 (citing Graham v. John Deere Co., 383 U.S. 1, 33 (1966)). However, because the "prosecution history represents an ongoing negotiation between the [Patent and Trademark Office] and the applicant, rather than the final product," it "often lacks the clarity of the specification" and therefore "is less useful." Phillips, 415 F.3d at 1317.

Though intrinsic evidence — the claims, specification, and prosecution history — is more significant and reliable than extrinsic evidence, courts may also consider the extrinsic record in claim construction, including expert and inventor testimony, dictionaries, and learned treatises. Id. at 1317-18. Within the class of extrinsic evidence, dictionaries, and especially technical dictionaries, "can assist the court in determining the meaning of particular terminology to those of skill in the art" because they "endeavor to collect the accepted meanings of terms used in various fields of science and technology." Id. at 1318.

IV. DISPUTED CLAIM TERMS

A. "obfuscation tool" ('036 Patent, all asserted claims)

The '036 patent claims techniques for detecting outgoing confidential or proprietary information even when that information is encrypted or compressed. ECF No. 1-1 at 114. The parties agree the patent's phrase "obfuscation tool" requires construction. ECF No. 179 at 5.

1. "computer module" vs. "program"

Symantec proposes that obfuscation tool refers to a "computer module," while Zscaler prefers the narrower term "program." ECF No. 167 at 5. Symantec argues Zscaler's proposal excludes embodiments, such as an algorithm and process. Id. at 6 (citing ECF No. 1-1 at 123 ("Application A may be an obfuscation tool, such as a compression and/or encryption algorithm.") and ECF No. 1-1 at 120 (referring to an "obfuscation process"). Zscaler counters that when the specification mentions an algorithm or process, it actually refers to an application or program. ECF No. 179 at 5-6. But Zscaler's arguments to this point are unpersuasive. Zscaler argues that the embodiment referencing an algorithm also references an application, which it equates to a program without further explanation or citation to authority. Id. at 6. Likewise, Zscaler explains that the patent defines "process" as "an executable file that is loaded into memory for execution," and that an executed file "is commonly referred to as a program," again without citation or further explication. Id. (quoting ECF No. 1-1 at 122). Finally, Zscaler argues that because the claim requires comparing "a signature of a program" with "a signature of a known obfuscation tool," the tool must be a program to enable comparison, but Zscaler cites nothing to support this contention. See id. ("[T]hat would be comparing apples to oranges."); see also ECF No. 184 at 5 (Symantec arguing that Zscaler's assertions are "unsupported attorney argument").

A closer examination of the claims demonstrates that, in any case, what the invention compares is not programs and tools, but rather the signatures of each. ECF No. 1-1 at 124 (claiming "comparing signatures of programs launched on a computer with signatures of known obfuscation tools"). The Court therefore concludes "computer module" is more appropriate than "program" because it more clearly preserves embodiments including applications, processes, and algorithms. See Verizon, 503 F.3d at 1305 (explaining construction should include all disclosed embodiments).

However, Zscaler points out that Symantec's proposed definition is too broad because it would not require an obfuscation tool to actually perform any obfuscation. ECF No. 179 at 7. The patent's language demonstrates that an obfuscation tool — as the name would suggest — obfuscates. For example, one embodiment describes a "resulting obfuscated file created by the obfuscation tool." ECF No. 1-1 at 121. Likewise, the claims limit "obfuscation tool" to something that does the obfuscation. See id. at 124 (claim 1 requiring that "the obfuscation tool produce[] an output file"); id. at 125 (same for claim 7); id. (same for claim 13); see also Merriam-Webster's Collegiate Dictionary, 11th ed. (2012) (defining produce as "to cause to have existence or to happen" or "to give being, form, or shape to"). Because the claims and specification each contemplate that the obfuscation tool will create obfuscated data, the Court agrees with Zscaler on this point and has modified Symantec's proposed construction accordingly. See Phillips, 415 F.3d at 1314 (instructing the Court to define the claim in light of the claim, then the specification).

The Court adopts part of each party's definition as follows: An obfuscation tool is "a computer module that outputs an encrypted, compressed, or otherwise obscured file."2

2. "on a client computer"

Zscaler's proposed construction also limits the claim to tools "on a client computer," a limitation present in the specification, but not the independent claims. ECF No. 167 at 6-7. Each embodiment locates the obfuscation tool on a computer. ECF No. 1-1 at 121 (explaining the technology "can detect when an obfuscation tool . . . is launched on the client"); id. at 123 ("[T]he file monitoring module observes the user launching programs on the client computer. . . .").3 The limitation is also captured in all three independent claims. Id. at 124 (describing in claim 1 an "obfuscation tool on the computer"); id. at 125 (describing the same in claim 7 and claim 13).

But the claim need not be construed in the manner Zscaler suggests in order to make this limitation clear. Symantec explains that defining "obfuscation tool" to mean "on a client computer" is nonsensical because it would render words in the claims redundant. ECF No. 167 at 7 (explaining claim 1 would read "detecting launching of [program[s] to encrypt, compress, or otherwise obscure a file on a client computer] on the computer"). The Court agrees, and rejects Zscaler's proposal because it is redundant of the terms of the claim surrounding it. See Asetek Holdings, Inc. v. CoolIT Sys. Inc., No. C-12-4498 EMC, 2013 WL 6327691, at *4 (N.D. Cal. Dec. 3, 2013), aff'd sub nom. Asetek Danmark A/S v. CMI USA Inc., 842 F.3d 1350 (Fed. Cir. 2016), opinion modified and superseded on reh'g, 852 F.3d 1352 (Fed. Cir. 2017), and aff'd sub nom. Asetek Danmark A/S v. CMI USA Inc., 852 F.3d 1352 (Fed. Cir. 2017) (citing Atser Research Techs., Inc. v. Raba-Kistner Consultants Inc., No. SA-07-CA-93-H, 2009 WL 691118, at *11 (W.D. Tex. Mar. 2, 2009), aff'd, 384 F. App'x 995 (Fed. Cir. 2010) (rejecting defendant's construction of the term "client computer" because it "includ[ed] the surrounding words of the claim" which was "redundant and unnecessary")); see also GoPro, Inc. v. C&A Mktg., Inc., No. 16-CV-03590-JST, 2017 WL 3131449, at *6 (N.D. Cal. July 24, 2017) (finding a construction "unnecessary in light of the surrounding claim language that already requires" the proposed construction).4 The Court declines to include "on a client computer" in its construction.

B. "dynamically defining" ('116 Patent, claim 5)

The '116 patent describes a method of controlling access to a device that organizes various security functions on a UTM hierarchically and relationally. ECF No. 1-1 at 79. Claim 5 recites dynamically defining attack defense rules along this hierarchy and applying them in the future. ECF No. 1-1 at 111.

Zscaler's proposed construction, which inserts the word "threshold," would limit the term to one embodiment in the specification. ECF No. 1-1 at 106 ("The dynamic rule may be triggered based on thresholds. . . . This feature allows for dynamic rules to be generated to prevent well know[n] DOS attacks.") (emphasis added); see also id. at 108-09 (listing different types of threshold rules). Zscaler asserts that "the specification only discusses dynamically defining a rule as premised on a threshold being met, and further stresses the importance of thresholds." ECF No. 179 at 14.

Claim 5 itself does not require thresholds as a trigger. It requires a rule to be dynamically defined "as a function of" (and therefore "in response to") "indicator parameters" of the "attacking message packets." Moreover, not all embodiments rely on thresholds. For example, one embodiment describes a dynamically defining rule in response to a single attempted access. ECF No. 1-1 at 106 ("[D]ynamic rules for IDS are applied where, instead of IDS receiving multiple traffic streams with the same signature and then dropping them [describing a threshold rule], the IDS engine applies a dynamic rule for the specified source and protocol being used for synchronous access control. In this case, IDS would only see one signature event, all other traffic from the same source, using the same protocol would be dropped.") (emphasis added).5 In other words, Zscaler's definition limits the claim to a rule for one type of attack, a DOS attack, while the patent covers a wide variety of attacks, including phishing, viruses, and spam. ECF No. 1-1 at 99. Because "limitations from the specification are not to be read into the claims," Zscaler's definition must be rejected. Comark, 156 F.3d at 1186.

Symantec argues the term "dynamically defining" need not be construed because it is clear and understandable to a jury. ECF No. 167 at 12. The Court disagrees. Because a reasonable juror may not understand the plain and ordinary meaning of "dynamically defining," the Court adopts Symantec's alternative construction of "creating in response to the attacking message packets." See Every Penny Counts, 563 F.3d at 1383 ("[T]he court's obligation is to ensure that questions of the scope of the patent claims are not left to the jury.").

C. "an attack defense processing rule" ('116 Patent, claim 5)

Symantec argues no construction is necessary because the words are clear on their face. ECF No. 167 at 13. Zscaler counters that the "parties' dispute demonstrates that the term is not clear on its face and requires construction." ECF No. 179 at 15. To the extent the Court requires a construction, Symantec proposes "a set of one or more tests" while Zscaler proposes "a set of instructions." Id. at 14. Zscaler explains that a "rule is triggered by the outcome of tests" and is not itself a series of tests.

The Court agrees with Zscaler that the specification describes a rule as a series of instructions which includes subjecting data to a test or tests. Id. at 16. For example, both parties point to the following embodiment to support their positions:

ECF No. 1-1 at 100. This embodiment makes clear that while a test or tests may make up one part of an attack defense processing rule, rules are generally comprised of a set of sequential instructions based on the results of the test or tests.6

Symantec notes that if the Court adopts Zscaler's proposed construction it should adopt "set of one or more instructions" because "attack defense processing rule" is singular. ECF No. 184 at 13 n.8. The Court agrees. Nothing in the patent bars an attack defense processing rule from constituting a single instruction of what to do in response to an attack, and at least one embodiment suggests a single instruction would be adequate. ECF No. 1-1 at 106 ("IDS would only see one signature event, all other traffic from the same source, using the same protocol would be dropped.") (suggesting a rule of dropping all data from a particular source). Accordingly, the Court adopts Zscaler's definition but with a modification suggested by Symantec: "a set of one or more instructions to defend against an attack."

D. "attack signature profile[s]" ('113 Patent, all asserted claims)

The parties first dispute whether an attack signature profile is better understood as "information" or "instructions." For several reasons, Zscaler has the better argument.

First, Zscaler's expert explains that the BNR grammar simply provides examples of different instructions that can be executed. ECF No. 179-9 at 5-6, 9 (explaining "they are instructions to a tool that builds a parser" or "how you build instructions"). Moreover, the claims discuss "executing" the attack signature profile, which suggests "instructions" are more fitting than Symantec's proposed "information." ECF No. 1-1 at 20 (reciting in claim 1 "executing at least one attack signature profile"); id. at 22 (reciting in claim 15 "utilizing a processor to execute an attack signature profile"). Finally, the specification repeatedly describes the attack signature profile as an instruction or set of instructions. Id. at 17 ("The attack signature profiles include a set of instructions which the virtual processor executes. . . ."); id. at 19 (describing a single instruction); id. at 20 (describing an instruction or instructions); id. at 5 (depicting in a figure the execution of instructions); id. at 19 (describing an "instruction cache"). The claims and specification, as well as Zscaler's extrinsic evidence, suggest that Zscaler's proposal of "instruction" hews more closely to the patent's meaning. Phillips, 415 F.3d at 1314-15 (instructing courts to look at the claim, then specification, then extrinsic evidence).

Symantec argues that by describing an attack signature profile as "instructions," Zscaler's proposed construction excludes disclosed embodiments. ECF No. 167 at 17. Symantec cites to a figure in the patent and several lines of "BNR parsing grammar" to support this argument, but does not convincingly explain how "instructions" would exclude them. Id. (citing ECF No. 1-1 at 10 & 19).

Symantec also argues that Zscaler's definition erroneously associates a signature profile with a single network object. ECF No. 167 at 17. The specification describes the relationship as follows: "The attack signature profiles are organized into sets of attack signature profiles which are assigned to network objects. . . ." ECF No. 1-1 at 16. Likewise, claim 1 describes that "each network object has a corresponding stored subset of attack signature profiles and more than one subset of attack signature profiles corresponds to network objects." Id. at 20. This text makes clear that a single attack signature profile can correspond to several network objects, an interpretation supported by the fact that attack signature profiles can be generic. Id. at 16 ("The attack signature profiles can include generic attack and/or customized attack signature profiles for particular network objects on the network"); id. at 17 ("The attack signature profiles can be generic in that they describe generic network intrusion attempts which are common to most networks. . . ."). The latter half of Zscaler's definition errs in suggesting that each profile associates with a single network object. Zscaler asserts that nothing in its definition "prevents a profile from being included in more than one subset," ECF No. 179 at 21, but the assertion runs contrary to a common-sense reading of the proposed construction. See Renishaw PLC, 158 F.3d at 1250 (explaining the "correct construction" is one that "most naturally aligns with the patent's description of the invention").

Zscaler's definition has one additional flaw. In light of the parties' stipulated construction of "network object" as "addressable network device or resource, including servers, workstations, routers, firewalls, switches and files stored in memory within those devices or resources," attack signature profiles should not be limited to access attacks. Accordingly, the Court construes the term "attack signature profile[s]" as "instructions for detecting a network security violation associated with one or more network object[s]."

E. "malicious code signature" ('543 Patent, claims 1, 4, 9, and 30)

The '543 patent claims a system for detecting attacks by malicious code. When an attack occurs, the system automatically updates a malicious code signature and shares that signature with an IDS to prevent the further spread of malicious code. ECF No. 1-1 at 60.

This dispute is narrow. The parties debate whether a malicious code signature refers to "information" broadly, or "bytes" more specifically. ECF No. 167 at 18. The specification recites that in one embodiment: "A signature is a specific sequence of information, e.g., bytes." ECF No. 1-1 at 71. In another, "the signature is extracted by processing the malicious code to extract critical malicious code information, for example information unique to the malicious code." Id.

The claims support Zscaler's definition. Claim 1 provides that a malicious code signature is created by "extracting a specific number of bytes backwards from [a] caller's address." ECF No. 1-1 at 75. Likewise, claim 5 explains "the specific number of bytes is 32 bytes." Id. Finally, claim 17 recites "extracting a specific number of bytes above and below said caller's address." Id. at 76. Zscaler also points to significant extrinsic evidence supporting its proposed construction. ECF No. 179 at 24-25.

Symantec places great weight on the patentee's use of the abbreviation "e.g." The letters are short for the Latin phrase exempli gratia, meaning "for example." Thus, Symantec suggests, "bytes" is merely one illustration of what "signature" can mean. While the argument is not frivolous, the phrase "e.g." in isolation cannot bear the weight of Symantec's construction. And given the opportunity, Symantec was unable to provide any example in the patent that did not involve bytes. See ECF No. 230 at 37-38. Moreover, because the specification does not specify any type of information other than bytes, Zscaler's construction does not exclude any embodiment.

For these reasons, the Court adopts Zscaler's proposal. Phillips, 415 F.3d at 1317 (instructing the Court to look first at the claims, then specification, then extrinsic evidence).

F. "Network object" (`113 Patent) and "caller's address" (`543 Patent)

On July 31, 2018, the Court adopted the parties' stipulated construction of the terms "network object" of the '113 Patent and "caller's address" of the '543 Patent. The parties agree that the claim term "network object" should be construed as "addressable network device or resource, including servers, workstations, routers, firewalls, switches and files stored in memory within those devices or resources," and the claim term "caller's address" should be construed as "memory location of the malicious code." The Court incorporates those constructions below.

CONCLUSION

The Court construes the parties' disputed claim terms as follows:

IT IS SO ORDERED.