Opinion Issued: March 20, 2019
from the United States District Court for the District of
Delaware in No. 1:13-cv-01534-SLR-SRF, Judge Sue L. Robinson.
Scherkenbach, Fish & Richardson, PC, Boston, MA, argued
for plaintiff-appellee. Also represented by Proshanto
Mukherji; David Michael Hoffman, Austin, TX; Howard G.
Pollack, Redwood City, CA; Francis J. Albert, John Winston
Thornburgh, San Diego, CA.
William F. Lee, Wilmer Cutler Pickering Hale and Dorr LLP,
Boston, MA, argued for defendant-appellant. Also represented
by Andrew J. Danford, Lauren B. Fletcher, Louis W. Tompros.
Lourie, O'Malley, and Stoll, Circuit Judges.
an appeal from a final judgment in a patent case. Cisco
Systems, Inc. ("Cisco") appeals the district
court's (1) denial of Cisco's motion for summary
judgment of patent ineligibility under § 101, (2)
construction of the claim term "network traffic
data," (3) grant of summary judgment of no anticipation,
and (4) denial of judgment as a matter of law of no willful
infringement. Cisco also appeals the district court's
grant of enhanced damages, attorneys' fees, and ongoing
affirm the district court's denial of summary judgment of
ineligibility, adopt its construction of "network
traffic data," and affirm its summary judgment of no
anticipation. We vacate and remand the district court's
denial of judgment as a matter of law of no willful
infringement, and therefore vacate and remand the district
court's enhancement of damages and award of
attorneys' fees. Finally, we affirm the district
court's award of ongoing royalties on post-verdict sales
of products that were actually found to infringe or are not
colorably different. Accordingly, we affirm-in-part,
vacate-in-part, and remand for further proceedings consistent
with this opinion.
the interconnectivity of computer networks facilitates access
for authorized users, it also increases a network's
susceptibility to attacks from hackers, malware, and other
security threats. Some of these security threats can only be
detected with information from multiple sources. For
instance, a hacker may try logging in to several computers or
monitors in a network. The number of login attempts for each
computer may be below the threshold to trigger an alert,
making it difficult to detect such an attack by looking at
only a single monitor location in the network. In an attempt
to solve this problem, SRI developed the inventions claimed
in U.S. Patent Nos. 6, 484, 203 and 6, 711, 615. The '615
patent (titled "Network Surveillance") is a
continuation of the '203 patent (titled
"Hierarchical Event Monitoring and Analysis").
performed considerable research and development on network
intrusion detection prior to filing the pa-tents-in-suit. In
fact, SRI's Event Monitoring Enabling Responses to
Anomalous Live Disturbances ("EMERALD") project had
attracted considerable attention in this field. The
Department of Defense's Defense Advanced Research
Projects Agency, which helped fund EMERALD, called it a
"gem in the world of cyber defense" and "a
quantum leap improvement over" previous technology. J.A.
1272-73 at 272:16-17, 273:7-9. In October 1997, SRI presented
a paper entitled "EMERALD: Event Monitoring Enabling
Responses to Anomalous Live Disturbances" ("EMERALD
1997") at the 20th National Information Systems Security
1997 is a conceptual overview of the EMERALD system. It
describes in detail SRI's early research in intrusion
detection technology and outlines the development of next
generation technology for detecting network anomalies.
SRI Int'l Inc. v. Internet Sec. Sys., Inc., 647
F.Supp.2d 323, 334 (D. Del. 2009). The parties do not dispute
that EMERALD 1997 constitutes prior art under 35 U.S.C.
§ 102(b). EMERALD 1997 is listed as a reference on the
face of the '615 patent.
patents share a nearly identical specification and a priority
date of November 9, 1998. At the summary judgment stage, SRI
asserted claims 1-4, 14-16, and 18 of the '615 patent and
claims 1-4, 12-15, and 17 of the '203 patent. By the time
of trial, SRI had narrowed the asserted claims to claims 1,
2, 12, and 13 of the '203 patent and claims 1, 2, 13, and
14 of the '615 patent. The jury considered only this
narrower set of claims.
parties identify different representative claims. Cisco
proposes claim 1 of the '203 patent, while SRI proposes
claim 1 of the '615 patent. The claims are substantially
similar, as the minor differences between them are not
material to any issue on appeal. As such, we adopt SRI's
proposal and use '615 patent claim 1 as the
representative claim. It reads:
1. A computer-automated method of hierarchical event
monitoring and analysis within an enterprise network
deploying a plurality of network monitors in the enterprise
detecting, by the network monitors, suspicious network
activity based on analysis of network traffic data selected
from one or more of the following categories: (network packet
data transfer commands, network packet data transfer errors,
network packet data volume, network connection requests,
network connection denials, error codes included in a network
packet, network connection acknowledgements, and network
packets indicative of well-known network-service protocols};
generating, by the monitors, reports of said suspicious
automatically receiving and integrating the reports of
suspicious activity, by one or more hierarchical monitors.
'615 patent col. 15 ll. 2-21.
SRI sued Cisco for infringement of the '615 patent and
the '203 patent, Cisco unsuccessfully moved for summary
judgment on several issues, including that the claims are
ineligible and that the EMERALD 1997 reference anticipates
the claims. SRI Int'l, Inc. v. Cisco
Sys., Inc., 179 F.Supp.3d 339 (D. Del. Apr. 11,
2016) ("Summary Judgment Op."). The
district court denied Cisco's motions and instead sua
sponte granted summary judgment of no anticipation in
SRI's favor. Id. at 369.
court then held a jury trial on infringement, validity, and
willful infringement of claims 1, 2, 13, and 14 of the
'615 patent and claims 1, 2, 12, and 13 of the '203
patent, as well as damages. The jury found that Cisco
intrusion protection system ("IPS") products, Cisco
remote management services, Cisco IPS services,
Sourcefire IPS products, and Sourcefire professional
services directly and indirectly infringed the asserted
claims. The jury awarded SRI a 3.5% reasonable royalty for a
total of $23, 660, 000 in compensatory damages. The jury also
found by clear and convincing evidence that Cisco's
infringement was willful.
post-trial briefing, the district court denied Cisco's
renewed motion for JMOL of no willfulness. SRI
Int'l, Inc. v. Cisco Sys., Inc., 254 F.Supp.3d
680, 717 (D. Del. 2017) ("Post-Trial Motions
Op."). Based on the willfulness verdict, the
district court determined that "some enhancement is
appropriate given Cisco's litigation conduct," the
"fact that Cisco lost on all issues during summary
judgment," and "its apparent disdain for SRI and
its business model." Id. at 723. The court then
doubled the damages award. It also granted SRI's motion
for attorneys' fees, compulsory license, and prejudgment
appeals the district court's claim construction and
denial of summary judgment of ineligibility,  as well as its
grant of summary judgment of no anticipation, enhanced
damages, attorneys' fees, and ongoing royalties. We have
jurisdiction under 28 U.S.C. § 1295(a)(1).
review de novo whether a claim is drawn to patent-eligible
subject matter. Berkheimer v. HP Inc., 881 F.3d
1360, 1365 (Fed. Cir. 2018) (citing Intellectual Ventures
I LLC v. Capital One Fin. Corp., 850 F.3d 1332, 1338
(Fed. Cir. 2017)). Section 101 defines patent-eligible
subject matter as "any new and useful process, machine,
manufacture, or composition of matter, or any new and useful
improvement thereof." 35 U.S.C. § 101. Laws of
nature, natural phenomena, and abstract ideas, however, are
not patentable. See Mayo Collaborative Servs. v.
Prometheus Labs., Inc., 566 U.S. 66, 70-71 (2012)
(citing Diamond v. Diehr, 450 U.S. 175, 185 (1981)).
determine whether a patent claims ineligible subject matter,
the Supreme Court has established a two-step framework.
First, we must determine whether the claims at issue are
directed to a patent-ineligible concept such as an abstract
idea. Alice Corp. v. CLS Bank Int'l, 573 U.S.
208, 217 (2014). Second, if the claims are directed to an
abstract idea, we must "consider the elements of each
claim both individually and 'as an ordered
combination' to determine whether the additional elements
'transform the nature of the claim' into a
patent-eligible application." Id. (quoting
Mayo, 566 U.S. at 79). To transform an abstract idea
into a patent-eligible application, the claims must do
"more than simply stat[e] the abstract idea while adding
the words 'apply it.'" Id. at 221
(quoting Mayo, 566 U.S. at 72 (internal alterations
resolve the eligibility issue at Alice step one and
conclude that claim 1 is not directed to an abstract idea.
See Enfish, LLC v. Microsoft Corp., 822 F.3d 1327,
1337 (Fed. Cir. 2016). The district court concluded that the
claims are more complex than merely reciting the performance
of a known business practice on the Internet and are better
understood as being necessarily rooted in computer technology
in order to solve a specific problem in the realm of computer
networks. Summary Judgment Op., 179 F.Supp.3d at
353-54 (citing '203 patent col. 1 ll. 37- 40; DDR
Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1257
(Fed. Cir. 2014)). We agree. The claims are directed to using
a specific technique-using a plurality of network monitors
that each analyze specific types of data on the network and
integrating reports from the monitors-to solve a
technological problem arising in computer networks:
identifying hackers or potential intruders into the network.
to Cisco's assertion, the claims are not directed to just
analyzing data from multiple sources to detect suspicious
activity. Instead, the claims are directed to an improvement
in computer network technology. Indeed, representative claim
1 recites using network monitors to detect suspicious network
activity based on analysis of network traffic data,
generating reports of that suspicious activity, and
integrating those reports using hierarchical monitors.
'615 patent col. 15 ll. 2-21. The "focus of the
claims is on the specific asserted improvement in computer
capabilities"-that is, providing a network defense
system that monitors network traffic in real-time to
automatically detect large-scale attacks. Enfish,
822 F.3d at 1335-36.
specification bolsters our conclusion that the claims are
directed to a technological solution to a technological
problem. The specification explains that, while computer
networks "offer users ease and efficiency in exchanging
information," '615 patent col. 1 ll. 28-29,
"the very interoperability and sophisticated integration
of technology that make networks such valuable assets also
make them vulnerable to attack, and make dependence on
networks a potential liability." Id. at col. 1
ll. 36-39. The specification further teaches that, in
conventional networks, seemingly localized triggering events
can have globally disastrous effects on widely distributed
systems-like the 1980 ARPAnet collapse and the 1990 AT&T
collapse. See id. at col. 1 ll. 43-47. The
specification explains that the claimed invention is directed
to solving these weaknesses in conventional networks and
provides "a ...