Free Letter - District Court of Delaware - Delaware

Case 1 :04-cv-01199-SLR Document 533-2 Filed 08/29/2008 Page 1 of 4
SRI v. ISS and Symantec
Exhibit 1 to the Proposed Pre-Trial Order
STATEMENT OF FACTS WHICH ARE ADMITTED
AND REQUIRE NO PROOF L.R. 16.4gd3g3g
I. SRI International, Inc. ("SRi") is a not·for—proiit res earch institute
incorporated under the laws of California, and has a regular and established place of
business at 333 Ravenswocd Avenue, Menlo Park, California 94025.
2. Defendant internet Security Systems, Inc. of Delaware ("ISS-DE") is
incorporated under the laws of Delaware, with its principal place of business at 6303
Bariield Road, Atlanta, Georgia 30328.
3. Defendant Internet Security Systems, Inc. of Georgia ("ISS-GA") is
incorporated under the laws of Georgia, with its principal place of business at 6303 Barlield
Road, Atlanta, Georgia 30328. ISS—DE and ISS-GA are referred to collectively as ‘“ISS."
4. Defendant Symantec Corporation ("Sy1nantec") is incorporated under the
laws of Delaware, with its principal place of business at 20330 Stevens Creek Boulevard,
Cupertino, California 95014.
5. This action arises under the patent laws ofthe United States, Title 35 U.S.C.
§ 1, et seq. This Court has subject matter jurisdiction under 28 U.S.C. § 1331 and 28 U.S.C.
§ l338(a).
_ _ _ _ _ _ _ _ 6. _ This Court has personal jurisdiction over the parties. _ _ _ _ _ _
1

Case 1 :04-cv-01199-SLR Document 533-2 Filed 08/29/2008 Page 2 of 4
7. Venue is proper in this Court pursuant to 28 U.S.C. §§ l39l(b), (c) and 1400
because each ofthe defendants is subject to personal jurisdiction in this judicial district.
8. There are three patents at issue remaining to be tried in this case (“ the
Patents—in—Suit” ), Each ofthe Patents—in—Suit names as inventors Phillip Porras and
Alfonso Valdes and each is assigned to SRL The Patents·~in··St1itare:
a. United States Patent No. 6,21,338 Bl (" the ’338 patent") entitled
"Network Surveillance," issued on November 20, 2001;
b, United States Patent No. 6,484,203 Bl (" the ’203 patent") entitled
"Hierarchical Event Monitoring and Analysis," issued on November
19, 2002 , and
c. United States Patent No. 6,711,615 B2 (" the ’6l5 patent") entitled
"Network Surveillance," issued on March 23, 2004.
9. The ’338 patent was tiled on November 9, 1998. The ’203, and ’615 patents
were tiled as continuation applications and have a priority fling date of November 9, 1998.
10. SRI owns the ’203, ’338 and ’6l5 patents
ll. The Patents-in-Suit relate generally to securing computer networks by
monitoring and detecting suspicious activity.
12. ISS designs and develops in the United States, makes, uses, sells and offers
for sale and has made, used, sold or offered for sale in the United States and abroad
intrusion detection, prevention, and security management products under the RealSecure,
I I I 1’roventia, Sitelhotector names and uses, sells, and offers for sale in the_United States
and abroad managed security services, threat analysis services, and security consulting
services.
2

Case 1 :04-cv-01199-SLR Document 533-2 Filed 08/29/2008 Page 3 of 4
13. SRI asserts all three Patents-in··Suit against ISS; and asserts two of the
Patents—in-Suit, the ‘203 and ‘615 patents, against Symantec.
14. The following references constitute 102(b) prior art printed publications:
P. Porras and P. Neumann, " EMERALD: Event Monitoring Enabling
Responses to Anomalous Live Disturbances,” Proceedings ofthe 20th
National Information Systems Security Conference, pp. 35-3 65, October 9,
1997 ("EMERALD l997") (DTX-356).
" NetRanger User’ s Guide Version l.3.1," WheelGroup Corporation,
1997.
L.T. Heberlein, G.V. Dias, K. N. Levitt, B. Mukherjee, J. Wood, D. Wolber., " A
Network Security Monitor," Proc. 1990 Symposium on Research in Security and
Privacy, pp. 296-304, May 1990. (See SRI’ s Responses to Symantec’ s Third
Set of RFAs, #12)
L.T. Heberlein, B. Mukherji ee, KN. Levitt., " A Method to Detect Intmsive
Activity in a Networked Environment," Proc. 14th National Computer Security
Conference, pp. 362-371, Oct. 1991. (See SR? s Responses to Symantec’ s
Third Set of RFAs, #14)
S.R. Snapp, J. Brentano, GN`. Dias, L.T. Heberlein, C. Ho, KN. Levitt, B.
Mukherjee, (with S.E. Srnaha, T. Grance, D.M. Teal, D.L. Mansur), " DIDS --
Motivation, Architecture, and an Early Prototype" ?roc. 14th National
Computer Security Conference, Washington, DC, Oct. 1991, pp. 167-176. (See
SRF s Responses to Sy1nantec’ s Third Set ofRFAs, #19). ·
L.T. Heberiein, B. Mukhetj ee, K.N. Levitt, “ Internetwork Security Monitor,"
Proc. ofthe 15th National Computer Security Conference, October 1992, pp.
262-271. (See SRF s Responses to Symantec’ s Third Set of RFAs, #48).
Y. Frank Sou et al., “ Architecture Design of a Scalable Intrusion Detection
System for the Emerging Network Infrastructuref Technical Report CDRL
A005, Dept. of Computer Science, North Carolina State University, April 1997
(“ JiNao Report")
15. It is not disputed that the EMERALD 1997 publication described and
l nenabied-the following:
a. "method for monitoring an enterprise network"
3

Case 1 :04-cv-01199-SLR Document 533-2 Filed 08/29/2008 Page 4 of 4
b. "deploying a plurality of network monitors in the enterprise network"
c. "detecting, by the network monitors, suspicious network activity based on
mzalysis of network traffic data, wherein at least one of the network monitors
utilizes a statistical detection rncthod"
d. "generating, by the monitors, reports of said suspicious activity"
e. "auton1atica1iy receiving and integrating the reports of suspicious activity, by
one or more hierarchical 1nonitors"
f "wherein integrating comprises correlating intrusion reports reflecting
underlying commonalities"
g. “wherein the plurality of network monitors includes an application
prograrnming interface (API) for encapsulation of monitor functions and
integration of thirdparty tools”
h. "an enterprise network monitoring system"
16. The following products were in public use and/or on-sale in this country
more than one year prior to November 9, 1998 and therefore constitute 102(b) prior art: I
ISS’s Rea1Secure Software versions 1.0, 1.1, 1.2, 1.2.1, 1.2.2, and 1.0 for
Windows NT
4