Full opinion text
MEMORANDUM OPINION SUE L. ROBINSON, District Judge. I. INTRODUCTION On August 26, 2004, plaintiff SRI International, Inc. (“SRI”) brought suit against defendants Symantec Corporation (“Symantec”) and Internet Security Systems, Inc. (“ISS”) (collectively, “defendants”) charging infringement of four patents: United States Patent Nos. 6,484,203 (“the '203 patent”), 6,708,212 (“the '212 patent”), 6,321,338 (“the '338 patent”), and 6,711,615 (“the '615 patent”). On April 13, 2005, 2005 WL 851126 (D.Del.2005), the court denied defendants’ motions to dismiss, sever and transfer. (D.I. 31) Following discovery, Symantec moved for summary judgment of non-infringement (D.I. 286), ISS moved for summary judgment of non-infringement and invalidity (D.I. 282, 291, 364), and defendants jointly moved for summary judgment that each of the patents in suit is invalid pursuant to 35 U.S.C. § 102 and § 103 (D.I. 297). Plaintiff filed motions for summary judgment of validity. (D.I. 270, 276, 279) The court issued its claim construction opinion on October 17, 2006, 2006 WL 2949305 (D.Del.2006). (D.I. 468) On the same date, the court held each of the asserted patents invalid as anticipated by SRI’s prior art publication “Live Traffic Analysis of TCP/IP Gateways” (“Live Traffic”) pursuant to 35 U.S.C. § 102. The court also found the '212 patent invalid as anticipated by a paper entitled “EMERALD: Event Monitoring Enabling Responses To Anomalous Live Disturbances” (“EMERALD 1997”) pursuant to 35 U.S.C. § 102. (D.I. 471) On appeal, the Federal Circuit affirmed the court’s decision with respect to the '212 patent and vacated and remanded the court’s determination that the remaining patents were rendered invalid by Live Traffic. SRI Int’l, Inc. v. Internet Sec. Sys., Inc., 511 F.3d 1186 (Fed.Cir.2008). The court denied defendants’ renewed motion for summary judgment of invalidity (D.I. 297) on August 21, 2008, 572 F.Supp.2d 511 (D.Del.2008). (D.I. 525) A jury trial commenced September 2, 2008. Plaintiff asserted that defendants infringe claims 1 and 12 of the '203 patent and claims 1, 13, 14, and 16 of the '615 patent. Plaintiff asserted that ISS also infringes claims 1, 11, 12, 13 and 24 of the '338 patent. Defendants challenged the validity of the asserted patents. On September 18, 2008, the jury found that Symantec and ISS infringed each asserted claim of the '615 and '203 patents, that ISS did not infringe the '338 patent, and that each of the '203, '605 and '338 patents are valid. (D.I. 558) The parties filed their post-trial motions on October 14, 2008. Currently pending before the court are: (1) plaintiffs motion for post-trial relief (D.I. 564); (2) ISS’s motion for renewed judgment as a matter of law (“JMOL”) or, in the alternative, for a new trial (D.I. 565); (3) Symantec’s motion for a new trial and/or to alter or amend the judgment (D.I. 566); and (4) Symantec’s motion for JMOL (D.I. 567). II. BACKGROUND A. Patents in Suit The patents in suit relate to the monitoring and surveillance of computer networks for intrusion detection. In particular, the patents teach a computer-automated method of hierarchical event monitoring and analysis within an enterprise network that allows for real-time detection of intruders. Upon detecting any suspicious activity, the network monitors generate reports of such activity. The claims of the '203 and '615 patents focus on methods and systems for deploying a hierarchy of network monitors that can generate and receive reports of suspicious network activity. To detect attacks which do not possess deterministic signatures or to detect previously unknown (new) attacks, the patents in suit disclose the use of statistical detection methods on network data. The claims of the '338 patent are directed to a particular statistical algorithm for detecting suspicious network activity. The patents in suit share a common specification and priority date of November 9,1998. The critical date is November 9, 1997 for purposes of 35 U.S.C. § 102(b). 1. The '615 and '203 patents Plaintiff asserted that defendants infringe claims 1, 13, 14 and 16 of the '615 patent and claims 1 and 12 of the '203 patent. Independent claims 1 and 13 of the '615 patent read as follows: 1. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising: deploying a plurality of network monitors in the enterprise network; detecting, by the network monitors, suspicious network activity based on analysis of network traffic data selected from one or more of the following categories: {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet, network connection acknowledgements, and network packets indicative of well-known network-service protocols}; generating, by the monitors, reports of said suspicious activity; and automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors. 13. An enterprise network monitoring system comprising: a plurality of network monitors deployed within an enterprise network, said plurality of network monitors detecting suspicious network activity based on analysis of network traffic data selected from one or more of the following categories: {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet, network connection acknowledgements, and network packets indicative of well-known network-service protocols}; said network monitors generating reports of said suspicious activity; and one or more hierarchical monitors in the enterprise network, the hierarchical monitors adapted to automatically receive and integrate the reports of suspicious activity. As used in all of the claims in suit, a “network” is a “collection of software and/or hardware interconnected by communication links for sharing information.” (D.I. 468 at 2) A “packet” is a “group of data bytes which represents a specific information unit with a known beginning and end.” (Id.) “Network monitors” means “[software and/or hardware that can collect, analyze and/or respond to data.” (Id.) Asserted claims 14 and 16 are dependant on claim 13, adding the additional limitations that the “integration- comprises correlating intrusion reports reflecting underlying commonalities” (claim 14) and that the “plurality of network monitors include an application programming interface (API) for encapsulation of monitor functions and integration of third party tools” (claim 16). Claims 1 and 12 of the '203 patent are independent claims and claim similar subject matter to that of the '615 patent, with the exception that the '203 patent claims do not require “network connection acknowledgments” or “network packets indicative of well-known network-service protocols” (as in claim 13 of the '615 patent). Claims 1 and 12 read as follows: 1. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising: deploying a plurality of network monitors in the enterprise network; detecting, by the network monitors, suspicious network activity based on analysis of network traffic data selected from the following categories: {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet}; generating, by the monitors, reports of said suspicious activity; and automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors. 12. An enterprise network monitoring system comprising: a plurality of network monitors deployed within an enterprise network, said plurality of network monitors detecting suspicious network activity based on analysis of network traffic data selected from the following categories: {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet}; said network monitors generating reports of said suspicious activity; and one or more hierarchical monitors in the enterprise network, the hierarchical monitors adapted to automatically receive and integrate the reports of suspicious activity- 2. The '338 patent The '338 patent relates to using a statistical method to detect suspicious network activity. Plaintiff asserted that ISS infringes claims 1, 11, 12, 13 and 24 of the '338 patent. Independent claim 1 reads as follows: 1. A method of network surveillance, comprising: receiving network packets handled by a network entity; building at least one long-term and at least one short-term statistical profile from at least one measure of the network packets, the at least one measure monitoring data transfers, errors, or network connections; comparing at least one long-term and at least one short-term statistical profile; and determining whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity. The court construed “building at least one long-term and at least one short-term statistical profile from at least one measure of the network packets” to mean: Generating at least two separate data structures, one a statistical description representative of historical network activity, and one a statistical description of recent network activity, where the statistical descriptions are based on at least one measure of the network packets and are generated through the use of statistical analysis; ie., something more than simply collecting and receiving data. (D.I. 468 at 5) The phrase “determining whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity” was construed to mean “[u]sing the result of the comparison to decide whether the monitored activity is suspicious.” (Id. at 6) Claim 11 depends from claim 1 and adds the additional limitations of “responding based on the determining whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious activity.” “Responding” was defined as “[flaking an action in response, including both passive and active response.” (Id. at 5) Claim 12 depends further from claim 11, adding the requirement that “responding comprises transmitting an event record to a network monitor.” Claim 13 depends further from claim 12, and requires “transmitting the event record to a hierarchically higher network monitor.” A “hierarchically higher network monitor” was construed to mean “[a] network monitor that receives data from at least one network monitor that is at a lower level in the analysis hierchy.” (Id. at 3) Independent claim 24 is similar to claim 1, but is written in the form of a product claim, as follows: 24. A computer program product, disposed on a computer readable medium, the product including instructions for causing a processor to: receive network packets handled by a network entity; build at least one long-term and at least one short-term statistical profile from at least one measure of the network packets, the measure monitoring data transfers, errors, or network connections; compare at least one short-term and at least one long-term statistical profile; and determine whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity. B. Accused Products 1. Symantec Plaintiff asserted that a specific combination of Symantec products infringes the '203 and '615 patents: Symantec Gateway Security 5400, 5600 and 1600 Series (the “SGS Products”) in combination with the Incident Manager 3.0 or the Security Information Manager Series 9500 appliances (the “Manager Products”). The SGS Products are lower-level network monitors and the Manager Products are hierarchical network monitors. Symantec does not dispute that, where a Manager Product is deployed with two or more SGS Products in an enterprise network, and the Manager Product is configured to automatically receive and integrate reports of suspicious network activity generated by the SGS Products, the '615 and '203 patents are infringed. (D.I. 572 at 7) Plaintiff also accused Symantec’s iForce IDS, ManHunt 3.0, Symantec Network Security 4.0, and the Symantec Network Security 7100 Series appliances (the “ManHunt” products) of infringement. The ManHunt products are not the subject of any post-trial motions. 2. ISS Plaintiff accused the following ISS products of infringing the '203 and '615 patents: RealSecure Network, Guard, Server, and Desktop series and Proventia A, G, M, Server, and Desktop series (the “ISS Sensors”) in combination with Fusion 2.0. The ISS accused products for the '338 patent are the Proventia Anomaly Detection System products (hereinafter, “ADS”). ADS, through its “rate-based anomaly detection” feature, “[d]eteets sudden shifts from baselined traffic levels overtime.” (PTX-106 at 3) This is accomplished by determining the current traffic rate, or the traffic rate in bits per second based on an observation of traffic over a two-minute time period. ADS also determines an historic traffic rate by using average traffic rate information from longer periods of time, such as a day, week, or month. The current and historic traffic rates are compared; if the current rate exceeds the historical rate, an alert is generated. (D.I. 592 at 496:2-498:6; 501:9-21; D.I. 604 at 1743:8-1744:5) The alert is forwarded to the “SiteProtector” product, a management system for ISS products. (D.I. 593 at 502:1-4; 639:1-6; PTX-106 at 2) “SiteProtector” is the general name for ISS’s management software, or software that receives and integrates reports of suspicious activity received from an ISS Sensor. Version 2.0 of ISS’s “SiteProtector Security Fusion” product, or “Fusion 2.0,” is an add-on software module. C. Asserted Prior Art 1.The JiNao Report At trial, ISS argued that the '338 patent is anticipated by a “Technical Report” entitled “Architecture Design of a Scalable Intrusion Detection System for the Emerging Network Infrastructure” by Frank R. Jou et al. (“the JiNao Report”). (DTX-51) The JiNao Report describes the architecture of an intrusion detection system that protects against attacks on network infrastructure, such as routers. To do so, the system described monitoring router activity, using statistical profiling on router audit logs. The parties disputed at trial whether the JiNao Report disclosed building statistical profiles based on network packet data as required by the patents in suit. 2. Live Traffic The Live Traffic paper was discussed in the court’s prior opinion, SRI Intern., Inc., 456 F.Supp.2d at 626. In short, the Live Traffic paper was submitted by Phillip Porras (“Porras”), one of the named inventors of the patents in suit, to the Internet Society in 1997 in response to a call for papers for a conference called the “Symposium on Network and Distributed System Security” (“SNDSS”). Matt Bishop (“Bishop”) was the program chair for the SNDSS who received Porras’s submission by email dated August 1, 1997. In addition, Porras provided a link to plaintiffs FTP site whereon a copy of the Live Traffic paper was posted for one week. The Live Traffic paper was authored by Porras and Alfonso Valdes (“Valdes”), another named inventor of the patents in suit, and it is undisputed that, if the Live Traffic paper is 35 U.S.C. § 102(b) prior art, it anticipates each patent in suit. 3. RealSecure RealSecure is a ISS software product responsible for alerting a user when an unauthorized individual breaks into an enterprise network. There are two components of the product: a sensor and a console (or user interface). (D.I. 593 at 763:3-13) The RealSecure management console displays real-time alarm data in a standard Windows NT activity tree mode, where the data in the tree can be sorted by destination address, source address, or event name. Events contain an icon that indicates the severity as well as a distinct event name. Multiple occurrences of the same event are combined into a single notification. The user can drill down into event data to find out exactly what happened, what actions RealSecure took in response to the event, and what other related events have also occurred. Event data can also be stored in an ODBC-compliant database for generalization of reports. Reports are available in text and graphic formats and the user can launch customized reports from the interface, if desired. (DTX-1801 at 3496; D.I. 594 at 819:4-820:19) There are several ways to view the activity tree window. One is the “source tab,” where network activity is sorted by the source of the system initiating the activity. (DTX-2542 at 62) The name is followed by a numerical value corresponding to the number of events for that source, e.g., “duke (2).” (Id.) This same format is used for the “events tab,” where “the most recent network activity [is] sorted by the type and priority of the event.” (Id. at 64) Finally, an alternate view is the “destination tab,” which sorts events by the numerical IP addresses of the systems targeted by the activity. (Id. at 63) Aside from reporting events to the console for the user’s viewing in these mariners, the RealSecure system can take other responsive measures, such as sending emails, killing the connection, and stopping network traffic. (D.I. 593 at 759:10-24) The parties disputed at trial whether RealSecure integrated reports of suspicious activity as required by the hierarchical monitor claim limitation. 4. DIDS 1991 In 1991, Steven R. Snapp et al. of the University of California, Davis published a paper entitled “DIDS (Distributed Intrusion Detection System) — Motivation, Architecture, and An Early Prototype” (hereinafter, the “DIDS 1991 paper”). (DTX-21) The DIDS 1991 paper described the DIDS Project, a multi-organizational intrusion detection project that was developed in 1990 and funded through the United States Air Force. (D.I. 594 at 999:22-1002:6) The components of the prototype DIDS intrusion detection system described by the DIDS 1991 paper “include[d] the DIDS director, a single host monitor per host, and a single LAN[] monitor for each LAN segment of the monitored network.” (DTX-21 at 168) In Figure 2, the DIDS 1991 paper depicts a single “LAN Monitor” connected to a “DIDS Director” containing the user interface. (Id. at 176) The DIDS 1991 paper also describes that the “LAN monitor uses several simple analysis techniques to identify significant events,” such as profiles of expected network behavior. (Id. at 171) The parties do not dispute that the DIDS 1991 paper is 35 U.S.C. § 102(b) prior art. The dispute at trial focused on whether the DIDS 1991 paper disclosed and enabled multiple lower level (or LAN) monitors as required by the “plurality of network monitors in the enterprise network” limitation. 5. EMERALD 1997 EMERALD 1997 was also discussed in the court’s prior opinion, SRI Intern., Inc., 456 F.Supp.2d at 626, and by the Federal Circuit, SRI Intern., Inc., 511 F.3d at 1188-89. In short, EMERALD 1997 is a conceptual overview of the EMERALD system, the brainchild of plaintiffs EMERALD project on intrusion detection, published by Porras and Peter G. Neumann on behalf of plaintiff in October 1997. EMERALD 1997 contains a detailed description of plaintiffs early research in Intrusion Detection Expert System (“IDES”) technology, and outlines the development of the Next Generation IDES (“NIDES”) for detecting network anomalies. The parties do not dispute that EMERALD 1997 is 35 U.S.C. § 102(b) prior art to the patents in suit. With respect to anticipation, the parties dispute only whether EMERALD 1997 discloses detection of any of the network traffic data categories listed in claim 1 of the '203 and '615 patents. With respect to obviousness, the parties dispute whether EMERALD 1997’s internal citation to a publication entitled “A Method to Detect Intrusive Activity in a Networked Environment” (hereinafter, “Intrusive Activity 1991”), one of twenty-four citations to outside references contained in that paper, provides a motivation to combine the references and a reasonable expectation of success with respect to the inventions claimed in the '203 and '615 patents. It is not disputed that Intrusive Activity 1991 discloses at least one of the claimed categories of network traffic data. D. The Verdict With respect to Symantec, the jury found that both the ManHunt Products and the asserted combination of SGS Products with the Manager Products infringe each asserted claim of the '203 and '615 patents. (D.I. 558) The jury also found that Symantec induces the infringement of each asserted claim by its customers. (Id.) The jury found that ISS infringes each asserted claim of the '203 and '615 patents and that ISS induces infringement by its customers of each of these claims. (Id.) The jury also found that ISS does not infringe the '338 patent. (Id.) Finally, the jury found that defendants did not prove that the patents in suit are invalid due to anticipation, or that the '203 or '615 patents are invalid due to obviousness or failure to disclose the best mode. (Id.) The court entered judgment for plaintiff on the '203 and '615 patents and for ISS on the '338 patent. (D.I. 560) IV. DISCUSSION A. Infringement 1. Standards A patent is infringed when a person “without authority makes, uses or sells any patented invention, within the United States ... during the term of the patent.” 35 U.S.C. § 271(a). A two-step analysis is employed in making an infringement determination. Markman v. Westview Instruments, Inc., 52 F.3d 967, 976 (Fed.Cir.1995). First, the court must construe the asserted claims to ascertain their meaning and scope. Id. Construction of the claims is a question of law subject to de novo review. See Cybor Corp. v. FAS Techs., 138 F.3d 1448, 1454 (Fed.Cir.1998). The trier of fact must then compare the properly construed claims with the accused infringing product. Markman, 52 F.3d at 976. This second step is a question of fact. See Bai v. L & L Wings, Inc., 160 F.3d 1350, 1353 (Fed.Cir.1998). “Direct infringement requires a party to perform each and every step or element of a claimed method or product.” BMC Res., Inc. v. Paymentech, L.P., 498 F.3d 1373, 1378 (Fed.Cir.2007). “If any claim limitation is absent from the accused device, there is no literal infringement as a matter of law.” Bayer AG v. Elan Pharm. Research Corp., 212 F.3d 1241, 1247 (Fed.Cir.2000). If an accused product does not infringe an independent claim, it also does not infringe any claim depending thereon. Wahpeton Canvas Co. v. Frontier, Inc., 870 F.2d 1546, 1553 (Fed.Cir.1989). The patent owner has the burden of proving infringement and must meet its burden by a preponderance of the evidence. Smith-Kline Diagnostics, Inc. v. Helena Lab. Corp., 859 F.2d 878, 889 (Fed.Cir.1988) (citations omitted). To demonstrate inducement of infringement, the patentee must establish “first that there has been direct infringement, and second that the alleged infringer knowingly induced infringement and possessed specific intent to encourage another’s infringement.” Broadcom Corp. v. Qualcomm Inc., 543 F.3d 683, 697-98 (Fed.Cir.2008) (citations omitted). That is, “inducement requires evidence of culpable conduct, directed to encouraging another’s infringement, not merely that the inducer had knowledge of the direct infringer’s activities.” DSU Medical Corp. v. JMS Co., Ltd., 471 F.3d 1293, 1306 (Fed.Cir.2006) (citation omitted). “The plaintiff has the burden of showing that the alleged infringer’s actions induced infringing acts and that he knew or should have known his actions would induce actual infringements.” Id. (quoting Manville Sales Corp. v. Paramount Sys., Inc., 917 F.2d 544, 553 (Fed.Cir.1990)). This amounts to a showing of “specific intent.” Id. at 1305 (citing Warner-Lambert Co. v. Apotex Corp., 316 F.3d 1348, 1363 (Fed.Cir.2003) and Water Techs. Corp. v. Calco, Ltd., 850 F.2d 660, 668 (Fed.Cir.1988) (patentee must prove that defendant “actively and knowingly aid[ed] and abett[ed] another’s direct infringement”)). 2. Symantec’s motion for JMOL Symantec moves for JMOL that the jury’s verdict on induced infringement was not supported by substantial evidence because plaintiff presented no direct evidence that either Symantec or its customers actually employed the infringing combination of SGS and Manager Products. At trial, only a specific configuration of SGS and Manager Products was accused of infringement: the operation of the SGS and Manager Products together in an enterprise network, where the Manager Product is configured to automatically receive and integrate reports of suspicious network activity generated by the SGS Products. There is no dispute that the SGS Products and Manager Products (independently) have non-infringing uses, or that the use of the products together in another configuration does not infringe. Plaintiff built its infringement case upon an implication that Symantec’s customers committed direct infringement. More specifically, plaintiff presented evidence that: (1) the SGS and Manager Products were designed to work together; (2) SGS Products are used to monitor enterprise networks; and (3) Symantec encouraged customers to employ both products together and provided instructions to customers on how to do so. Plaintiffs evidence in this regard was as follows. A presentation with a “Costco” logo on its cover page, entitled “Symantec Incident Manager Overview,” states that “Symantec Incident Manager is built upon SESA [Symantec Enterprise Security Architecture]” (PTX-33 at 0286105) and visually depicts the Symantec Enterprise Security Architecture as including “Incident Manager” for “correlation, analysis, and reporting” (Id. at 0286128). Symantec product manager Howard Lev and engineer Paul Agbabian testified that the SGS and Manager Products work together. (D.I. 593 at 538:12-539:7, 543:6-18 (Symantec Incident Manager and Symantec Gateway Security Advance Manager can receive events from the SGS Products); 548:11-550:9, 551:12-15 (Symantec Incident Manager can receive information from at least the SGS 5400 series product and SNS 4.0 software)) Plaintiffs expert, Dr. George Kesidis (“Kesidis”), also testified that the SGS and Manager Products are “designed] to operate with each other” and that SGS Products are used to monitor enterprise networks. (D.I. 593 at 626:4-15; 628:14-16; 743:13-15) Kesidis testified that, when customers buy the SGS and Manager Products, they receive manuals describing how they interoperate and, thus, it is reasonable to believe the customers will use the products together. (Id. at 626:4-15) Examples of materials provided to customers are: (1) the “Costco” — labeled materials noted previously (PTX-33; D.I. 593 at 629:1-23 (stating that his review of Symantec deposition testimony and other documents confirmed that the SGS Products send events to the Incident Manager, as depicted in PTX-33)); (2) a document entitled “Symantec Response for JPMorganChase Security Information and Event Management R[equest] F[or] I[nformation]” describing the use of Information Manager with network intrusion products (PTX-34 at 0286666-67 and -6678); and (3) a presentation entitled “Symantec Security Information Manager 9500 Series” containing a diagram connecting Information Manager with intrusion devices (PTX-167 at 0283912; D.I. 593 at 631:1-8 (Kesidis)). Based upon this circumstantial evidence, plaintiff asserts that it was “well within the jury’s province to conclude that, consistent with Symantec’s encouragement and instructions, these products, which were designed to be used together in an enterprise network, were in fact used together.” (D.I. 579 at 7) According to plaintiff, this would include infringement by Symantec itself (“undoubtably a large enterprise”) by using its products in-house, and infringement by customers purchasing the SGS and Manager Products. (D.I. 579 at 3-4, 6-7) The court disagrees. While it is true that circumstantial evidence may be used to demonstrate direct infringement, Moleculon Research Corp. v. CBS, Inc., 793 F.2d 1261, 1272 (Fed.Cir.1986), the evidence must still indicate that infringement actually occurred. That is, a patentee must “either point to specific instances of direct infringement or show that the accused device necessarily infringes the patent in suit.” ACCO Brands v. ABA Locks Manufacturer Co., Ltd., 501 F.3d 1307, 1313 (Fed.Cir.2007); see also Dynacore Holdings Corp. v. U.S. Philips Corp., 363 F.3d 1263, 1275-76 (Fed.Cir.2004). In ACCO, the product accused of infringement (a key lock) could be operated in either an infringing manner or a non-infringing manner. Id. at 1310-11. The distributor’s instructions provided with the product instructed customers to use the lock in the non-infringing manner. Id. Plaintiffs expert opined at trial that the infringing method was the “natural and intuitive way to employ the device.” Id. The record was, however, “devoid of evidence of actual users having operated the lock in an infringing manner,” such as witness testimony or customer surveys. Id. at 1313. Stating that “[h]ypothetical instances of direct infringement are insufficient to establish vicarious liability or indirect infringement,” the Federal Circuit found that the jury’s verdict of inducement could not stand. Id. at 1313-14 (citation omitted). Therefore, where the claim language specifies a particular configuration, as compared to being “drawn to capability,” the fact that an accused product (or combination of products) are “reasonably capable of being put into the claimed configuration is insufficient for a finding of infringement.” See Ball Aerosol and Specialty Container, Inc. v. Limited Brands, Inc., 555 F.3d 984, 994-95 (Fed.Cir.2009) (citing ACCO, 501 F.3d at 1313). Compare Intel Corp. v. U.S. Int’l Trade Comm’n, 946 F.2d 821, 832 (Fed.Cir.1991) (limitation of “programmable selection means” may be met by an accused device “capable of operating in the page mode,” regardless of actual usage in that mode) (emphasis added) (cited by plaintiff). In the case at bar, there is no dispute that the SGS and Manager Products, even where deployed in the same network, can be used together in a non-infringing manner. Symantec is correct that, because both the SGS and Manager Products have noninfringing uses (i.e., the combination does not “necessarily infringe” the patents), plaintiff was obligated to identify specific instances of direct infringement involving these products. See ACCO, 501 F.3d at 1313. In response to Symantec’s motion, however, plaintiff failed to identify any evidence adduced at trial that either Symantec or any of its customers actually combined the SGS and Manager Products in an enterprise network where the Manager Products were also configured to automatically receive and integrate reports of suspicious network activity generated by the SGS Products. The court recognizes that the Federal Circuit has previously found circumstantial evidence of direct infringement sufficient under more compelling circumstances. For example, in Golden Blount, Inc. v. Robert H. Peterson Co., 438 F.3d 1354 (Fed.Cir.2006), the Court found that the district court did not err in concluding that defendant infringed the patent at issue, which claimed a fireplace assembly comprising a primary and secondary burner. In that case, the secondary burner sold by defendant had no non-infringing use, and defendant “provided [instruction sheets] to its customers on how to configure the components” resulting in the infringing combination. Id. at 1361. There was also no dispute that each end user who purchased a secondary burner attached it to a primary burner. Id. at 1326. The Federal Circuit stated that “it matters not that the assembled device can be manipulated into a non-infringing configuration, because the instructions packaged with each device teach the infringing configuration and nothing in the record suggests that either [defendant] or any end user ignored the instructions or assembled the burners in a manner contrary to the instructions so as to form a noninfringing configuration.” Id. at 1363 (citation omitted). In Symantec Corporation v. Computer Associates International, Inc., 522 F.3d 1279 (Fed.Cir.2008), the Federal Circuit addressed the issue on review of the district court’s grant of summary judgment of non-infringement. Symantec, like plaintiff at bar, adduced only circumstantial evidence of direct infringement in opposition to defendant’s motion. Symantec demonstrated, however, that defendant encouraged customers to use the accused product in an infringing manner. Notably, Symantec “[was] not a case where the customers may [have] be[en] using the product in an infringing way or a noninfringing way; [defendant’s] customers c[ould] only use the [accused] products in an infringing way.” Id. at 1293. Under those circumstances, the Federal Circuit reversed the grant of summary judgment by the district court notwithstanding Symantec’s lack of direct infringement evidence. Id. In the present case, unlike in Golden Blount, the documents cited by plaintiff do not contain clear or affirmative instructions to employ the SGS and Manager Products together in an enterprise network, such that the Manager Products are configured to automatically receive and integrate reports of suspicious network activity generated by the SGS Products. The documents (even as characterized by plaintiff) simply depict the use of the SGS and Manager Products together. (PTX-33; PTX-34; PTX-167) As in ACCO, plaintiff at bar did not present any witness testimony of defendant’s employees or its actual customers demonstrating that direct infringement occurred. Unlike Symantec, there was no dispute in this case that the SGS and Manager Products have non-infringing uses; it is only the specific configuration of the two together that was accused of infringement. Because plaintiff at bar presented no direct evidence of infringement and relied only on circumstantial evidence, the nature of which does not compel the conclusion that infringement necessarily occurred, the court finds the jury’s verdict of infringement of the '203 and '615 patents by the asserted combination of the SGS and Manager Products was not supported by substantial evidence. Symantec’s motion is granted. Because Symantec did not challenge the jury’s finding that its ManHunt Products infringe the '203 and '615 patents, the court affirms the judgment for plaintiff in this regard. 3. Plaintiffs motion for JMOL Plaintiff moves for JMOL that the jury’s verdict that ISS does not infringe claims 1, 11, 12, 13 and 24 of the '338 patent is not supported by substantial evidence. Plaintiff accused ISS’s ADS of infringing the '338 patent, which claims are generally directed to building and comparing long-term and short-term statistical profiles in order to determine suspicious network activity. The parties debated whether the current traffic rate generated by the ADS met the “short-term statistical profile” limitation of the claims. As noted previously, the court’s construction required the “statistical descriptions” of both historical and current activity to be “based on at least one measure of the network packets and are generated through the use of statistical analysis; ie., something more than simply collecting and receiving data.” (D.I. 468 at 5) The ADS creates a current traffic rate, or a measurement of the number of packets per unit of time, based upon a two-minute interval. The parties characterized the current traffic rate as a “bit rate.” The dispute at trial centered around whether this measurement is “statistical” in nature. Kesidis testified for plaintiff that the bit rate is a mathematical “average,” and is a statistical measurement that satisfies the claims. (D.I. 593 at 674:10-11; 710:23-711:5; 713:18-25) ISS’s expert, Dr. Steve Smaha (“Smaha”), testified that the current traffic rate is not an “average.” According to Smaha, the current traffic rate is a count of the total amount of bytes that have been seen during the last two minutes, “converged] into a rate by taking [this] total number of bits and dividing it by 120. That’s not an average in any sense. It’s just a bit rate over that period. We’re not dividing it by the number of packets that we’re seeing[.]” (D.I. 604 at 1743:15-20) Smaha used a demonstrative comparing the “simple math” of averages (“average of N terms = Sum of N items / N ”) to the “bit rate” (“Bit rate: # bits moved/Length of time”). (DTX-2203) Smaha further testified that a “statistical description” requires both an average and a variance of the data. Smaha utilized a trial demonstrative showing that an “average” refers only to the center of a bell-shaped curve. The variance, or the width of that curve, would be required to have a statistical description of a particular curve. (D.I. 604 at 1744:13-25; DTX-2203) Smaha stated that the ADS does not look at “a select measure of data transfer, like the bits, find its mean [average], its variance, and create a statistical profile for it in the short-term.” (D.I. 604 at 1746:11-21) In his opinion, ADS does not infringe because “all [it’s] doing is measuring the bit rate during a two-minute window and there’s definitely no mathematics that’s more involved than computing the bit rate.” (Id. at 1747:7-10) Similarly, Dr. Stuart Stamford, a scientist involved in the field of intrusion detection, testified that both a “measure” (of what is to be monitored) and a “profile” (which must be designed to “capture the odds of you going outside some range” of activity) are present in a statistical algorithm. (D.I. 594 at 862:7-868:24) ISS points out that Kesidis agreed on cross-examination that “[statistical analysis has to deal with variations in data, variations in features and decisions under uncertainty[.]” (D.I. 593 at 710:16-25) Kesidis described a short-term statistical profile as follows: Well, it’s short. There’s a term to it, two minutes, and over that two-minute window, you could look at a select measure of data transfer, find its mean, its variance, create a statistical profile for it in the short-term. (Id. at 675:3-6) (emphasis added) Kesidis agreed that standard deviation, representing the square root of the variance, is the “most fundamental” variation in a statistical measurement. (Id. at 711:6-11) Kesidis conceded that the ADS product does not store any variance; it does not “look[ ] at variability over the short-term.” (Id.) Plaintiff argues that the “rate” discussed by Smaha is not a “mere collection and reiteration of data” because the observed bits taken from the two-minute snapshot, after collection, are divided by the number of seconds it took to observe the bits. (D.I. 569 at 10) This division renders the result “a calculated figure obtained by applying mathematical analysis.” (Id.) Smaha did not dispute that the bit rate was the result of simple mathematics, but stated that a “statistical profile” requires at least a mean, variance, or standard deviation, none of which are not calculated by ADS. (D.I. 604 at 1747:2-10) The court finds that substantial evidence supports the jury’s verdict of noninfringement. The jury could properly accept Smaha’s testimony (over Kesidis’s) and find that the bit rate is not an “average,” and/or that the simple division resulting in the bit rate (or current traffic rate) is not “statistical” in nature because no variance or standard deviation is calculated. Finally, and contrary to plaintiffs assertion, ISS’s stipulation that a historical traffic rate is a long-term statistical profile is not necessarily inconsistent with its position regarding the short-term statistical profile. (D.I. 569 at 11) Plaintiffs witnesses testified that the long-term statistical profile is a set of historical averages. (D.I. 592 at 497:1-24; D.I. 593 at 712:13-16) Smaha distinguished a “bit rate” from an “average,” and the jury was free to accept that characterization. Plaintiffs motion is denied. The court declines plaintiffs request to award a new trial. 4. ISS’s motion for JMOL ISS moves for JMOL that it does not infringe or induce the infringement of the '615 and '203 patents. The asserted claims require that network monitors (e.g., the ISS Sensors) and an adapted hierarchical monitor (e.g., SiteProtector with Fusion 2.0) be deployed in an “enterprise network.” ISS admits that the patents are infringed where ISS Sensors, SiteProtector, and Fusion 2.0 are deployed in an enterprise network and Fusion 2.0’s “Attack Pattern Component” (“APC”) is enabled and used. (D.I. 570 at 10) Fusion 2.0 also has another functionality, the Impact Analysis Component (“IAC”), which undisputably does not infringe. (D.I. 593 at 702:7-14) The IAC and APC each require separate installation by a customer prior to use. (Id. at 702:23-25) a. Direct infringement by ISS ISS asserts that plaintiff presented no evidence that ISS itself actually deployed or used the accused products in an infringing mariner. (D.I. 570 at 12) Kesidis admitted at trial that he did not recall “seeing any evidence that ISS itself runs” at least two ISS Sensors with Fusion 2.0. (D.I. 593 at 689:20-690:4) Kesidis described the evidence he saw as “a deployment [by] one of ISS’s customers,” not ISS. (Id. at 645:5-10) In its post-trial papers, plaintiff argues that ISS directly infringes because the evidence shows that: (1) ISS demonstrated Fusion 2.0’s APC during training courses; and (2) ISS video presentations, introduced into evidence via computer screenshots, evidence ISS’s use of Fusion 2.0’s APC. Plaintiff points to the testimony of Jim Pruss (“Pruss”), ISS’s courseware development manager, who designs courses and course materials used to train customers regarding ISS’s products. Pruss testified that the APC feature is discussed in ISS’s “Advanced SiteProteetor” course: “We teach them how to turn that on from a configuration standpoint, and we show them a demonstration. We also describe, at a very high level, types of attack patterns that the product is capable of recognizing.” (D.I. 592 at 464:6-13) Plaintiff asserts that “[i]t was reasonable for the jury to infer that to perform [its customer] demonstrations ISS installs SiteProteetor and ISS Sensors” because the SiteProteetor is a prerequisite to the use of Fusion 2.0, and the APC only analyzes events generated by ISS Sensors. (D.I. 580 at 3) ISS does not contest the latter points. (D.I. 587 at 2-3) Plaintiff also argues that, “during any demonstration of the APC’s operation, the APC must actually receive and integrate events, as that is its sole purpose.” (D.I. 580 at 3, citing D.I. 570 at 10 (“The APC module combines different reports from the ISS [S]ensors into certain preprogrammed attack types called ‘incidents’.”)) ISS argues that Pruss testified that ISS instructors use “artificially created traffic” in their demonstrations. (D.I. 592 at 466:22-467:1) ISS also asserts that there is no evidence that the classroom environment satisfied Kesidis’ description of an “enterprise network.” (D.I. 587 at 2) Plaintiff also introduced screenshots of Fusion 2.0’s APC showing attack patterns generated by Fusion 2.0. (PTX-158; D.I. 592 at 445:15-446:21) Plaintiff asserts that it would be reasonable to assume that ISS deployed SiteProteetor and the APC to create the screen images because the screen shots came from the SiteProteetor console and show images generated by the APC. (D.I. 580 at 4) Plaintiff also asserts that the jury could have reasonably inferred that ISS deployed ISS Sensors because the APC creates incidents based on receipt of analysis of events generated by deployed ISS Sensors. (Id. at 4, citing D.I. 592 at 433:12-16 (generally describing the APC); 436:17-437:4 (the APC cannot analyze events originating from a third party); 445:15-446:21 (PTX-158 shows attack patterns generated by Fusion 2.0)) The above identified documents, however, do not specifically indicate the source of the events. Mr. Paul Griswold, an ISS engineer, testified that incidents can either be based off the attack patterns that are recognized by Fusion 2.0 or “[t]hey can be manually created,” consistent with Pruss’s testimony that artificial traffic may be used for demonstrative purposes. (D.I. 592 at 446:4-8; 466:22-467:1) Plaintiff points to no testimony affirmatively demonstrating that ISS employed an infringing system during its demonstrations. More specifically, the record is devoid of any indication that, during ISS’s classroom demonstrations, an infringing system (multiple ISS Sensors, SiteProtector with Fusion 2.0 and an enabled APC) was actually deployed in an enterprise network. Certainly, Kesidis did not see any evidence of such an occurrence. (D.I. 593 at 689:20-690:4) There is no debate that the APC must receive and integrate events to be functional (and demonstrable), however, there is no indication that, during the customer demonstrations relied upon by plaintiff, the APC necessarily received events from ISS Sensors as compared to an artificial source. On this record, a reasonable jury could not have found direct infringement by ISS by a preponderance of the evidence. b. Inducement of infringement Plaintiff avers that it met its burden to show direct infringement at trial in two manners. Plaintiff argues that the system claims (claim 12 of the '203 patent and claims 13, 14 and 16 of the '615 patent) require only that the hierarchical monitors are “adapted to” automatically receive and integrate the reports of suspicious activity, therefore, this limitation is met by merely the deployment of ISS Sensors, SiteProtector, and Fusion 2.0 in an enterprise network. That is, plaintiff need not show “evidence of any particular use by a customer of the APC.” (D.I. 580 at 6) With respect to the method claims (claim 1 of the '203 patent and claim 1 of the '615 patent), plaintiff asserts that circumstantial evidence such as ISS’s training classes and marketing materials demonstrate use of Fusion 2.0 by customers, providing “ample support” for the jury’s conclusion that ISS’s customers directly infringe. (Id. at 8) The court addresses each argument in turn. i. System claims As discussed previously, the APC is a component of Fusion 2.0 that has to be installed separately.' (D.I. 593 at 702:23-25) Kesidis conceded at trial that a customer who purchases Fusion 2.0 does not necessarily have to install or use the accused APC feature. (Id. at 703:1-17 (“I’m assuming that if the APC was purchased with Fusion, I made an argument that it’s likely that the APC is being used.”)) Kesidis did not know for sure whether the APC was actually used by any particular customers. (Id. at 703:13-17) Plaintiff generally asserts that, “[biased on the fact that Fusion 2.0 must be deployed with SiteProtector and ISS Sensors to be used at all and that ISS instructs its customers to do so, it was reasonable for the jury to conclude that ISS customers do deploy this combination of products as ISS has encouraged them to do.” (D.I. 580 at 7-8) In support, plaintiff cites the following evidence: (1) the APC “[i]nterfaces with SiteProtector to report attack patterns” (PTX-93 at 535790, -793); (2) a “prerequisite” to running Fusion is that “SiteProtector must already be installed” and be directly accessible (id. at 535796); (3) “SiteProtector is required” in order to use Fusion (PTX-148 at 5996); (4) “Attack Pattern detection” of Fusion analyzes vulnerability data and intrusion events collected by SiteProtector (id. at 5992); (5) the Fusion module correlates and analyzes events detected by “an intrusion detection agent,” or an ISS Sensor (DTX-2501 at 4); (6) Mr. Griswold testified that the APC “will look at multiple [intrusion prevention] events from our sensors,” which are received from the “EventCollector,” a preprocessor for sensor events that is part of SiteProtector (D.I. 592 at 433:1-16; 434:15-436:21); (7) the APC cannot receive “events that have been generated by third party products” (id. at 436:17-21); and (8) Kesidis testified that Fusion 2.0 automatically receives its reports “[f]rom the sensors of the lower level monitors” (D.I. 593 at 654:13-15). (D.I. 580 at 7-8) ISS does not specifically refute plaintiffs cited evidence that Fusion 2.0 was designed for deployment with SiteProtector and ISS Sensors. (D.I. 587 at 7) ISS instead argues that “a customer’s purchase of Fusion 2.0 does not necessarily mean they installed the APC component” (as compared to the IAC component), nor does it mean that Fusion 2.0 with the APC component was installed in an enterprise network where two or more (a plurality of) ISS Sensors were installed. (Id.) ISS documentation belies this assertion, however, stating that, “[w]hile it consists of two components [IAC and APC], Fusion is presented as a single homogeneous system to the user.” (PTX-93 at 535787) Nonetheless, plaintiff points to only one example of a customer that used multiple ISS Sensors, SiteProtector and Fusion 2.0 in its network: HealthSouth. (D.I. 580 at 7) Robert Ferrill (“Ferrill”), Director of Information Security for HealthSouth, testified that HealthSouth uses ISS Sensors, SiteProtector and Fusion 2.0 in its network. (D.I. 592 at 471:17-23) Despite plaintiffs citation to evidence that ISS sold more than $173 million of ISS Sensors to its Fusion 2.0 customers in the United States (D.I. 580 at 8, citing PTX-614), plaintiff points to no testimony, by Ferrill or otherwise, affirmatively indicating that the APC component of Fusion 2.0 was installed by HealthSouth or any other customer. Fusion 2.0 may have been presented “as a single homogenous system” to HealthSouth, but this is not a substitute for evidence of what any ISS customer(s) actually did. Because it was not disputed that a Fusion 2.0 customer does not necessarily have to install and run the APC feature, plaintiff was required to identify at least one specific instance of infringement by customers, ie., a customer’s use of the APC feature of Fusion 2.0 in an infringing system (multiple ISS Sensors, SiteProtector with Fusion 2.0 and an enabled APC). See ACCO, 501 F.3d at 1313. Having failed to do so, the jury’s verdict with respect to the system claims must be reversed. ii. Method claims With respect to the method claims, and as discussed previously, plaintiff points to evidence that ISS teaches customers how to use the APC feature in ISS’s customer training course, specifically, “how to configure the product and to recognize that type of event when it appears in the management consult.” (D.I. 592 at 464:3-465:5) Additionally, ISS’s marketing materials discuss attack pattern recognition. (PTX-148; PTX-157; PTX-314) Because there is a non-infringing use of Fusion 2.0 (the IAC), under ACCO, plaintiff was required to demonstrate that a customer installed the accused APC feature and operated it in an infringing manner. See ACCO, 501 F.3d at 1313. There is no affirmative evidence that customers who purchased Fusion 2.0 necessarily ran the infringing combination of software. Compare Golden Blount, 438 F.3d at 1361. Nor is there evidence that ISS provided a specific instruction to customers to utilize the APC in this manner. Compare Moleculon, 793 F.2d at 1272 (upholding district court finding that plaintiff met its burden of showing infringement under section 271(b) with “circumstantial evidence of extensive puzzle sales, dissemination of an instruction sheet teaching the method of restoring the preselected pattern with each puzzle, and the availability of a solution booklet on how to solve the puzzle”). The jury’s verdict was not supported by substantial evidence, therefore, the court grants ISS’s motion. c. Validity of the '338 patent Claims 1 and 24 of the '338 patent require building “at least one long-term and at least one short-term statistical profile from at least one measure of the network packets,” which the court construed to mean “[gjenerating at least two separate data structures ... where the statistical descriptions are based on at least one measure of the network packets and are generated through the use of statistical analysis[.]” (D.I. 468 at 5) At trial, plaintiff asserted that the JiNao Report disclosed building statistical profiles based on router audit logs, and not network packets, thus failing to satisfy this limitation, i. The law of anticipation An anticipation inquiry involves two steps. First, the court must construe the claims of the patent in suit as a matter of law. See Key Phar. v. Hercon Labs. Corp., 161 F.3d 709, 714 (Fed.Cir.1998). Second, the finder of fact must compare the construed claims against the prior art. See id. Proving a patent invalid by anticipation “requires that the four corners of a single, prior art document describe every element of the claimed invention, either expressly or inherently, such that a person of ordinary skill in the art could practice the invention without undue experimentation.” Advanced Display Sys. Inc. v. Kent State Univ., 212 F.3d 1272, 1282 (Fed.Cir.2000) (citations omitted). The Federal Circuit has stated that “[t]here must be no difference between the claimed invention and the referenced disclosure, as viewed by a person of ordinary skill in the field of the invention.” Scripps Clinic & Research Found, v. Genentech, Inc., 927 F.2d 1565, 1576 (Fed.Cir.1991). The elements of the prior art must be arranged or combined in the same manner as in the claim at issue, but the reference need not satisfy an ipsissimis verbis test. In re Gleave, 560 F.3d 1331, 1334 (Fed.Cir.2009) (citations omitted). “In determining whether a patented invention is [explicitly] anticipated, the claims are read in the context of the patent specification in which they arise and in which the invention is described.” Glaverbel Societe Anonyme v. Northlake Mktg. & Supply, Inc., 45 F.3d 1550, 1554 (Fed.Cir.1995). The prosecution history and the prior art may be consulted “[i]f needed to impart clarity or avoid ambiguity” in ascertaining whether the invention is novel or was previously known in the art. Id. (internal citations omitted). “A claimed invention cannot be anticipated by a prior art reference if the allegedly anticipatory disclosures cited as prior art are not enabled.” Amgen, Inc. v. Hoechst Manon Roussel, Inc., 314 F.3d 1313, 1354 (Fed.Cir.2003). Additionally, the reference must “enable one of ordinary skill in the art to make the invention without undue experimentation.” In re Gleave, 560 F.3d at 1334 (citing Impax Labs., Inc. v. Aventis Pharms. Inc., 545 F.3d 1312, 1314 (Fed.Cir.2008)). “As long as the reference discloses all of the claim limitations and enables the ‘subject matter that falls within the scope of the claims at issue,’ the reference anticipates — no ‘actual creation or reduction to practice’ is required.” In re Gleave, 560 F.3d at 1334 (quoting Schering Corp. v. Geneva Pharms., Inc., 339 F.3d 1373, 1380-81 (Fed.Cir.2003) and In re Donohue, 766 F.2d 531, 533 (Fed.Cir.1985)). ii. Discussion The parties do not dispute that the information being measured in the JiNao system is not “raw” packet data, but is data that comes from, or is derived from, network packets. Kesidis testified that the JiNao system was designed to protect the routing protocol and runs in a router; it “uses statistical profiling to [protect the router] based on audit logs of that process as it’s running inside the router.” (D.I. 605 at 1884:15-23) Kesidis explained that the JiNao Report discloses that the raw packet data is transformed into a router-log format. (Id. at 1829:18-1830:16; 1888:8-1889:2) The data used by JiNao to perform its statistical analysis is “router logs or audit log information that pertain[s] to information inside the router.” (Id. at 1884:23-1885:2) Using a demonstrative from a presentation given by the JiNao authors, Kesidis detailed for the jury how a router can receive a message (or network packet) sent directly to it, in its capacity as a “host,” and that the network packet is converted to an audit log when it goes through the prevention module. (Id. at 1886:2-1887:3) Kesidis supported his opinion with specific references to the JiNao Report. (Id. at 1887:17-1894:2) Valdes also testified that the JiNao Report discussed building profiles based on measures of router table data, as compared to network data. (D.I. 592 at 283:5-8; D.I. 597 at 1523:6-17) (“[W]hat’s being analyzed is the [internal router] table, not the [network] packet itself’) Valdes was collaborating with the researchers on the JiNao project at the time, as his project and the JiNao project had a common sponsor (DARPA). (D.I. 597 at 1503:14-1504:11; 1516:15) Kesidis testified that DARPA simultaneously funded the EMERALD project focusing on network packets, and DARPA did not typically duplicate funding in the same research area. (D.I. 605 at 1854:16-24) There is no dispute that the JiNao Report discussed both audit records and network packets. According to Kesidis, the Report used the two terms distinctly: “audit record” was used in connection with the algorithms that were being implemented; while references to “packets” appear when “high level ... information and where it may be coming from” was discussed. (Id. at 1894:17-1895:10; D.I. 598 at 2029:1-9) Smaha, by contrast, testified for ISS that the authors of the JiNao Report interchangeably used the terms “audit record” and “packets,” therefore disclosing a comparison of profiles from at least one measure of network packets. (D.I. 605 at 1727:2-1728:1) ISS argues, alternatively, that because audit records are undeniably derived from network packets, they are “measure[s] of network packets” as required by the '338 patent claims. (D.I. 570 at 25) It was ultimately within the jury’s purview to credit the testimony of Kesidis and Valdes over that of Smaha, find router or audit data distinguishable from the “network packets” from which they are derived in the JiNao system, and conclude that clear and convincing evidence did not demonstrate that JiNao Report disclosed building long-term and short-term profiles from at least one measure of network packets. ISS’s motion is denied on this ground, and the court declines to award a new trial. 5. Defendants’ motions for JMOL or a new trial regarding validity a. Anticipation by Live Traffic The Live Traffic paper discloses all of the limitations in all three patents in suit. (JTX-1 at ¶ 17) The parties dispute, however, whether the Live Traffic paper was publicly available prior to the critical date of November 9, 1997. As discussed supra, on August 1, 1997, Porras published the Live Traffic paper to a FTP site maintained by plaintiff, at the following address: ftp.esl.sri.com/pub/emeraldAidss98.ps. (DTX-572) The FTP site could be accessed by the public; it was not password-protected or encrypted. (D.I. 597 at 1365:5-1366:2) The court previously found in favor of defendants on summary judgment, noting that the record demonstrated that Porras provided to colleagues specific links to documents regarding EMERALD on the FTP site (ftp://ftp.csl.sri.com) as early as January 1997, and the FTP site was interchanged as a source of information on an online newsgroup. (D.I. 471 at 13-14) The court was persuaded that a person of ordinary skill in the art of complex computer software technology, upon entering the main FTP site, could readily navigate the two subfolders to access the Live Traffic paper, especially given that the names of the folders (“/pub/”) and (“