DCT

3:17-cv-05659

Finjan Inc v. Juniper Network Inc

Log In
Key Events
Amended Complaint

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 3:17-cv-05659, N.D. Cal., 07/27/2018
  • Venue Allegations: Venue is alleged to be proper in the Northern District of California because Defendant is headquartered and has its principal place of business in Sunnyvale, California, and regularly conducts business in the district.
  • Core Dispute: Plaintiff alleges that Defendant’s network security products, including its SRX Series Gateways and Sky ATP cloud services, infringe seven patents related to proactive malware detection and security for downloadable content.
  • Technical Context: The technology domain is proactive cybersecurity, where network traffic and downloadable files are analyzed for malicious behavior before they can reach and harm an end-user's computer or network.
  • Key Procedural History: The complaint alleges a history of pre-suit communications between Finjan and Juniper beginning in June 2014, including meetings, letters, and the provision of an exemplary claim chart, which may be presented as evidence of pre-suit knowledge for potential willfulness allegations.

Case Timeline

Date Event
1996-11-08 Priority Date for ’844, ’780, ’633, ’926, ’494, and ’731 Patents
2000-11-28 U.S. Patent No. 6,154,844 Issues
2004-10-12 U.S. Patent No. 6,804,780 Issues
2008-08-26 U.S. Patent No. 7,418,731 Issues
2009-11-03 U.S. Patent No. 7,613,926 Issues
2010-01-12 U.S. Patent No. 7,647,633 Issues
2010-06-14 Priority Date for ’154 Patent
2012-03-20 U.S. Patent No. 8,141,154 Issues
2014-03-18 U.S. Patent No. 8,677,494 Issues
2014-06-10 Finjan allegedly contacts Juniper regarding a potential patent license
2014-07-02 Finjan allegedly provides Juniper with an exemplary claim chart
2015-01-12 Finjan and Juniper allegedly meet to discuss Finjan's patents
2015-02-13 Juniper allegedly sends a letter to Finjan listing potential prior art
2015-09-30 Finjan allegedly sends a letter to Juniper distinguishing prior art
2015-11-24 Finjan and Juniper allegedly hold a telephone call to discuss patents
2016-02-02 Finjan allegedly contacts Juniper's Deputy General Counsel
2018-07-27 Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 6,154,844 - "System and Method for Attaching a Downloadable Security Profile to a Downloadable"

  • Patent Identification: U.S. Patent No. 6,154,844, "System and Method for Attaching a Downloadable Security Profile to a Downloadable," issued November 28, 2000. (Compl. ¶9).

The Invention Explained

  • Problem Addressed: The patent addresses the problem that conventional computer security systems were not configured to recognize viruses attached to or configured as "Downloadables," such as Java applets or ActiveX controls, which are downloaded from a source computer and run on a destination computer. (’844 Patent, col. 1:40-59).
  • The Patented Solution: The invention proposes a system with an "inspector" that analyzes a downloadable file before it reaches the end-user. This inspector generates a "Downloadable security profile" based on a set of rules, such as a list of suspicious operations the file might perform (e.g., writing to a system file). (’844 Patent, col. 2:3-8; col. 4:21-27). This security profile is then linked to the downloadable, allowing a protection engine at a network gateway or on the client computer to compare the profile against local security policies to decide whether to allow or block the file. (’844 Patent, Abstract; Fig. 1).
  • Technical Importance: This method represented a shift toward proactive, behavior-based security, allowing for the identification of previously unknown threats by analyzing their potential actions rather than relying solely on known virus signatures. (Compl. ¶11).

Key Claims at a Glance

  • The complaint asserts independent claims 1, 15, and 41. (Compl. ¶52).
  • The essential elements of independent method claim 1 include:
    • Receiving by an inspector a Downloadable.
    • Generating by the inspector a first Downloadable security profile that identifies suspicious code in the received Downloadable.
    • Linking by the inspector the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients. (’844 Patent, col. 11:15-22).

U.S. Patent No. 6,804,780 - "System and Method for Protecting a Computer and a Network from Hostile Downloadables"

  • Patent Identification: U.S. Patent No. 6,804,780, "System and Method for Protecting a Computer and a Network from Hostile Downloadables," issued October 12, 2004. (Compl. ¶12).

The Invention Explained

  • Problem Addressed: The patent addresses the need to protect computer networks from hostile downloadables and, more specifically, the inefficiency of repeatedly re-evaluating the same downloadable file. (Compl. ¶14; ’780 Patent, col. 1:29-37).
  • The Patented Solution: The invention describes a method for generating a unique "Downloadable ID" for a file. This ID is created by performing a hashing function not only on the downloadable itself but also on any external software components it references and requires for execution. (’780 Patent, Abstract). This persistent ID allows a security system to recognize a file it has analyzed before, retrieve the stored security verdict from a cache, and avoid the computational cost of a full re-analysis. (’780 Patent, Fig. 8).
  • Technical Importance: The use of hash-based identifiers for security analysis allows for efficient caching, which increases the performance of security systems by saving computational resources that would otherwise be spent re-analyzing known files. (Compl. ¶14).

Key Claims at a Glance

  • The complaint asserts independent claims 1 and 9. (Compl. ¶67).
  • The essential elements of independent method claim 1 include:
    • Obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable.
    • Fetching at least one software component identified by the one or more references.
    • Performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID. (’780 Patent, col. 9:60-67).

U.S. Patent No. 7,647,633 - "Malicious Mobile Code Runtime Monitoring System and Methods"

  • Patent Identification: U.S. Patent No. 7,647,633, "Malicious Mobile Code Runtime Monitoring System and Methods," issued January 12, 2010. (Compl. ¶15).
  • Technology Synopsis: The patent is directed to protecting devices from undesirable operations by web-based content. (Compl. ¶17). The described method involves receiving downloadable information, determining if it contains executable code, and if so, transmitting "mobile protection code" to an information destination, such as a sandbox, to trap and neutralize possible harmful effects. (Compl. ¶¶17, 82).
  • Asserted Claims: Independent claims 1, 8, 14, and 19. (Compl. ¶78).
  • Accused Features: The complaint alleges that the Sky ATP cloud platform and ATP Appliance infringe by analyzing executable code in a sandbox and using mobile protection code to quarantine infected files or hosts. (Compl. ¶¶83-84).

U.S. Patent No. 7,613,926 - "Method and System for Protecting a Computer and a Network from Hostile Downloadables"

  • Patent Identification: U.S. Patent No. 7,613,926, "Method and System for Protecting a Computer and a Network from Hostile Downloadables," issued November 3, 2009. (Compl. ¶18).
  • Technology Synopsis: The patent describes methods for protecting against hostile downloadables by performing a hashing function on a downloadable to generate an ID. (Compl. ¶¶20, 94). This ID is used to retrieve security profile data, and the system then transmits either the downloadable appended with the profile data or the downloadable along with a separate representation of that data. (Compl. ¶¶20, 94).
  • Asserted Claims: Claim 22. (Compl. ¶90).
  • Accused Features: The accused products are alleged to infringe by using a hash lookup (specifically SHA256) to retrieve a downloadable's security profile data from a database and then transmitting the downloadable and a representation of the profile data (e.g., a "full scanning report") to a destination computer like a sandbox for further analysis. (Compl. ¶¶95-97).

U.S. Patent No. 8,141,154 - "System and Method for Inspecting Dynamically Generated Executable Code"

  • Patent Identification: U.S. Patent No. 8,141,154, "System and Method for Inspecting Dynamically Generated Executable Code," issued March 20, 2012. (Compl. ¶21).
  • Technology Synopsis: The patent is directed to a system where a gateway computer protects a client computer from dynamically generated malicious content. (Compl. ¶23). The system processes content that includes a call to a first function with an input, transmits that input to a separate security computer for inspection, and only invokes a second function with the input if the security computer indicates it is safe to do so. (Compl. ¶106).
  • Asserted Claims: Claim 1. (Compl. ¶102).
  • Accused Features: The accused products allegedly infringe by acting as a content processor for content like obfuscated JavaScript. The products are alleged to extract malicious objects, transmit them as input to Sky ATP (the security computer) for a safety determination, and then proceed based on the result. (Compl. ¶¶107-108).

U.S. Patent No. 8,677,494 - "Malicious Mobile Code Runtime Monitoring System and Methods"

  • Patent Identification: U.S. Patent No. 8,677,494, "Malicious Mobile Code Runtime Monitoring System and Methods," issued March 18, 2014. (Compl. ¶24).
  • Technology Synopsis: The patent describes a method for deriving and storing security profiles. (Compl. ¶26). The method involves receiving an incoming downloadable, deriving security profile data for it that includes a list of suspicious computer operations it may attempt, and storing this profile data in a database. (Compl. ¶¶26, 117).
  • Asserted Claims: Claims 10, 14, and 18. (Compl. ¶113).
  • Accused Features: The complaint alleges that Sky ATP derives security profile data, including a list of suspicious operations, for downloadables. This data is then allegedly stored in databases by Sky ATP and the Junos Space Security Director product. (Compl. ¶¶117-119).

U.S. Patent No. 7,418,731 - "Method and System for Caching at Secure Gateways"

  • Patent Identification: U.S. Patent No. 7,418,731, "Method and System for Caching at Secure Gateways," issued August 26, 2008. (Compl. ¶27).
  • Technology Synopsis: The patent is directed to providing an efficient security system by implementing a variety of caches. (Compl. ¶29). The system involves a scanner for incoming files, a file cache, a security profile cache, and a security policy cache, with stored files and profiles indexed by a file identifier to increase performance. (Compl. ¶131).
  • Asserted Claims: Claims 1 and 17. (Compl. ¶127).
  • Accused Features: The complaint does not provide sufficient detail for analysis of this patent's infringement allegations, as the relevant paragraphs are redacted. (Compl. ¶¶132-136).

III. The Accused Instrumentality

Product Identification

  • The accused instrumentalities are Juniper’s SRX Series Services Gateways, Sky Advanced Threat Prevention (“Sky ATP”) cloud service, ATP Appliance, and Junos Space Security Director products. (Compl. ¶40).

Functionality and Market Context

  • The complaint alleges that the accused products form an integrated, "next-generation" malware detection system for enterprise customers. (Compl. ¶41). The SRX Gateways act as network firewalls that process traffic. (Compl. ¶41). They integrate with the Sky ATP cloud service, which performs advanced malware analysis using a multi-stage pipeline approach. (Compl. ¶42). This pipeline, illustrated in the complaint's Figure 5, includes cache lookups, antivirus scanning, static analysis of the file's structure, and dynamic analysis via execution in a sandbox environment. (Compl. ¶43; p. 12). The analysis generates a security profile and a "threat level" for the file. (Compl. ¶¶46-47). The Junos Space Security Director product acts as a centralized management console, using this threat information to update and deploy network-wide security policies, such as quarantining infected hosts. (Compl. ¶48). The ATP Appliance is a hardware device that provides similar analysis functions. (Compl. ¶49).

IV. Analysis of Infringement Allegations

’844 Patent Infringement Allegations

Claim Element (from Independent Claim 1) Alleged Infringing Functionality Complaint Citation Patent Citation
receiving by an inspector a Downloadable The SRX Gateways receive incoming downloadables (e.g., PDFs, EXE files) from the internet. These files are then inspected by Sky ATP or the ATP Appliance, which act as the "inspector." ¶56 col. 11:16-17
generating by the inspector a first Downloadable security profile that identifies suspicious code in the received Downloadable Sky ATP's static and dynamic analyzers generate a security profile that captures a list of suspicious computer operations performed by the downloadable, such as modifying the Windows registry or executing unusual instructions. A visual in the complaint shows the sandboxing environment used for dynamic analysis. ¶¶57-58; p. 19 col. 11:18-20
linking by the inspector the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients Sky ATP uses the generated profile to determine a "verdict" and links this verdict to the downloadable via a blocking mechanism, preventing access if the content is deemed malicious, thereby controlling its availability to the client. The complaint includes a diagram showing this inbound file inspection process. ¶59; p. 17 col. 11:20-22
  • Identified Points of Contention:
    • Scope Questions: A central question may be whether the accused system’s generation of a "verdict" or a "threat level" (Compl. ¶47) meets the claim requirement of generating a "Downloadable security profile that identifies suspicious code." The analysis will likely focus on whether the underlying data for the verdict contains the specific information required by the claim.
    • Technical Questions: The claim requires "linking" the profile to the downloadable "before a web server makes the downloadable available." The court will need to determine if the alleged "blocking mechanism" (Compl. ¶59) and denial of the network session constitutes the claimed "linking" and control of availability.

’780 Patent Infringement Allegations

Claim Element (from Independent Claim 1) Alleged Infringing Functionality Complaint Citation Patent Citation
obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable The accused products receive downloadables such as .exe and .pdf files, which inherently include or reference other executable software components required for their operation. The system is also alleged to detect "obfuscated, multi-part threats." ¶¶71, 74 col. 9:60-63
fetching at least one software component identified by the one or more references The ATP Appliance is alleged to track "multi-part attacks" and can "replay" an interaction to "retrieve the same payload that would detonate on an endpoint," which the complaint alleges constitutes fetching a required software component. ¶¶71, 74 col. 9:64-65
performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID The accused products are alleged to perform a hashing function (e.g., SHA256) on files and their components to generate a unique ID, which is then used for cache lookups to determine if the file has been analyzed previously. ¶¶72, 73 col. 9:65-67
  • Identified Points of Contention:
    • Technical Questions: A key evidentiary question may be whether the accused products' analysis of "multi-part attacks" (Compl. ¶74) involves "fetching" a component in the manner required by the claim, versus merely analyzing components already contained within a single downloaded file.
    • Scope Questions: The analysis will likely turn on whether the accused products' generation of a SHA256 hash on a file constitutes performing a hash "on the Downloadable and the fetched software components," which suggests the hash must be performed on a composite object.

V. Key Claim Terms for Construction

Term from ’844 Patent: "Downloadable security profile"

  • The Term: "Downloadable security profile"
  • Context and Importance: This is a central term of the ’844 Patent. The outcome of the infringement analysis may depend on whether the "verdict" or "threat level" generated by the accused products can be characterized as a "Downloadable security profile." Practitioners may focus on this term because its definition dictates the type and format of security information the accused system must generate to infringe.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification defines the profile broadly as including "a list of all potentially hostile or suspicious computer operations that may be attempted by the Downloadable." (’844 Patent, col. 3:5-8). This language could support an argument that any data structure derived from analyzing such operations, including a summary score, meets the definition.
    • Evidence for a Narrower Interpretation: The specification provides concrete examples of operations, such as "READ a file, WRITE a file" and "LISTEN on a socket." (’844 Patent, col. 4:21-27). This could support a narrower construction requiring the profile to be an explicit list of such potential operations, not merely a derivative score.

Term from ’780 Patent: "fetching at least one software component"

  • The Term: "fetching at least one software component"
  • Context and Importance: Infringement of the asserted claims of the ’780 Patent requires this step, as the generated "Downloadable ID" must be based on both the original downloadable and the fetched component. The dispute may turn on what actions by the accused system constitute "fetching."
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The related ’844 Patent, incorporated by reference into the family, describes a process to "prefetch all components embodied in or identified by the code for Downloadable ID generation." (’844 Patent, col. 4:42-44). This suggests "fetching" could encompass any retrieval of related code, including components dynamically retrieved during a sandbox analysis.
    • Evidence for a Narrower Interpretation: The common technical meaning of "fetching" often implies a network request to retrieve a distinct resource. An argument could be made that the term requires retrieving a separate, externally referenced file (e.g., a DLL from a server) rather than just de-obfuscating or activating code already present within the primary downloadable during analysis.

VI. Other Allegations

  • Willful Infringement: The complaint does not explicitly plead a count for "willful infringement." However, it alleges a detailed history of pre-suit notice to Juniper, beginning on June 10, 2014, and continuing through February 2, 2016. (Compl. ¶¶31-39). These allegations, which include meetings, correspondence, and the provision of an exemplary claim chart, establish a factual basis for a claim of pre-suit knowledge of the patents and the alleged infringement, which is a predicate for enhanced damages under 35 U.S.C. § 284.

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of definitional scope: can the "verdict" and "threat level" generated by Juniper's Sky ATP system be construed as the "Downloadable security profile" required by the '844 patent, which the patent describes as identifying suspicious code and listing potential operations?
  • A key evidentiary question will be one of technical operation: does the accused system's analysis of "multi-part threats," which may involve retrieving additional payloads during sandboxing, constitute "fetching...software components" as required by the '780 patent, or is this activity confined to the analysis of a single, self-contained file?
  • A central question for damages will be knowledge and intent: based on the extensive pre-suit communications alleged in the complaint, did the defendant have knowledge of the asserted patents and its alleged infringement sufficient to support a finding of willfulness?