DCT
3:18-cv-06555
Finjan LLC v. Fortinet Inc
Key Events
Complaint
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Finjan, Inc. (Delaware)
- Defendant: Fortinet Inc. (Delaware)
- Plaintiff’s Counsel: Kramer Levin Naftalis & Frankel LLP
- Case Identification: 3:18-cv-06555, N.D. Cal., 10/26/2018
- Venue Allegations: Venue is based on Defendant maintaining a regular and established place of business in Sunnyvale, California, within the Northern District of California.
- Core Dispute: Plaintiff alleges that Defendant’s suite of network security products infringes nine patents related to proactive online security, malicious code analysis, and policy-based content filtering.
- Technical Context: The technology domain is network and endpoint security, focusing on methods for identifying and neutralizing threats from downloadable content before they can harm computer systems.
- Key Procedural History: The complaint alleges that Plaintiff provided Defendant with written notice of infringement on December 8, 2016, which included identification of the asserted patents, accused products, and an exemplary claim chart. Plaintiff also alleges it gave in-person presentations to Defendant detailing the alleged infringement on or about September 20, 2017, and April 5, 2018. This history is cited as the basis for allegations of willful infringement.
Case Timeline
| Date | Event |
|---|---|
| 1996-11-08 | Earliest Priority Date for '844 Patent |
| 2000-05-17 | Earliest Priority Date for '494, '086, '633, '822 Patents |
| 2000-11-28 | Issue Date: '844 Patent |
| 2003-02-27 | Earliest Priority Date for '305, '408, '968, '731 Patents |
| 2005-11-15 | Issue Date: '968 Patent |
| 2006-06-06 | Issue Date: '822 Patent |
| 2008-08-26 | Issue Date: '731 Patent |
| 2010-01-12 | Issue Date: '633 Patent |
| 2011-07-05 | Issue Date: '305 Patent |
| 2011-12-13 | Issue Date: '086 Patent |
| 2012-07-17 | Issue Date: '408 Patent |
| 2014-03-18 | Issue Date: '494 Patent |
| 2016-12-08 | Finjan sends written notice of infringement to Fortinet |
| 2017-09-20 | Finjan gives in-person presentation to Fortinet |
| 2018-04-05 | Finjan gives second in-person presentation to Fortinet |
| 2018-10-26 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,154,844 - *"SYSTEM AND METHOD FOR ATTACHING A DOWNLOADABLE SECURITY PROFILE TO A DOWNLOADABLE,"* issued November 28, 2000
The Invention Explained
- Problem Addressed: The patent’s background section describes the risk posed by "Downloadables" such as Java applets and ActiveX controls, which are executable programs downloaded and run on a destination computer, often bypassing traditional file-based virus scanners (
’844 Patent, col. 1:40-58). - The Patented Solution: The invention proposes a system with an "inspector" that preemptively analyzes a downloadable for suspicious code or behavior before it is made available on a web server. This analysis generates a "Downloadable security profile" (DSP) that is then linked to the downloadable. A "protection engine" at the client or gateway can then verify this linked profile to determine if the downloadable is trustworthy before allowing it to run (
’844 Patent, Abstract; Fig. 1). - Technical Importance: The technology represents a proactive, behavior-centric security model that inspects content at the gateway or server level, contrasting with the reactive, signature-based scanning common at the endpoint at the time (
’844 Patent, col. 1:11-21).
Key Claims at a Glance
- The complaint asserts claims 1-44 (Compl. ¶54). The lead independent claims appear to be 1 (method) and 15 (system).
- Independent Claim 1 includes the essential elements of:
- Receiving a downloadable by an inspector.
- Generating, by the inspector, a downloadable security profile identifying suspicious code.
- Linking the security profile to the downloadable before a web server makes it available to web clients.
- Independent Claim 15 includes the essential elements of:
- A memory storing a first rule set.
- A content inspection engine for using the rule set to generate a security profile and link it to the downloadable before a web server makes it available.
- The complaint reserves the right to assert dependent claims.
U.S. Patent No. 8,677,494 - *"MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS,"* issued March 18, 2014
The Invention Explained
- Problem Addressed: The patent background acknowledges that traditional signature-based antivirus solutions are ineffective against new, or "zero-day," threats and that behavior-based alternatives can be complex and difficult to manage (
’494 Patent, col. 1:21-43). - The Patented Solution: The invention describes a system for creating and storing behavioral security profiles. A "downloadable scanner" derives a security profile for a piece of content, where the profile includes a list of suspicious computer operations it may attempt to perform. A "database manager" then stores this security profile in a database, making it available for future use, such as comparing new downloadables against the stored profiles (
’494 Patent, Abstract; col. 3:56-61). - Technical Importance: This approach institutionalizes behavioral analysis by creating a reusable, database-driven system of threat profiles, which may allow for faster and more efficient identification of new malware that exhibits previously identified suspicious behaviors (
’494 Patent, col. 2:1-10).
Key Claims at a Glance
The complaint asserts claims 3-5 and 7-18 (Compl. ¶72). The lead independent claims are 3 (method) and 10 (system).
Independent Claim 3 includes the essential elements of:
- Deriving a security profile for a downloadable, which includes a list of suspicious computer operations it may attempt.
- Storing the security profile in a database.
Independent Claim 10 includes the essential elements of:
- A downloadable scanner for deriving a security profile for a downloadable that includes a list of suspicious computer operations.
- A database manager coupled with the scanner for storing the security profile in a database.
The complaint reserves the right to assert dependent claims.
The following patents are also asserted in the complaint and are summarized in capsule format.Patent Identification: U.S. Patent No. 8,079,086,
"MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS,"issued December 13, 2011 (Compl. ¶15).- Technology Synopsis: The patent describes a system that protects devices by creating a profile of web-based content and sending these profiles and the corresponding content to another computer for appropriate action (Compl. ¶17).
- Asserted Claims: Claims 1-42 (Compl. ¶93).
- Accused Features: The complaint alleges the Accused Products create profiles of web-based content and send representations of these profiles to other computers for security actions (Compl. ¶97).
Patent Identification: U.S. Patent No. 7,647,633,
"MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS,"issued January 12, 2010 (Compl. ¶18).- Technology Synopsis: The patent is directed to a system that protects devices by determining if web-based content is executable, and if so, "trapping" the content and neutralizing its potentially harmful effects using mobile protection code (Compl. ¶20).
- Asserted Claims: Claims 1-41 (Compl. ¶112).
- Accused Features: The complaint alleges the Accused Products determine if web content is executable and then trap and neutralize harmful effects using mobile protection code (Compl. ¶116).
Patent Identification: U.S. Patent No. 7,058,822,
"MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS,"issued June 6, 2006 (Compl. ¶21).- Technology Synopsis: This patent describes a system that protects devices by determining if web-based content can be executed, trapping it, and neutralizing harmful effects. It additionally provides for analyzing the content to determine if it can be executed (Compl. ¶23).
- Asserted Claims: Claims 1-35 (Compl. ¶129).
- Accused Features: The complaint alleges the Accused Products determine if web-based content can be executed and then trap and neutralize possible harmful effects using mobile protection code (Compl. ¶133).
Patent Identification: U.S. Patent No. 7,975,305,
"METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS FOR DESKTOP COMPUTERS,"issued July 5, 2011 (Compl. ¶24).- Technology Synopsis: The technology involves rule-based scanning of web content for exploits by using parser and analyzer rules to describe exploits as patterns of different types of tokens, with a mechanism for keeping the rules updated (Compl. ¶26).
- Asserted Claims: Claims 3-4, 6-12, and 14-25 (Compl. ¶155).
- Accused Features: The complaint alleges the Accused Products use parser and analyzer rules to describe and scan for computer exploits defined as patterns of tokens (Compl. ¶159).
Patent Identification: U.S. Patent No. 8,225,408,
"METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS,"issued July 17, 2012 (Compl. ¶27).- Technology Synopsis: This patent describes rule-based scanning of web content written in various programming languages by expressing exploits as patterns of tokens and analyzing them using a parse tree (Compl. ¶29).
- Asserted Claims: Claims 1-35 (Compl. ¶180).
- Accused Features: The complaint alleges the Accused Products perform rule-based scanning by expressing exploits as patterns of tokens and using a parse tree (Compl. ¶184).
Patent Identification: U.S. Patent No. 6,965,968,
"POLICY-BASED CACHING,"issued November 15, 2005 (Compl. ¶30).- Technology Synopsis: The technology relates to policy-based cache management. It involves scanning digital content to derive a content profile and then determining if that content is allowable based on a policy applied to the profile (Compl. ¶32).
- Asserted Claims: Claims 1-38 (Compl. ¶208).
- Accused Features: The complaint alleges the Accused Products use a memory/cache and a content scanner to derive a content profile and determine allowability relative to a policy (Compl. ¶214, ¶220, ¶223).
Patent Identification: U.S. Patent No. 7,418,731,
"METHOD AND SYSTEM FOR CACHING AT SECURE GATEWAYS,"issued August 26, 2008 (Compl. ¶33).- Technology Synopsis: The patent describes an efficient security system that implements a variety of caches to increase performance (Compl. ¶35).
- Asserted Claims: Claims 1-22 (Compl. ¶235).
- Accused Features: The complaint alleges the Accused Products are computer gateways that provide various caches for storing files and security profiles to improve performance (Compl. ¶242, ¶249-250, ¶252).
III. The Accused Instrumentality
- Product Identification: The accused instrumentalities are Defendant’s FortiGate, FortiManager, FortiAnalyzer, FortiSiem, FortiSandbox, FortiMail, FortiWeb, FortiCache, and FortiClient products and technologies, collectively referred to as the "Accused Products" (Compl. ¶41).
- Functionality and Market Context: The complaint alleges these products form an integrated "Fortinet Security Fabric Platform" that provides comprehensive threat protection against known and unknown attacks (Compl. ¶42, ¶43). A central component of the alleged infringement is the FortiSandbox technology, which subjects suspicious files to analysis in a contained virtual environment to "uncover the full attack lifecycle" (Compl. ¶17). It generates detailed reports, including logs and screenshots, which can be shared with other Fortinet products like FortiGate firewalls to block threats (Compl. ¶17, ¶43). The overall system is presented as an enterprise-grade security architecture that inspects, analyzes, and blocks malicious content across various vectors including web, email, and network traffic (Compl. ¶42-45). A diagram in the complaint illustrates how FortiSandbox integrates with FortiGate and FortiClient to query, mitigate, and update threat intelligence (Compl. p. 12, Ex. 13).
IV. Analysis of Infringement Allegations
'844 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| receiving by an inspector a Downloadable; | Fortinet's products, such as FortiSandbox, receive incoming downloadable files and web applications from network devices for analysis. | ¶61 | col. 10:21-23 |
| generating by the inspector a first Downloadable security profile that identifies suspicious code in the received Downloadable; | FortiSandbox analyzes the downloadables by creating sandbox tracer logs and utilizing indicators to detect threats and vulnerabilities, thereby deriving security profile data that specifies suspicious behaviors. | ¶61-62 | col. 11:5-9 |
| and linking, by the inspector, the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients. | The products link analysis outputs, such as PCAP logs, tracer logs, and VM screenshots that form the security profile, to the downloadable before it is delivered to the end user. | ¶63-64 | col. 11:65-67 |
- Identified Points of Contention:
- Scope Questions: A central question may be whether the analysis reports, logs, and screenshots generated by FortiSandbox (Compl. p. 17, Ex. 14) constitute a "Downloadable security profile" as that term is used in the patent. The defense could argue that the patent contemplates a specific, structured data object (a "DSP") rather than a collection of general analysis outputs.
- Technical Questions: Claim 1 requires "linking... before a web server makes the Downloadable available to web clients." The infringement theory depends on the accused architecture performing this inspection at the gateway, prior to delivery. A factual dispute may arise over whether the accused products are always configured and operated in this specific pre-delivery inspection mode, as suggested by a configuration screen showing an option to "Wait for FortiSandbox results" (Compl. p. 20, Ex. 16).
'494 Patent Infringement Allegations
| Claim Element (from Independent Claim 3) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| deriving a security profile for a downloadable, the security profile including a list of one or more suspicious computer operations that may be attempted by the downloadable; | The accused products include a scanner that derives a security profile for downloadables, including a list of "suspicious computer operations," such as those shown in malware reports as "Suspicious Indicators." | ¶76, ¶80 | col. 10:48-52 |
| and storing the security profile in a database. | The accused products include a database manager to store the security profile data in a database, which can expand and adapt to allow for rapid protection against malware threats. | ¶76, ¶82-83 | col. 10:53-55 |
- Identified Points of Contention:
- Scope Questions: The dispute may focus on the definitions of "security profile" and "storing...in a database." The question will be whether a malware analysis report listing observed behaviors (Compl. p. 28, Ex. 13) qualifies as the claimed "security profile" and whether the system for managing these reports constitutes the claimed "storing...in a database."
- Technical Questions: The patent specification suggests that storing profiles in a database enables future comparison to speed up analysis (
’494 Patent, col. 11:54-59). An evidentiary question will be whether the accused products use the stored profiles in this comparative manner, as alleged by the complaint (Compl. ¶101), or if they primarily function as an archival system for discrete, non-compared reports.
V. Key Claim Terms for Construction
For the ’844 Patent:
- The Term: "Downloadable security profile"
- Context and Importance: This term is the central object created and linked by the claimed invention. The scope of this term will be critical to determining whether the analysis outputs (logs, reports, screenshots) generated by the Accused Products meet the claim limitation.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification describes the profile as including "a list of all potentially hostile or suspicious computer operations that may be attempted by the Downloadable" (
’844 Patent, col. 11:5-8). This language could support an interpretation that any data structure or collection of files detailing such operations qualifies. - Evidence for a Narrower Interpretation: The patent frequently refers to this entity with the specific acronym "DSP" (
’844 Patent, col. 11:4) and describes its generation as being "based on a rules base" (’844 Patent, col. 11:4-5). This may support a narrower construction requiring a specific data object generated through a formal rules-based process, not just a collection of logs.
- Evidence for a Broader Interpretation: The specification describes the profile as including "a list of all potentially hostile or suspicious computer operations that may be attempted by the Downloadable" (
For the ’494 Patent:
- The Term: "deriving a security profile"
- Context and Importance: This is the core active step of the asserted claims. Whether Fortinet's sandboxing analysis constitutes "deriving" a profile will be a central point of contention. Practitioners may focus on this term because it sits at the intersection of the patent's description and the accused product's real-world functionality.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification states the "downloadable scanner" is for "monitoring the downloadable's behavior to generate a security profile" (
’494 Patent, col. 10:48-50). This suggests that the act of observing and recording behavior could be considered "deriving." - Evidence for a Narrower Interpretation: The abstract describes the profile as including a "list of suspicious computer operations." This may support a narrower interpretation where "deriving" requires not just observation, but an analytical step of identifying and listing specific, predefined "suspicious" operations from all observed behaviors.
- Evidence for a Broader Interpretation: The specification states the "downloadable scanner" is for "monitoring the downloadable's behavior to generate a security profile" (
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement of infringement under 35 U.S.C. § 271(b), asserting that Defendant instructs and encourages its customers and developers to use the Accused Products in an infringing manner through mechanisms such as advertising, user guides, and product documentation (Compl. ¶69-70, ¶89-91).
- Willful Infringement: The complaint alleges willful infringement based on Defendant's alleged pre-suit knowledge of the Asserted Patents. The allegations are supported by reference to a December 8, 2016 notice letter that included an exemplary infringement claim chart, as well as in-person presentations in 2017 and 2018 where the alleged infringement was detailed (Compl. ¶37-38, ¶66). The complaint includes a chart from one such presentation mapping Finjan's patent families to Fortinet's products (Compl. p. 9).
VII. Analyst’s Conclusion: Key Questions for the Case
- Definitional Scope: A core issue will be one of definitional scope: can the term “Downloadable security profile,” as described in the ’844 Patent, be construed to read on the collection of analysis reports, tracer logs, and screenshots generated by Fortinet’s sandboxing products?
- Functional Operation: A key evidentiary question will be one of functional operation: do the accused products’ systems for managing analysis results perform the specific function of "storing the security profile in a database" for future comparative analysis as required by the ’494 Patent, or is this functionality a simple archival of discrete reports?
- Willfulness: Given the complaint’s detailed allegations of pre-suit notice, including the provision of claim charts and technical presentations, a central question will be what actions, if any, Defendant took to assess the merits of Plaintiff's infringement allegations, which will be critical to the determination of willfulness.