DCT

4:14-cv-02998

Finjan Inc v. Symantec Corp

Key Events
Complaint

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 4:14-cv-02998, N.D. Cal., 06/30/2014
  • Venue Allegations: Venue is alleged to be proper as Defendant’s corporate headquarters are located in the Northern District of California, and Defendant conducts business within the district.
  • Core Dispute: Plaintiff alleges that Defendant’s suite of cybersecurity products, including its Norton and Symantec-branded endpoint protection, messaging gateway, and web security services, infringes five patents related to proactive malware detection and secure network communication.
  • Technical Context: The technologies at issue address methods for identifying and neutralizing online security threats, including dynamically generated malware and malicious websites, and for optimizing secure network communications.
  • Key Procedural History: The complaint alleges that the parties met on at least two prior occasions to discuss Finjan's patent portfolio. It also notes that Defendant’s own patents cite various Finjan patents as prior art and that Defendant is aware of two other lawsuits involving Finjan's patents, suggesting a basis for Plaintiff's allegations of pre-suit knowledge and willful infringement.

Case Timeline

| Date | Event |
|---|---|
| 2004-01-30 | Earliest Priority Date for ’996 Patent |
| 2005-11-30 | Earliest Priority Date for ’299 Patent and ’182 Patent |
| 2005-12-12 | Earliest Priority Date for ’289 Patent and ’154 Patent |
| 2010-07-13 | ’996 Patent Issued |
| 2010-07-13 | ’289 Patent Issued |
| 2011-04-19 | ’299 Patent Issued |
| 2011-09-06 | ’182 Patent Issued |
| 2012-03-20 | ’154 Patent Issued |
| 2014-06-30 | Complaint Filing Date |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 7,756,996 - *EMBEDDING MANAGEMENT DATA WITHIN HTTP MESSAGES* (Issued July 13, 2010)

The Invention Explained

  • Problem Addressed: The patent describes the inefficiency of transmitting network security and management data (e.g., antivirus signature updates) using proprietary, non-HTTP protocols. This practice creates additional network traffic separate from standard web traffic, increasing packet volume and processing overhead on a corporate network (’996 Patent, col. 1:11-34).
  • The Patented Solution: The invention proposes embedding this "non-HTTP management data" directly within standard HTTP message streams that are already flowing between client computers and a network gateway. A component at the gateway inserts the management data into an outbound HTTP message, and a corresponding component at the client extracts it upon receipt, thereby "piggy-backing" on existing traffic to optimize bandwidth and reduce the total number of network packets (’996 Patent, Abstract; col. 2:35-52).
  • Technical Importance: This method offered a way to streamline network communications by consolidating distinct data streams into the ubiquitous HTTP protocol, reducing overhead and simplifying traffic management (’996 Patent, col. 4:56-62).

Key Claims at a Glance

  • The complaint asserts at least claims 4-6 for indirect infringement (Compl. ¶43). Independent claim 4 is analyzed below.
  • Claim 4 (Method) Elements:
    • Receiving server-originated non-HTTP management data intended for at least one client computer.
    • Inserting the data within a server-originated HTTP message before it is transmitted to the client.
    • Extracting the data from the HTTP message after it is received by the client.
    • Receiving a client-originated HTTP message that has client-originated non-HTTP management data embedded within it.
    • Extracting the client-originated data at the gateway.
    • Transmitting the client-originated data to the management server.
  • The complaint reserves the right to assert additional claims (Compl. ¶35).
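The piggy-backing flow described above (insert at the sender, extract at the receiver, in both directions) can be sketched as follows. This is an added illustration, not code from the patent, the complaint, or any Symantec product; the `X-Mgmt-Data` header, the base64/JSON encoding, and all function names are assumptions chosen for the example.

```javascript
// Added illustration; header name and helper names are hypothetical.
const MGMT_HEADER = "X-Mgmt-Data";

// Split a raw HTTP/1.1 message into head lines and body at the first blank line.
function splitMessage(raw) {
  const i = raw.indexOf("\r\n\r\n");
  if (i < 0) throw new Error("not a complete HTTP message head");
  return { lines: raw.slice(0, i).split("\r\n"), body: raw.slice(i + 4) };
}

// Sender side (gateway for server-originated data, client for client-originated
// data): embed management data in an HTTP message that is being sent anyway.
function embed(raw, mgmtData) {
  const { lines, body } = splitMessage(raw);
  // base64 contains no CR/LF, so the payload cannot introduce extra header lines.
  const value = Buffer.from(JSON.stringify(mgmtData), "utf8").toString("base64");
  lines.push(`${MGMT_HEADER}: ${value}`);
  return lines.join("\r\n") + "\r\n\r\n" + body; // body and Content-Length untouched
}

// Receiver side: extract the management data and hand on the message without it.
function extract(raw) {
  const { lines, body } = splitMessage(raw);
  const prefix = MGMT_HEADER.toLowerCase() + ":";
  let mgmtData = null;
  const kept = lines.filter((line, idx) => {
    if (idx === 0 || !line.toLowerCase().startsWith(prefix)) return true;
    const b64 = line.slice(prefix.length).trim();
    mgmtData = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return false; // strip the header so the application sees the original message
  });
  return { mgmtData, message: kept.join("\r\n") + "\r\n\r\n" + body };
}

// Constructed sample messages (not captured traffic).
const SERVER_RESPONSE =
  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello";
const CLIENT_REQUEST =
  "GET /index.html HTTP/1.1\r\nHost: intranet.example.invalid\r\n\r\n";

function demoPiggyback() {
  // Gateway -> client: server-originated management data rides on a response.
  const down = embed(SERVER_RESPONSE, { type: "signature-update", version: 42 });
  // Client -> gateway: client-originated management data rides on a request.
  const up = embed(CLIENT_REQUEST, { type: "status-report", agent: "ok" });
  return { down, atClient: extract(down), atGateway: extract(up) };
}

console.log(demoPiggyback().atClient.mgmtData);
```

Because the data travels inside ordinary HTTP messages, a monitor that only looks for a separate management protocol would not see it; inspection has to look at the HTTP message itself.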

U.S. Patent No. 7,757,289 - *SYSTEM AND METHOD FOR INSPECTING DYNAMICALLY GENERATED EXECUTABLE CODE* (Issued July 13, 2010)

The Invention Explained

  • Problem Addressed: The patent identifies a vulnerability in conventional antivirus technologies that cannot detect malicious code generated "on the fly" at run-time. For example, a seemingly harmless script could execute a document.write() function that, in turn, generates and inserts a new, malicious script into a webpage as it is being rendered by a browser (’289 Patent, col. 3:30-40, col. 4:3-14).
  • The Patented Solution: The invention describes a system where a gateway computer intercepts web content and replaces a potentially dangerous function call (e.g., document.write()) with a "substitute function." When the client's browser later invokes this substitute function, the input intended for the original function is first sent to a separate security computer for inspection. Only after the security computer transmits back an indicator that the input is "safe" is the original function invoked at the client with that input (’289 Patent, Abstract; Fig. 2).
  • Technical Importance: This approach created a mechanism to analyze executable code not as it exists statically, but at the moment of its dynamic creation at run-time, thereby protecting against a sophisticated class of malware (’289 Patent, col. 4:15-28).

Key Claims at a Glance

  • The complaint asserts at least claims 1-9, 19-21, 25-28, and 35-39 for indirect infringement (Compl. ¶65). Independent claim 1 is analyzed below.
  • Claim 1 (Method) Elements:
    • Receiving content at a gateway computer, the content including a call to an original function with an input.
    • Modifying the content at the gateway by replacing the call to the original function with a call to a substitute function.
    • Transmitting the modified content from the gateway to the client computer.
    • At the client, processing the modified content and transmitting the input to a security computer for inspection when the substitute function is invoked.
    • Determining at the security computer whether it is safe for the client to invoke the original function with the input.
    • Transmitting an indicator of safety from the security computer to the client.
    • Invoking the original function at the client only if the indicator confirms it is safe.
  • The complaint reserves the right to assert additional claims (Compl. ¶57).
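The substitute-function flow described above can be sketched end to end as follows. This is an added illustration, not code from the patent, the complaint, or any accused product; the substitute name `__inspectThenWrite`, the regex policy standing in for the security computer, and the in-process call that stands in for the client-to-security-computer round trip are all assumptions.

```javascript
// Added illustration; all names below are hypothetical.
const SUBSTITUTE = "__inspectThenWrite";

// Gateway: replace calls to the original function with calls to the substitute.
// Naive textual rewrite; it does not follow aliases such as `var w = document.write`.
function rewriteAtGateway(content) {
  return content.replace(/\bdocument\s*\.\s*write\s*\(/g, SUBSTITUTE + "(");
}

// Security computer: stand-in policy applied to the run-time input.
function inspectInput(input) {
  const risky = /<\s*script\b|\bon\w+\s*=|javascript\s*:/i.test(input);
  return { safe: !risky };
}

// Client: process the modified content. When the substitute is invoked, its input
// goes for inspection, and the original function runs only on a "safe" indicator.
function runAtClient(modifiedContent, inspect) {
  const written = []; // inputs that reached the original document.write
  const blocked = []; // inputs the inspector rejected
  const doc = { write: (s) => written.push(s) }; // minimal stand-in for `document`
  const substitute = (input) => {
    const text = String(input);
    if (inspect(text).safe) doc.write(text);
    else blocked.push(text);
  };
  new Function("document", SUBSTITUTE, modifiedContent)(doc, substitute);
  return { written, blocked };
}

// Constructed sample content: the second write assembles a script tag at run time,
// so the tag never appears in the static text.
const SAMPLE_CONTENT = [
  'document.write("<b>hello</b>");',
  'var t = "scr" + "ipt";',
  'document.write("<" + t + " src=\\"https://cdn.example.invalid/p.js\\"></" + t + ">");',
].join("\n");

function demo() {
  // The same policy applied statically to the content sees nothing to flag.
  const staticVerdict = inspectInput(SAMPLE_CONTENT).safe;
  const modified = rewriteAtGateway(SAMPLE_CONTENT);
  return { staticVerdict, modified, ...runAtClient(modified, inspectInput) };
}

console.log(demo());
```

The static check passes the content while the run-time check stops the generated tag, which is the gap the patent says conventional scanning leaves open.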

U.S. Patent No. 7,930,299 - *SYSTEM AND METHOD FOR APPENDING SECURITY INFORMATION TO SEARCH ENGINE RESULTS* (Issued April 19, 2011)

  • Technology Synopsis: The patent describes a system for enhancing web search safety. It involves a content scanner assessing the potential security risks of websites listed in search engine results and then generating a combined summary that appends security information to those results (Compl. ¶18).
  • Asserted Claims: At least claims 1-12 and 21 (Compl. ¶87).
  • Accused Features: The complaint alleges that Symantec’s Norton Safe Web product, which annotates search results with safety ratings, infringes the ’299 Patent (Compl. ¶28, 82).

U.S. Patent No. 8,015,182 - *SYSTEM AND METHOD FOR APPENDING SECURITY INFORMATION TO SEARCH ENGINE RESULTS* (Issued September 6, 2011)

  • Technology Synopsis: Related to the ’299 patent, this invention covers a system for appending security information to search results. The claims require a search engine, a client computer, and a content security scanner that assesses potential security risks in the search results (Compl. ¶21).
  • Asserted Claims: At least claims 1-21 (Compl. ¶109).
  • Accused Features: The complaint alleges that Symantec’s Norton Safe Web product infringes the ’182 Patent (Compl. ¶28, 104).

U.S. Patent No. 8,141,154 - *SYSTEM AND METHOD FOR INSPECTING DYNAMICALLY GENERATED EXECUTABLE CODE* (Issued March 20, 2012)

  • Technology Synopsis: Related to the ’289 patent, this invention is directed to a gateway computer that protects a client from dynamically generated malicious content. It describes using a content processor to process a first function and then invoking a second function only if a security computer indicates it is safe to do so (Compl. ¶24).
  • Asserted Claims: One or more claims (Compl. ¶112).
  • Accused Features: The complaint alleges that Symantec’s SONAR with Insight technology infringes the ’154 Patent (Compl. ¶27, 115).

III. The Accused Instrumentality

Product Identification

  • The complaint names several Symantec technologies: Browser Intrusion Prevention System, Insight, Disarm, Norton Safe Web, Norton Safe Search, and Symantec Endpoint Manager. These technologies are allegedly incorporated into a range of products including Norton Internet Security, Norton 360, Symantec Endpoint Protection, and Messaging Gateway, among others (Compl. ¶25, 31).

Functionality and Market Context

  • Symantec Endpoint Protection Manager (SEPM): Alleged to be a management tool that communicates with client endpoints to establish and enforce security policies, manage antivirus deployment, and handle updates and reporting (Compl. ¶30).
  • Insight with SONAR: Described as a proactive threat detection system. Insight is a reputation-based technology that analyzes file attributes to assess risk, while SONAR is a behavioral analysis engine that "examines programs as they run, potentially injecting code into applications" to detect new threats (Compl. ¶27). A marketing visual for Symantec Insight and SONAR highlights security against mutating malware (Compl. p. 7).
  • Norton Safe Web / Safe Search: Identified as a service that analyzes websites for malicious content and annotates search engine results with safety ratings (Compl. ¶28). A screenshot depicts Norton Safe Web annotating a Wikipedia search result with a "Site is Safe" rating and a summary of threats (Compl. p. 8).
  • Disarm: Described as a technology within Symantec’s Messaging Gateway that deconstructs email attachments (e.g., Office, PDF files), removes malicious content like macros or scripts, and reconstructs the documents before delivery (Compl. ¶29).

IV. Analysis of Infringement Allegations

’996 Patent Infringement Allegations

| Claim Element (from Independent Claim 4) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| receiving server-originated non-HTTP management data from a management server computer | Symantec Endpoint Protection Manager allegedly sends security policies and antivirus updates from a server to endpoint clients. | ¶30, 38 | col. 6:4-7 |
| inserting the server-originated non-HTTP management data within a server-originated HTTP message | The complaint alleges that SEPM embodies the invention, but does not provide specific technical facts detailing how or if management data is embedded within HTTP messages. | ¶38 | col. 6:8-12 |
| extracting the server-originated non-HTTP management data from within the...HTTP message subsequent to...being received by the at least one client computer | The complaint alleges endpoint clients embody the invention, but provides no facts on the extraction mechanism. | ¶38 | col. 6:13-18 |
| receiving a client-originated HTTP message...having client-originated non-HTTP management data embedded therewithin | Two-way communication is alleged between SEPM and clients for purposes such as reporting. | ¶30 | col. 6:19-22 |
| transmitting the client-originated non-HTTP management data to the management server computer | The complaint alleges clients report back to the SEPM server, implying transmission of management data. | ¶30 | col. 6:25-28 |

Identified Points of Contention

  • Technical Question: A central factual question may be whether Symantec Endpoint Protection Manager communicates policy and update data by embedding it within standard HTTP packets, as claimed, or if it uses a separate proprietary protocol that does not involve such embedding. The complaint does not provide sufficient detail for analysis of this specific technical implementation.
  • Scope Question: The dispute may turn on whether the management data transmitted by SEPM constitutes "non-HTTP management data." If Symantec’s data is formatted as standard HTTP/S traffic, it raises the question of whether it falls within the scope of this claim term.

’289 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| receiving at a gateway computer content being sent to a client computer...the content including a call to an original function | Disarm technology operates at the Messaging Gateway; SONAR operates on files at the endpoint, which can be viewed as a gateway for the operating system. Both intercept content containing executable elements (macros, scripts, function calls). | ¶27, 29 | col. 10:13-17 |
| modifying the content at the gateway computer, including replacing the call to the original function with a corresponding call to a substitute function | SONAR is alleged to "potentially inject[...] code into applications," and Disarm is alleged to "deconstruct the attachment" and "reconstruct the documents," which the complaint implies constitutes the claimed modification. | ¶27, 29 | col. 10:18-23 |
| transmitting the input to the security computer for inspection when the substitute function is invoked | SONAR allegedly leverages the "Insight" cloud-based reputation service to "make decisions about files," which corresponds to sending an input for inspection. | ¶27 | col. 10:27-31 |
| determining at the security computer whether it is safe for the client computer to invoke the original function | The Insight service analyzes file source, age, and other metrics to determine if a file is a threat. | ¶27 | col. 10:32-35 |
| invoking the original function at the client computer with the input, only if the indicator received...indicates that such invocation is safe | Symantec’s endpoint products allegedly use the determination from SONAR and Insight to decide whether to allow an application or file to run. | ¶9, 27 | col. 10:40-44 |

Identified Points of Contention

  • Technical Question: It will be a key factual issue whether the operation of SONAR (behavioral analysis via code injection/API hooking) or Disarm (file reconstruction) is technically equivalent to the patent's specific method of "replacing the call to the original function with a...substitute function."
  • Scope Question: A dispute may arise over whether the "gateway computer" limitation reads on an endpoint security product (like SONAR) or is limited to a network appliance. Similarly, whether a cloud-based reputation database like "Insight" functions as the claimed "security computer" may be a point of contention.

V. Key Claim Terms for Construction

  • Term from the ’996 Patent: "non-HTTP management data"

    • Context and Importance: This term is foundational to the patent’s novelty. The infringement case depends on establishing that the data Symantec Endpoint Protection Manager transmits is both "management data" and "non-HTTP." Practitioners may focus on this term because Symantec could argue its management communications use standard HTTP/S protocols and thus are not "non-HTTP."
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The specification describes the data as being for network management or security applications, such as antivirus signature files, and notes it is "typically" transmitted using a "proprietary non-HTTP protocol," suggesting the term refers to the data's substance and purpose, not merely its transport layer (’996 Patent, col. 1:11-31).
      • Evidence for a Narrower Interpretation: The patent’s summary contrasts the invention with systems that create "additional traffic, above and beyond the HTTP traffic." This could support an interpretation where any data packaged and sent using HTTP/S conventions, regardless of its content, would not be considered "non-HTTP" (’996 Patent, col. 1:31-32).
  • Term from the ’289 Patent: "replacing the call to the original function with a corresponding call to a substitute function"

    • Context and Importance: This phrase describes the core technical mechanism of the invention. The infringement analysis for the ’289 and ’154 patents will hinge on whether Symantec's SONAR and Disarm technologies perform this specific act of replacement. Practitioners may focus on this term because alternative security techniques like sandboxing or API hooking might achieve similar results without literal "replacement" of code in the content stream.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The patent's objective is to intercept and inspect inputs to function calls before execution. A party could argue that any mechanism achieving this interception, such as runtime API hooking, is functionally what the patent describes, even without literal code replacement in the static file.
      • Evidence for a Narrower Interpretation: The detailed description and figures illustrate a process where a "content modifier" at a gateway alters the content before it is processed by the client, which suggests a literal, pre-processing replacement of one function call with another in the content itself (’289 Patent, Fig. 2; col. 9:18-25).

VI. Other Allegations

  • Indirect Infringement: The complaint alleges inducement for the ’996, ’289, and ’299 patents, citing Defendant’s creation and distribution of extensive customer-facing materials, including user guides, technical support webpages, whitepapers, and training programs, which allegedly instruct users on how to use the accused products in an infringing manner (Compl. ¶45-52, 67-74, 89-96). For the ’182 Patent, the complaint alleges contributory infringement, asserting that Norton Safe Web is a material component of the patented system, is not a staple article of commerce, and is especially adapted for use in an infringing manner (Compl. ¶110).
  • Willful Infringement: Willfulness is alleged for all five patents-in-suit. The allegations are based on pre-suit knowledge stemming from at least two meetings between the parties regarding Finjan’s patent portfolio, Defendant's citation to Finjan patents as prior art in its own patent prosecution, and Defendant's awareness of other litigation involving Finjan's patents (Compl. ¶41, 63, 85, 107, 118).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A central issue will be one of technical mechanism: Does the evidence show that Symantec's accused products, particularly SONAR and Symantec Endpoint Protection Manager, operate using the specific methods recited in the claims (e.g., embedding non-HTTP data within HTTP packets, replacing function calls with substitutes), or do they achieve similar security outcomes through fundamentally different, non-infringing technologies?
  • The case will likely depend on a core question of definitional scope: How will the court construe dispositive claim terms such as "non-HTTP management data" and "replacing the call to the original function"? The breadth or narrowness of these definitions will be critical in determining whether the accused functionalities fall within the scope of the patents.
  • A key evidentiary question for the ’299 and ’182 patents will be one of system architecture: Does the complaint provide sufficient facts to demonstrate that Norton Safe Web, which annotates search results with security ratings, practices the specific client, search engine, and content scanner interactions as required by the asserted claims?