DCT
4:17-cv-06946
Finjan Inc v. Zscaler Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Finjan, Inc. (Delaware)
  - Defendant: Zscaler, Inc. (Delaware)
  - Plaintiff’s Counsel: Kramer Levin Naftalis & Frankel LLP
- Case Identification: 4:17-cv-06946, N.D. Cal., 12/05/2017
- Venue Allegations: Plaintiff alleges venue is proper because Defendant is headquartered and maintains its principal place of business within the Northern District of California, and has regularly conducted business and committed acts of infringement in the district.
- Core Dispute: Plaintiff alleges that Defendant’s cloud-based internet security platform and associated services infringe four patents related to proactive malware detection, analysis, and management.
- Technical Context: The technology domain is network security, specifically methods for identifying and neutralizing malicious software ("malware") delivered over the internet before it can compromise endpoint devices or networks.
- Key Procedural History: The complaint alleges that Plaintiff first contacted Defendant regarding a potential license on or about May 26, 2016, at which time it provided an exemplary claim chart for one of the asserted patents. The complaint also notes that Defendant has previously studied and sought to invalidate a related, parent patent (U.S. Patent No. 6,092,194) in an inter partes review (IPR) proceeding, suggesting Defendant's familiarity with the underlying technology and patent specification.
Case Timeline
| Date | Event |
|---|---|
| 1996-11-08 | Earliest Priority Date (’780, ’305 Patents) |
| 2000-05-17 | Earliest Priority Date (’633, ’494 Patents) |
| 2004-10-12 | ’780 Patent Issue Date |
| 2010-01-12 | ’633 Patent Issue Date |
| 2011-07-05 | ’305 Patent Issue Date |
| 2014-03-18 | ’494 Patent Issue Date |
| 2016-05-26 | Finjan contacts Zscaler regarding licensing and provides infringement notice for ’305 and ’494 Patents |
| 2017-12-05 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,804,780 - SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES, Issued October 12, 2004
The Invention Explained
- Problem Addressed: The patent’s background section describes that conventional computer security systems were not designed to recognize viruses attached to or configured as "Downloadables"—executable application programs like Java™ applets or ActiveX™ controls that are downloaded from a source and run on a destination computer (’780 Patent, col. 1:46-64).
- The Patented Solution: The invention provides a method to generate a unique and persistent identifier, a "Downloadable ID," for a given Downloadable. The method involves obtaining the Downloadable, fetching software components that it references and requires for execution, and then performing a function, such as a cryptographic hash, on the combination of the Downloadable and its fetched components to create the ID (’780 Patent, Abstract; FIG. 8). This ID allows a security system to recognize a complex, multi-part program without repeated, resource-intensive analysis (’780 Patent, col. 2:12-18).
- Technical Importance: This approach provided a method for reliably identifying complex, web-based executable content that could be composed of multiple files, enhancing the efficiency of security scanning beyond simple, single-file signature matching (Compl. ¶11).
Key Claims at a Glance
- The complaint asserts independent claim 1 (Compl. ¶38).
- Claim 1 recites a computer-based method with the essential elements of:
  - Obtaining a Downloadable that includes one or more references to software components required to be executed by it.
  - Fetching at least one software component identified by the reference(s).
  - Performing a hashing function on the Downloadable and the fetched software component(s) to generate a Downloadable ID.
- The complaint asserts claims 1-18, thereby including dependent claims (Compl. ¶38).
U.S. Patent No. 7,647,633 - MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS, Issued January 12, 2010
The Invention Explained
- Problem Addressed: The patent addresses the security risks posed by "mobile code" (e.g., Java applets, scripts, ActiveX controls), which can execute undesirable operations on network-connected devices. The patent notes that prior art protection methods could be inflexible and resource-intensive (’633 Patent, col. 1:29-57).
- The Patented Solution: The invention describes a protection system, typically operating on a network server or firewall, that monitors incoming information. If the system determines the information includes executable code, it transmits "mobile protection code" (MPC) to the information's destination. This MPC is designed to create a protective "sandbox" environment on the destination device, intercepting the executable's operations and enforcing security policies in real-time (’633 Patent, Abstract; col. 2:38-56).
- Technical Importance: This method enables dynamic, content-specific security by delivering a protective wrapper along with potentially malicious code, allowing for flexible protection of client devices without requiring pre-installed security software (Compl. ¶14).
Key Claims at a Glance
- The complaint asserts independent claim 1 (Compl. ¶54).
- Claim 1 recites a computer-based method with the essential elements of:
  - Receiving downloadable-information.
  - Determining whether the downloadable-information includes executable code.
  - Based on that determination, transmitting mobile protection code to an information-destination of the downloadable-information if it is determined to include executable code.
- The complaint asserts claims 1-41, thereby including dependent claims (Compl. ¶54).
Multi-Patent Capsule: U.S. Patent No. 8,677,494
- Patent Identification: U.S. Patent No. 8,677,494, MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS, issued March 18, 2014 (Compl. ¶15).
- Technology Synopsis: This patent discloses a computer-based method for creating security profiles for downloadables. The method comprises receiving an incoming downloadable, deriving security profile data that includes a list of suspicious computer operations the downloadable may attempt, and storing this profile data in a database (Compl. ¶¶ 17, 76).
- Asserted Claims: Claims 3-5 and 7-18, including independent claims 3, 7, and 14 (Compl. ¶72).
- Accused Features: The complaint alleges that Zscaler's Cloud Sandbox receives incoming downloadables, derives security profile data by identifying suspicious operations, and stores the resulting profiles in a threat database (Compl. ¶¶ 76-78).
Multi-Patent Capsule: U.S. Patent No. 7,975,305
- Patent Identification: U.S. Patent No. 7,975,305, METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS FOR DESKTOP COMPUTERS, issued July 5, 2011 (Compl. ¶18).
- Technology Synopsis: The patent describes a system for rule-based scanning of web content to find exploits. The method involves receiving content, selectively diverting it from its destination, scanning it using parser and analyzer rules that describe exploits as patterns of tokens, and updating those rules to adapt to new threats (Compl. ¶¶ 20, 93).
- Asserted Claims: Claims 1-25, including independent claims 1 and 13 (Compl. ¶89).
- Accused Features: The complaint accuses Zscaler's security products of receiving internet content, diverting it for scanning, and using analyzer and parser rules to recognize and block potential exploits before the content reaches the end user (Compl. ¶¶ 93-94).
III. The Accused Instrumentality
Product Identification
- The accused instrumentalities are Zscaler's cloud-based security products and services, including its Internet Access Bundles, Private Access Bundle, Zscaler Enforcement Node (“ZEN”), Secure Web Gateway, Cloud Firewall, Cloud Sandbox, and Cloud Architecture (Compl. ¶35).
Functionality and Market Context
- The accused products collectively operate as a cloud-native security platform that acts as an intermediary gateway for internet traffic (Compl. ¶¶ 27, 30). User traffic is routed through Zscaler's globally distributed data centers, or ZENs, which perform inline inspection of content for malware and enforce security policies (Compl. ¶¶ 29, 30).
- A core feature is the "Cloud Sandbox," which performs static and dynamic analysis on unknown files to identify malicious behavior and prevent zero-day exploits (Compl. ¶31). This analysis results in the creation of security profiles that identify suspicious operations (Compl. ¶32). The complaint provides a visual from a Zscaler document showing a report that identifies "Suspicious operations" such as "Stealing user credentials" and "Downloading additional malware" (Compl. p. 10).
- The complaint alleges these services are commercially significant, citing Zscaler's infrastructure of over 100 data centers processing 40 billion requests per day (Compl. ¶29).
IV. Analysis of Infringement Allegations
’780 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable | Zscaler's security gateways receive downloadables that contain references to other components, such as dropped files, that are required for execution. The complaint provides a screenshot of a Zscaler report listing "Dropped Files" and describes this as obtaining a downloadable with references to software components. | ¶42, ¶43 | col. 9:20-25 |
| fetching at least one software component identified by the one or more references | Zscaler's system fetches at least one external software component required by the downloadable for its operation. A visual in the complaint shows a Zscaler report for a backdoor program and explicitly annotates that Zscaler "fetches at least one software component" by downloading content from a malicious URL. | ¶42, ¶43 | col. 9:26-30 |
| performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID | Zscaler's Cloud Sandbox performs a hashing function (e.g., MD5, SHA1) on the downloadable and its associated components to generate a unique identifier. A visual from a Zscaler report shows an MD5 hash explicitly labeled by the complaint as a "Downloadable ID." | ¶43 | col. 9:31-35 |
- Identified Points of Contention:
  - Scope Questions: A central question may be whether the term "Downloadable," described in the patent with examples like Java applets and ActiveX controls from the 1990s, can be construed to cover the broad range of modern file types (e.g., executable files, PDFs) that Zscaler’s system analyzes.
  - Technical Questions: The analysis may question whether the "Dropped Files" identified by Zscaler's sandbox (Compl. p. 15) are "fetched" from an external source as required by the claim, or if they are created locally by the primary file during execution within the sandbox, which may not satisfy the "fetching" limitation.
’633 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| receiving, by a computer, downloadable-information | Zscaler's security gateways receive downloadable information, such as web pages and files, from the internet on behalf of end users. | ¶58, ¶60 | col. 5:2-6 |
| determining, by the computer, whether the downloadable-information includes executable code | Zscaler's Advanced Threats Protection service analyzes received information to identify executable objects and scripts, such as Java applets, ActiveX, and injected scripts. | ¶59 | col. 5:7-10 |
| based upon the determination, transmitting from the computer mobile protection code to at least one information-destination... if the downloadable-information is determined to include executable code | If Zscaler determines a file is suspicious (i.e., may contain executable code), it is sent to the Zscaler Cloud Sandbox for further analysis. The complaint alleges this special handling and analysis environment constitutes the "mobile protection code" and the sandbox is the "information-destination." A diagram from a Zscaler document is annotated to show that "MPC [is] included at this stage" when "Suspicious Files" are sent to "Behavioral Analysis." | ¶58, ¶60 | col. 5:11-16 |
- Identified Points of Contention:
  - Scope Questions: A primary dispute will likely concern the definition of "mobile protection code." The complaint posits that routing a file to a server-side sandbox is equivalent to transmitting MPC. A counterargument may be that the patent requires transmitting a distinct piece of protective software to the end-user's device to create a sandbox there, not merely re-routing traffic within the defendant's own cloud.
  - Technical Questions: The analysis will question whether the "information-destination of the downloadable-information" is Zscaler's own Cloud Sandbox, as alleged, or if the claim requires this destination to be the end-user's client device for which the content was originally intended.
V. Key Claim Terms for Construction
For the ’780 Patent:
- The Term: "Downloadable"
- Context and Importance: The definition of this term is critical for determining the scope of infringement. Practitioners may focus on this term because the patent's specification provides 1990s-era examples (Java applets, ActiveX), while the complaint accuses a modern security platform that analyzes a much wider array of executable content. The dispute will concern whether the term is limited to its exemplary embodiments or covers any functionally equivalent network-delivered executable program.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The specification provides a broad functional definition: "A Downloadable is an executable application program, which is downloaded from a source computer and run on the destination computer" (’780 Patent, col. 1:50-53).
  - Evidence for a Narrower Interpretation: The specification immediately follows the definition with a list of specific examples: "Examples of Downloadables include Java™ applets... JavaScript scripts... ActiveX™ controls... and Visual Basic" (’780 Patent, col. 1:55-62). This list could be argued to confine the term's meaning to that class of technologies.
For the ’633 Patent:
- The Term: "mobile protection code"
- Context and Importance: This term appears to be a neologism coined by the patentee and is central to the infringement theory. Practitioners may focus on this term because the complaint alleges that the act of sending a suspicious file to a server-side sandbox meets this limitation. The case may hinge on whether "mobile protection code" is a functional concept of protective action or requires a structurally distinct software component transmitted to the client.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The patent does not provide a formal definition for "mobile protection code," potentially leaving it open to a functional interpretation where any transmitted instructions or processes that result in a protective action at a destination could qualify. The abstract refers to causing MPC "to be transferred to and rendered operable within a destination device," a process the complaint alleges maps to sending a file to the Zscaler sandbox (Compl. ¶58; ’633 Patent, Abstract).
  - Evidence for a Narrower Interpretation: The abstract describes "forming a protection agent including the MPC, protection policies and a detected-Downloadable." This suggests the MPC is a component of a package delivered to the end-user device. Further, the patent discusses causing the MPC "to be executed within a Downloadable-destination in a manner that enables various Downloadable operations to be detected, intercepted or further responded to," which strongly suggests the MPC operates on the client machine where the threat would manifest (’633 Patent, col. 2:50-56).
VI. Other Allegations
- Indirect Infringement: The complaint alleges induced infringement for all asserted patents. It claims Defendant instructs and encourages its customers to use the accused products in an infringing manner through materials such as administration guides, user guides, training, and certifications available on its website (Compl. ¶¶ 50-52, 69-70, 86-87, 103-104).
- Willful Infringement: Willfulness is alleged for all asserted patents. The complaint bases this on alleged pre-suit knowledge from at least May 26, 2016, when Finjan allegedly contacted Zscaler, identified infringing products, and provided a claim chart for the ’305 Patent. The complaint further alleges knowledge based on Zscaler's participation in an IPR proceeding against a parent patent (’194) that shares an identical specification with the ’780 Patent (Compl. ¶¶ 22-24, 45, 63, 80, 97).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the term "Downloadable," rooted in the patent’s context of 1990s-era web applets and scripts, be construed to cover the diverse range of modern files analyzed by the accused cloud security platform?
- A key question will be one of structural and functional mapping: does Zscaler's internal, server-side process of routing a suspicious file to its own Cloud Sandbox for analysis meet the claim requirement of "transmitting mobile protection code to... an information-destination"? The resolution may depend on whether "mobile protection code" requires a distinct software component and whether the "destination" must be the end-user's device rather than another server within the accused infringer's own infrastructure.
- A central evidentiary question will be one of technical operation: for the ’780 patent, does the accused system "fetch" components from an external source as required by the claim, or does it merely observe components that are unpacked or created locally by a primary file during sandbox execution, potentially creating a mismatch with the claim language?