DCT
5:13-cv-03999
Finjan Inc v. Blue Coat Systems Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Finjan, Inc. (Delaware)
  - Defendant: Blue Coat Systems, Inc. (Delaware)
  - Plaintiff’s Counsel: Kramer Levin Naftalis & Frankel LLP
- Case Identification: [Finjan, Inc.](https://ai-lab.exparte.com/party/finjan-inc) v. [Blue Coat Systems, Inc.](https://ai-lab.exparte.com/party/blue-coat-systems-inc), 5:13-cv-03999, N.D. Cal., 08/28/2013
- Venue Allegations: Plaintiff alleges venue is proper in the Northern District of California because Defendant conducts business, markets its products, and has established minimum contacts within the district.
- Core Dispute: Plaintiff alleges that Defendant’s network security appliances and cloud services infringe six patents related to proactive, behavior-based malware detection and neutralization.
- Technical Context: The patents address security threats from executable web content ("downloadables" like Java applets and scripts) by analyzing content, generating unique identifiers, and monitoring behavior to protect networks and endpoints.
- Key Procedural History: The complaint does not allege any pre-suit licensing history, prior litigation between the parties, or post-grant proceedings involving the patents-in-suit.
Case Timeline
| Date | Event | 
|---|---|
| 1996-11-08 | Priority Date for U.S. Patent Nos. 6,804,780 and 6,154,844 | 
| 2000-05-17 | Priority Date for U.S. Patent Nos. 7,058,822 and 7,647,633 | 
| 2000-11-28 | U.S. Patent No. 6,154,844 Issued | 
| 2003-02-27 | Priority Date for U.S. Patent Nos. 6,965,968 and 7,418,731 | 
| 2004-10-12 | U.S. Patent No. 6,804,780 Issued | 
| 2005-11-15 | U.S. Patent No. 6,965,968 Issued | 
| 2006-06-06 | U.S. Patent No. 7,058,822 Issued | 
| 2008-08-26 | U.S. Patent No. 7,418,731 Issued | 
| 2010-01-12 | U.S. Patent No. 7,647,633 Issued | 
| 2013-08-28 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,804,780 - "System and Method for Protecting a Computer and a Network From Hostile Downloadables"
- Patent Identification: U.S. Patent No. 6,804,780, "System and Method for Protecting a Computer and a Network From Hostile Downloadables," issued October 12, 2004.
The Invention Explained
- Problem Addressed: The patent addresses the inability of conventional security systems to recognize and protect against computer viruses attached to or configured as "Downloadables," which are executable application programs like Java™ applets and ActiveX™ controls downloaded from a source computer ('780 Patent, col. 1:45-67).
- The Patented Solution: The invention provides a system that generates a unique "Downloadable ID" for each piece of executable content, typically by performing a hashing function on the downloadable and all its referenced software components ('780 Patent, col. 8:5-17). This ID allows the system to recognize previously evaluated content efficiently, apply security policies based on the ID, and avoid redundant analysis, thereby saving computational resources (Compl. ¶12; ’780 Patent, Abstract).
- Technical Importance: The technology provided a method for uniquely identifying and applying policies to the emerging threat of executable web content, moving beyond simple signature-based detection prevalent at the time (Compl. ¶7).
Key Claims at a Glance
- The complaint asserts inducement of at least claims 1-8 and 16 (Compl. ¶48). Claim 1 is the lead independent claim.
- Claim 1 recites a computer-based method comprising the elements of:
  - obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable;
  - fetching at least one software component identified by the one or more references; and
  - performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID.
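The three claimed steps (obtain, fetch referenced components, hash the whole) are contrasted below with a hash of the single file as received, using each value as the key of a verdict cache. This is an added illustration, not code from the patent, the complaint, or either party's products; SHA-256, the length-prefixed framing, the sorted reference order, the sample applet data and the toy `scan` rule are all assumptions made for the example.

```python
import hashlib

def _feed(h, label: bytes, data: bytes) -> None:
    # Length-prefix each field so different (label, data) splits cannot collide.
    for part in (label, data):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)

def single_file_fingerprint(body: bytes) -> str:
    """Hash only the bytes of the file as received."""
    return hashlib.sha256(body).hexdigest()

def composite_id(body: bytes, references, fetch) -> str:
    """Hash the downloadable plus every component its references resolve to."""
    h = hashlib.sha256()
    _feed(h, b"downloadable", body)
    for ref in sorted(set(references)):      # order-independent, de-duplicated
        component = fetch(ref)
        if component is None:
            # Refuse to issue an ID for an incomplete package.
            raise LookupError(f"unresolved reference: {ref}")
        _feed(h, ref.encode(), component)
    return h.hexdigest()

# Constructed sample data: one applet body, two origins serving different helpers.
APPLET = b"<applet main; uses Helper.class, Net.class>"
REFS = ["Helper.class", "Net.class"]
ORIGIN_A = {"Helper.class": b"draw_banner()", "Net.class": b"open(same_origin)"}
ORIGIN_B = {"Helper.class": b"draw_banner()", "Net.class": b"open(any_host)"}

def cached_verdict(cache: dict, key: str, scan) -> tuple:
    """Return (verdict, was_cache_hit); scan() runs only on a miss."""
    if key in cache:
        return cache[key], True
    cache[key] = scan()
    return cache[key], False

def demo() -> dict:
    file_cache, composite_cache = {}, {}
    out = {}
    for name, origin in (("A", ORIGIN_A), ("B", ORIGIN_B)):
        # Toy scanner (assumption): flags a component that opens arbitrary hosts.
        scan = lambda o=origin: "block" if b"any_host" in o["Net.class"] else "allow"
        out[name] = {
            "file": cached_verdict(file_cache, single_file_fingerprint(APPLET), scan),
            "composite": cached_verdict(
                composite_cache, composite_id(APPLET, REFS, origin.get), scan),
        }
    return out

if __name__ == "__main__":
    print(demo())
```

With the identical applet body served alongside a different `Net.class`, the single-file cache returns the earlier verdict as a hit, while the composite ID misses and triggers a fresh scan.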
 
U.S. Patent No. 7,058,822 - "Malicious Mobile Code Runtime Monitoring System and Methods"
- Patent Identification: U.S. Patent No. 7,058,822, "Malicious Mobile Code Runtime Monitoring System and Methods," issued June 6, 2006.
The Invention Explained
- Problem Addressed: The patent addresses the need for "efficient, accurate and flexible protection of computers and other network connectable devices from malicious Downloadables" beyond what was available in prior systems ('822 Patent, col. 2:11-14).
- The Patented Solution: The invention describes a protection system, typically at a network gateway or server, that inspects incoming information to determine if it contains executable code. If it does, the system "causes mobile protection code ('MPC') to be transferred to and rendered operable within a destination device" ('822 Patent, Abstract). This MPC forms a "protection agent" that monitors the downloadable's operations at runtime on the end-user's device, intercepting potentially malicious actions and executing protective policies in response (Compl. ¶15; ’822 Patent, col. 4:3-8).
- Technical Importance: This technology describes a shift from purely static, gateway-level analysis to a dynamic, client-side runtime monitoring approach, creating a "sandbox" to contain and neutralize threats as they attempt to execute (Compl. ¶7).
Key Claims at a Glance
- The complaint asserts inducement of claims 1, 4, 6, and 8, and contributory infringement of claims 1, 2, 4, 9, 10, 12, 15, 28, 31, 33, 34, and 35 (Compl. ¶¶66, 68). Claim 1 is the lead independent claim.
- Claim 1 recites a processor-based method comprising the elements of:
  - receiving downloadable-information;
  - determining whether the downloadable-information includes executable code; and
  - causing mobile protection code to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.
 
U.S. Patent No. 7,647,633 - "Malicious Mobile Code Runtime Monitoring System and Methods"
- Technology Synopsis: As a continuation of the '822 Patent family, this patent is also directed to protecting devices from undesirable operations from web-based content by determining if the content is executable and then "trapping such content and neutralizing possible harmful effects using mobile protection code" (Compl. ¶18).
- Asserted Claims: The complaint asserts claims for direct and indirect infringement but does not specify claim numbers for the ’633 Patent in the body of the complaint, instead making general allegations (Compl. ¶¶79, 86, 88).
- Accused Features: The complaint alleges that the Blue Coat ProxySG Appliances and Software embody the patented invention (Compl. ¶82).
U.S. Patent No. 6,154,844 - "System and Method for Attaching a Downloadable Security Profile to a Downloadable"
- Technology Synopsis: The patent is directed to protecting devices by "linking a security profile to such web-based content" (Compl. ¶21). An "inspector" generates a security profile based on a set of rules and attaches it to the downloadable content before it reaches the end user, allowing a protection engine on the client or gateway to make security decisions based on the profile (’844 Patent, Abstract).
- Asserted Claims: The complaint asserts inducement of at least claims 1, 3-8, 11, 14 and 23-27 (Compl. ¶106).
- Accused Features: The complaint alleges that the Blue Coat WebPulse Service embodies the patented invention (Compl. ¶102).
U.S. Patent No. 6,965,968 - "Policy-Based Caching"
- Technology Synopsis: The patent is directed to methods for enabling "policy-based cache management to determine if digital content is allowable relative to a policy" (Compl. ¶24). This is accomplished by scanning digital content to derive a content profile and then determining whether that content is permissible for caching based on the profile and an applicable policy (’968 Patent, Abstract).
- Asserted Claims: The complaint asserts inducement of at least claims 13-16, 20-21 and 26 (Compl. ¶124).
- Accused Features: The complaint alleges that the ProxySG Appliances and Software and WebPulse Service embody the invention (Compl. ¶120).
U.S. Patent No. 7,418,731 - "Method and System for Caching at Secure Gateways"
- Technology Synopsis: Related to the ’968 Patent, this invention is also directed to policy-based cache management. It involves scanning digital content to derive a profile that includes "at least one computer command the content would perform," and then determining if the content is allowable based on that profile (Compl. ¶27).
- Asserted Claims: The complaint asserts inducement of at least claims 7-9, 11, and 14-16 (Compl. ¶142).
- Accused Features: The complaint alleges that the ProxySG Appliances, ProxyAV Appliances, and WebPulse Service embody the invention (Compl. ¶138).
III. The Accused Instrumentality
Product Identification
- The accused instrumentalities are the Blue Coat ProxySG Appliances and Software, ProxyAV Appliances and Software, and the WebPulse Cloud Service (Compl. ¶28).
Functionality and Market Context
- The accused products are a family of proxy appliances and cloud services placed at the Internet gateway to provide security for web-based communications (Compl. ¶29). The ProxySG appliances utilize a "Content Policy Language" (CPL) to evaluate web requests, scan files for active content (e.g., scripts, JavaScript entities), and remove or replace it based on defined policies (Compl. ¶¶30-32). The ProxyAV appliances provide "inline threat protection and malware scanning of Web content" and can create a "secure hash fingerprint" of a file's content to compare against a database of previously scanned objects (Compl. ¶¶34-35). The WebPulse service is a cloud-based infrastructure that analyzes URL requests in real-time using a "Dynamic Real-Time Rating" system to identify and block suspicious content (Compl. ¶36). A system diagram provided in the complaint illustrates how these components interoperate to protect various user types (Compl. p. 7).
IV. Analysis of Infringement Allegations
6,804,780 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| obtaining a Downloadable that includes one or more references to software components... | Blue Coat's ProxyAV appliances are situated at the internet gateway and scan objects such as webpages. | ¶34, ¶35 | col. 8:1-3 | 
| fetching at least one software component identified by the one or more references; and | The complaint does not provide sufficient detail for analysis of this specific element. | -- | col. 8:4-5 | 
| performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID. | The ProxyAV appliances "create a secure hash fingerprint of the file's content and compare its contents to a database of hashes from previously scanned objects." | ¶35 | col. 8:6-9 | 
- Identified Points of Contention:
  - Scope Questions: A central question may be whether the accused ProxyAV's creation of a "secure hash fingerprint of the file's content" meets the claim limitation of "performing a hashing function on the Downloadable and the fetched software components." The defense may argue that hashing a single file as received is distinct from the patent's more complex process of fetching all referenced components (e.g., all .class files for a Java applet) and then hashing the complete, reconstituted package.
7,058,822 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| receiving downloadable-information; | The ProxySG and ProxyAV appliances are placed at the Internet gateway to receive web-based communications. | ¶29, ¶34 | col. 3:45-50 | 
| determining whether the downloadable-information includes executable code; and | The ProxySG appliances use CPL to scan HTML and ASX files for active content and to detect and remove executables. The ProxyAV appliances perform malware scanning. | ¶30, ¶34 | col. 4:2-3 | 
| causing mobile protection code to be communicated to at least one information-destination... if... determined to include executable code. | The complaint alleges the accused systems neutralize harmful effects using mobile protection code by trapping and removing or replacing active content at the gateway. | ¶15, ¶31, ¶32 | col. 4:4-8 | 
- Identified Points of Contention:
  - Scope Questions: The infringement analysis may turn on whether Blue Coat's gateway-level action of removing or replacing active content before it reaches the user can be construed as "causing mobile protection code to be communicated to" the end-user's device. The patent's specification appears to describe sending an active monitoring agent or "protection agent" to the destination device to create a runtime sandbox, which raises the question of a potential mismatch between the claimed method and the alleged functionality.
 
V. Key Claim Terms for Construction
For the ’780 Patent
- The Term: "Downloadable ID"
- Context and Importance: This term is the output of the claimed method. Plaintiff's infringement theory maps this term to Defendant's "secure hash fingerprint" (Compl. ¶35). The definition of what constitutes a "Downloadable ID" under the patent—specifically, what inputs are required for its generation—is therefore critical.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The patent abstract states the ID is used to "identify" the downloadable, and the complaint notes its purpose is to allow recognition "without reevaluation" (Compl. ¶12). This functional description could support a broader definition that includes any unique, hash-based identifier. The specification notes that the ID is "preferably" generated by computing a digital hash, which may suggest other methods are contemplated ('780 Patent, col. 8:5-7).
  - Evidence for a Narrower Interpretation: The detailed description of the preferred embodiment specifies that generating the ID involves prefetching all components embodied in or identified by the code and then performing a hash on the complete code and its components ('780 Patent, col. 8:7-17). This could support a narrower construction requiring a comprehensive hash of a fully constituted downloadable, not just a hash of a single file's contents.
 
For the ’822 Patent
- The Term: "mobile protection code"
- Context and Importance: This term is central to the dispute, as Plaintiff must demonstrate that Defendant's gateway-level filtering actions constitute communicating "mobile protection code" to the end user. Practitioners may focus on this term because its construction could determine whether there is a fundamental operational mismatch between the patented method and the accused systems.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The complaint describes the purpose of the code as neutralizing "possible harmful effects" (Compl. ¶15). Plaintiff may argue that replacing malicious script with a benign warning message at the gateway is a form of "protection code" that is ultimately "communicated" to the user's browser, satisfying this functional goal.
  - Evidence for a Narrower Interpretation: The patent's abstract describes causing the "mobile protection code (MPC) to be transferred to and rendered operable within a destination device," where it forms a "protection agent" that monitors the downloadable at runtime. The detailed description states the MPC is for "causing one or more predetermined malicious operations...to be monitored or otherwise intercepted" on the destination device ('822 Patent, col. 3:7-10). This language suggests the "code" must be an active, executable agent sent to the client, not simply the result of a filtering action at the gateway.
 
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement to infringe all patents-in-suit. The allegations are based on Defendant’s user manuals, datasheets, configuration guides, and marketing materials, which allegedly instruct customers and users to configure and operate the accused products in an infringing manner (Compl. ¶¶49-51, 67, 70-71). The complaint also pleads contributory infringement for the ’822 and ’633 patents, alleging the accused ProxySG appliances are a material component of the patented system, are especially adapted for infringing use, and are not a staple article of commerce (Compl. ¶¶68-69).
- Willful Infringement: The complaint does not include a standalone count for willful infringement. However, in its inducement counts, it alleges that Defendant "knew or was willfully blind to the fact that it was inducing" infringement (e.g., Compl. ¶49). It further alleges that Defendant gained knowledge of the patents "at least as of the time it learned of this action for infringement," suggesting a primary basis for intent founded on post-suit knowledge (Compl. ¶¶55, 75).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the term "mobile protection code," described in the ’822 patent specification as an active agent sent to a client device to monitor code at runtime, be construed to cover the accused system’s function of removing or replacing web content at the network gateway before it reaches the client?
- A key evidentiary question will be one of functional operation: does the accused ProxyAV appliance’s generation of a "secure hash fingerprint" based on a single file’s content operate in a substantially similar way to the ’780 patent’s claimed method of generating a "Downloadable ID," which is described as requiring the fetching of all referenced software components and hashing the complete, assembled package?
- The case may also present a question of causation for indirect infringement: does the evidence, such as user manuals and marketing materials, show that Blue Coat specifically intended for its customers to use the accused products in a way that practices every step of the asserted method claims, or do these materials merely instruct on the general, non-infringing operation of a security product?