Finjan LLC v. Cisco Systems Inc

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: Finjan, Inc. (Delaware)
  • Defendant: Cisco Systems, Inc. (California)
  • Plaintiff’s Counsel: Kramer Levin Naftalis & Frankel LLP
• Case Identification: 5:17-cv-00072, N.D. Cal., 07/07/2017
• Venue Allegations: Venue is alleged based on Defendant’s principal place of business being located within the district and its continuous business operations therein.
• Core Dispute: Plaintiff alleges that Defendant’s network security products, including its Advanced Malware Protection (AMP) suite and associated threat intelligence services, infringe five patents related to proactive malware detection and analysis.
• Technical Context: The technology domain is network cybersecurity, specifically methods for identifying and neutralizing malicious code in network traffic before it can execute on an end-user’s device.
• Key Procedural History: The complaint alleges a multi-decade relationship between the parties, beginning with an OEM agreement in the late 1990s. Plaintiff asserts that Defendant gained direct knowledge of the patents-in-suit through a series of investments in Plaintiff starting in 2004, which included board observation rights, and through specific technical presentations. Plaintiff further alleges that Defendant acquired technology from Sourcefire, Inc. in 2013 and integrated other technologies around 2012 that it knew practiced the patented inventions. This alleged history of knowledge is the basis for Plaintiff's willfulness claims.

Case Timeline

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 6,154,844 - "SYSTEM AND METHOD FOR ATTACHING A DOWNLOADABLE SECURITY PROFILE TO A DOWNLOADABLE," Issued November 28, 2000

The Invention Explained

• Problem Addressed: The patent describes the problem of protecting computers from hostile "Downloadables" (e.g., Java applets, ActiveX controls), which conventional security systems were not configured to recognize or block effectively ('844 Patent, col. 1:33-54).
• The Patented Solution: The invention proposes a system where an "inspector" analyzes a downloadable file before it is deployed on a web server. This inspection generates a "Downloadable Security Profile" (DSP) that lists potentially suspicious operations the file might perform. This DSP is then linked to the downloadable. A protection engine at a network gateway or on a client computer can then examine this pre-generated profile to enforce a security policy, rather than performing a full, resource-intensive analysis in real time ('844 Patent, Abstract; Fig. 1).
• Technical Importance: The technology established a proactive, pre-vetting security model for web content, enabling security decisions based on a portable, verifiable profile attached to the content itself ('844 Patent, col. 3:1-7).

Key Claims at a Glance

• The complaint asserts independent claim 1, among others (Compl. ¶¶ 55, 71).
• Essential elements of independent claim 1 include:
  • receiving by an inspector a Downloadable;
  • generating by the inspector a first Downloadable security profile that identifies suspicious code in the received Downloadable; and
  • linking by the inspector the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients.
• The complaint asserts claims 1-44 (Compl. ¶ 55).

U.S. Patent No. 6,804,780 - "SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES," Issued October 12, 2004

The Invention Explained

• Problem Addressed: As web content became more complex and composed of multiple components, security systems needed a reliable and efficient way to identify a piece of content without having to re-analyze it every time it was encountered (Compl. ¶ 14; '780 Patent, col. 1:11-16).
• The Patented Solution: The invention describes a method for creating a unique "Downloadable ID." This is done by obtaining a downloadable file, "fetching" any external software components it references (such as other code libraries), and then performing a hashing function on the combination of the original file and the fetched components. This unique hash serves as a persistent identifier for the entire package of content, allowing a security system to recognize it later ('780 Patent, Abstract; Fig. 8).
• Technical Importance: This approach provides a method for "fingerprinting" composite web content, enabling security systems to cache analysis results and make faster, more efficient policy decisions upon subsequent encounters with the same content ('780 Patent, col. 2:11-16).

Key Claims at a Glance

• The complaint asserts independent claim 1, among others (Compl. ¶¶ 75, 88).
• Essential elements of independent claim 1 include:
  • obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable;
  • fetching at least one software component identified by the one or more references; and
  • performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID.
• The complaint asserts claims 1-18 (Compl. ¶ 75).

U.S. Patent No. 7,647,633 - "MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS," Issued January 12, 2010

The Invention Explained

• The patent addresses threats from executable "mobile code." The invention describes determining if downloadable information contains executable code and, if so, transmitting "mobile protection code" (MPC) to the destination. This MPC can then create a protected runtime environment or "sandbox" to monitor and control the behavior of the executable code at its destination, neutralizing harmful effects (Compl. ¶¶ 17, 97; '633 Patent, Abstract).

Key Claims at a Glance

• Asserted Claims: Independent claims 1, 14, 28, and 34 are asserted among claims 1-41 (Compl. ¶¶ 93, 107).
• Accused Features: The complaint alleges that the Accused AMP Products scan incoming files, and if they contain executable code, send the file to a sandbox destination along with mobile protection code for analysis (Compl. ¶¶ 97-98).

U.S. Patent No. 8,141,154 - "SYSTEM AND METHOD FOR INSPECTING DYNAMICALLY GENERATED EXECUTABLE CODE," Issued March 20, 2012

The Invention Explained

• The patent describes a system where a gateway computer intercepts content that includes a call to a function. Instead of letting the client execute it directly, the gateway transmits the function's input to a separate security computer for inspection. The client is only permitted to invoke the function if the security computer sends back an indicator that it is safe to do so, thus preventing the execution of dynamically generated malicious code ('154 Patent, Abstract; Compl. ¶ 116).

Key Claims at a Glance

• Asserted Claims: Independent claim 1 is asserted among claims 1-12 (Compl. ¶ 112).
• Accused Features: Cisco's Outbreak Filters allegedly practice the invention by rewriting URLs in emails to redirect them to a proxy (the gateway). The proxy sends the content to Talos (the security computer) for real-time scanning, and the content is only delivered to the end-user if Talos indicates it is safe (Compl. ¶¶ 115-116).

U.S. Patent No. 8,677,494 - "MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS," Issued March 18, 2014

The Invention Explained

• The patent discloses a method where a system receives an incoming downloadable, derives a security profile for it that includes a list of suspicious computer operations the downloadable might attempt, and stores this profile data in a database. This allows for the creation of a repository of threat intelligence based on behavioral analysis ('494 Patent, Abstract; Compl. ¶ 129).

Key Claims at a Glance

• Asserted Claims: Independent claims 1 and 10 are asserted among claims 1-18 (Compl. ¶¶ 125, 139).
• Accused Features: The complaint alleges that Cisco AMP for Endpoints receives downloadables and performs a lookup in the cloud, where a security profile detailing suspicious operations is derived and stored in a database (the Talos intelligence cloud) (Compl. ¶ 129).

III. The Accused Instrumentality

Product Identification

• The accused instrumentalities are a suite of Cisco’s security products and services, including Cisco Advanced Malware Protection (AMP) for Endpoints, Networks, and various appliances; the Talos Security Intelligence and Research Group; Cisco Outbreak Filters; and the AMP Threat Grid (Compl. ¶¶ 24, 44).

Functionality and Market Context

• The accused products form a comprehensive threat detection ecosystem. The AMP products operate at network gateways and on endpoint devices to inspect files and network traffic (Compl. ¶¶ 39, 59). They leverage the Talos cloud platform, which provides real-time threat intelligence and file dispositions (Compl. ¶ 39). Files with unknown dispositions are automatically submitted to the AMP Threat Grid, a sandbox environment, for dynamic analysis against hundreds of behavioral indicators (Compl. ¶ 41). The complaint includes a diagram from a Cisco presentation illustrating the "File Lookup and Retrospection" process, where connectors on endpoints and networks query the Cisco TALOS Cloud for file dispositions based on SHA hashes (Compl. p. 11, Ex. 23). The Outbreak Filters product specifically targets email-borne threats by rewriting URLs and scanning the destination content in real-time before allowing or blocking user access (Compl. ¶ 42).

IV. Analysis of Infringement Allegations

'844 Patent Infringement Allegations

• Identified Points of Contention:
  • Scope Questions: The infringement theory may depend on mapping the patent's pre-deployment architecture (where an inspector vets content before it is placed on a web server) to the accused real-time gateway architecture (which inspects content in transit). A question for the court may be whether inspecting content after it has left a web server but before it reaches a client satisfies the claim limitation "before a web server makes the Downloadable available to web clients."
  • Technical Questions: The complaint alleges the security profile is "linked" to the downloadable. A factual question may be whether the internal data records used by the accused products to make a block/allow decision constitute "linking" in the manner required by the patent, or if there is a technical distinction.

'780 Patent Infringement Allegations

• Identified Points of Contention:
  • Technical Questions: A key factual question may be what evidence the complaint provides to support the allegation that the accused products actively "fetch" external software components referenced within a downloadable as part of their hashing process. The infringement allegation could fail if the accused hashing function is performed only on the primary file itself, without resolving and retrieving referenced components as required by the claim.

V. Key Claim Terms for Construction

• The Term: "before a web server makes the Downloadable available to web clients" ('844 Patent, Claim 1)

• Context and Importance: This temporal phrase is critical to mapping the patent's workflow onto the accused real-time gateway products. Practitioners may focus on this term because Defendant may argue its products inspect content after a web server has already made it available, potentially placing the accused activity outside the claim's scope.

• Intrinsic Evidence for Interpretation:

  • Evidence for a Broader Interpretation: The patent’s general description of the system components—developer, inspector, web server, client—could be argued to represent a logical flow rather than a strict, temporally-ordered physical one (e.g., ’844 Patent, Fig. 1). This may support an interpretation where "before...available to web clients" means simply before the client device itself receives the content.
  • Evidence for a Narrower Interpretation: The specification's flowchart for inspecting a downloadable explicitly shows the final step as "FORWARD THE SIGNED INSPECTED DOWNLOADABLE TO THE WEB SERVER FOR DEPLOYMENT" ('844 Patent, Fig. 6, step 645). This language suggests the entire inspection and linking process is completed offline, prior to the content ever being placed on a publicly accessible server, supporting a narrower, pre-deployment construction.

• The Term: "fetching at least one software component" ('780 Patent, Claim 1)

• Context and Importance: This term defines an active step of retrieval that distinguishes the claimed method from simply hashing a single file. The infringement case for the ’780 Patent may depend on whether the accused products are shown to perform this specific action.

• Intrinsic Evidence for Interpretation:

  • Evidence for a Broader Interpretation: The specification of the parent '844 patent, incorporated by reference, discusses various downloadable types. An argument could be made that for certain packaged files (e.g., installers), the process of unpacking the file to access internal components could be considered "fetching."
  • Evidence for a Narrower Interpretation: The specification of the parent patent describes this process in the context of Java applets fetching classes or ActiveX controls using .INF files to retrieve components ('844 Patent, col. 4:45-51). This context suggests "fetching" implies retrieving components that are external to the primary downloadable file, not merely contained within it, supporting a narrower interpretation that requires an out-of-file retrieval step.

VI. Other Allegations

• Indirect Infringement: The complaint alleges that Defendant induces infringement by providing customers with extensive documentation, including quick start guides, user guides, and operating instructions via its support website, which allegedly instruct users on how to configure and use the accused products in an infringing manner (Compl. ¶¶ 72-73, 91).
• Willful Infringement: The complaint alleges a long and detailed pre-suit history of Defendant’s knowledge of the patents-in-suit, beginning with a collaborative relationship and OEM agreement in the late 1990s (Compl. ¶ 47). The allegations for willfulness are based on specific events, including stock purchase agreements from 2004 and 2008 that allegedly identified the patents or their pending applications, Defendant's representative attending Plaintiff's board meetings, and Defendant's receipt of presentations on the patented technology (Compl. ¶¶ 48-49, 65).

VII. Analyst’s Conclusion: Key Questions for the Case

• A core issue will be one of architectural scope: can claim limitations rooted in a pre-deployment, offline content inspection model (as described in the ’844 patent) be construed to cover the accused real-time, in-transit security architecture? The outcome may depend on the court's interpretation of the temporal phrase "before a web server makes the Downloadable available to web clients."
• A key evidentiary question will be one of technical operation: does the accused file analysis process, which uses SHA hashing for cloud lookups, perform the specific step of "fetching...software components" as required by claim 1 of the '780 patent, or is there a fundamental mismatch in the technical steps performed?
• Given the extensive history alleged, a central dispute will likely be willfulness and intent: assuming infringement is found, did the Defendant proceed with developing and selling the accused products despite having direct knowledge of the patents and a high likelihood of infringement, stemming from its prior investment and collaborative relationship with the Plaintiff?