Finjan LLC v. SonicWall Inc

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: Finjan, Inc. (Delaware)
  • Defendant: SonicWall, Inc. (Delaware)
  • Plaintiff’s Counsel: Kramer Levin Naftalis & Frankel LLP
• Case Identification: Finjan, Inc. v. SonicWall, Inc., 5:17-cv-04467, N.D. Cal., 08/04/2017
• Venue Allegations: Plaintiff alleges venue is proper because Defendant is headquartered and has its principal place of business in the Northern District of California.
• Core Dispute: Plaintiff alleges that Defendant’s network security appliances, email security products, and associated cloud-based threat analysis services infringe eleven patents related to proactive, behavior-based detection of malicious web content.
• Technical Context: The technology lies in the field of cybersecurity, specifically methods for identifying and neutralizing malware, viruses, and other hostile "downloadables" before they can harm a computer or network.
• Key Procedural History: The complaint alleges a multi-year history of pre-suit licensing negotiations, beginning in June 2014, during which Plaintiff allegedly provided Defendant with notice of the asserted patents and claim charts detailing the alleged infringement.

Case Timeline

Date	Event
1996-11-08	U.S. Patent No. 6,154,844 Priority Date
1997-11-06	U.S. Patent No. 6,804,780 Priority Date
2000-03-30	U.S. Patent No. 6,965,968 Priority Date
2000-05-17	U.S. Patent No. 7,058,822 Priority Date
2000-11-28	U.S. Patent No. 6,154,844 Issued
2001-05-17	U.S. Patent Nos. 7,613,926, 7,647,633, 8,677,494 Priority Date
2004-10-12	U.S. Patent No. 6,804,780 Issued
2004-12-09	U.S. Patent Nos. 7,975,305, 8,225,408 Priority Date
2005-11-15	U.S. Patent No. 6,965,968 Issued
2006-06-06	U.S. Patent No. 7,058,822 Issued
2009-11-03	U.S. Patent No. 7,613,926 Issued
2010-01-12	U.S. Patent No. 7,647,633 Issued
2010-06-14	U.S. Patent No. 8,141,154 Priority Date
2011-07-05	U.S. Patent No. 7,975,305 Issued
2012-03-20	U.S. Patent No. 8,141,154 Issued
2012-07-17	U.S. Patent No. 8,225,408 Issued
2014-03-18	U.S. Patent No. 8,677,494 Issued
2014-06-10	Plaintiff allegedly informed Defendant of patent portfolio and infringement
2017-08-04	Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 6,154,844 - "System and Method for Attaching a Downloadable Security Profile to a Downloadable"

The Invention Explained

• Problem Addressed: The patent addresses the problem of computer security systems being unable to recognize viruses attached to or configured as "Downloadables" (e.g., Java applets, ActiveX controls) delivered over a public network like the Internet (’844 Patent, col. 1:36-52).
• The Patented Solution: The invention proposes a system with an "inspector" that analyzes a downloadable before it is made available on a web server. This inspector generates a "Downloadable Security Profile" (DSP) that identifies potentially suspicious operations or code patterns and links this profile to the downloadable. A protection engine on the client side can then examine this profile against local security policies before allowing the downloadable to run (’844 Patent, Abstract; Fig. 1).
• Technical Importance: The technology represents a shift from purely reactive, client-side virus scanning to a proactive, pre-analysis model performed at a gateway or central server to vet content before widespread distribution (Compl. ¶7).

Key Claims at a Glance

• The complaint asserts independent claim 1 (Compl. ¶¶ 60, 64).
• The essential elements of independent claim 1 are:
  • receiving by an inspector a Downloadable;
  • generating by the inspector a first Downloadable security profile that identifies suspicious code in the received Downloadable; and
  • linking by the inspector the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients.
• The complaint asserts claims 1-44, which includes dependent claims (Compl. ¶60).

U.S. Patent No. 7,058,822 - "Malicious Mobile Code Runtime Monitoring System and Methods"

The Invention Explained

• Problem Addressed: The patent aims to protect computer networks from undesirable or malicious operations caused by executable mobile code downloaded from the internet (Compl. ¶14; ’822 Patent, col. 1:24-30).
• The Patented Solution: The invention describes a method where a system receives downloadable information, determines if it contains executable code, and if so, transmits "mobile protection code" (MPC) to the destination. This MPC acts as a runtime monitor or agent at the destination, intercepting potentially malicious operations attempted by the downloadable and enforcing security policies (’822 Patent, Abstract; col. 4:1-15).
• Technical Importance: This technology provides a runtime protection mechanism where a security agent is delivered alongside potentially malicious content to police its behavior in the client environment, rather than simply blocking the content at the gateway (Compl. ¶14).

Key Claims at a Glance

• The complaint asserts independent claim 1 (Compl. ¶¶ 79, 83).
• The essential elements of independent claim 1 are:
  • receiving downloadable information;
  • determining whether that the downloadable information includes executable code; and
  • transmitting mobile protection code to at least one information destination of the downloadable information if the downloadable information is determined to include executable code.
• The complaint asserts claims 1-35, which includes dependent claims (Compl. ¶79).

U.S. Patent No. 6,804,780 - "System and Method for Protecting a Computer and a Network from Hostile Downloadables"

• Technology Synopsis: The patent describes generating a unique ID for a downloadable file (e.g., by hashing) to allow for efficient recognition without re-evaluation, saving computing resources (Compl. ¶17). The method involves fetching software components referenced by the downloadable and performing a hashing function on the combination to create the ID (Compl. ¶101).
• Asserted Claims: Claims 1-18 are asserted (Compl. ¶97).
• Accused Features: The complaint alleges that the Accused Products perform a hashing function (MD-5, SHA1, SHA256) on incoming files to generate "File Identifiers" which serve as downloadable IDs (Compl. ¶101).

U.S. Patent No. 7,613,926 - "Method and System for Protecting a Computer and a Network from Hostile Downloadables"

• Technology Synopsis: The patent relates to protecting computers by hashing a downloadable to generate an ID, retrieving security profile data associated with that ID, and then transmitting the downloadable either appended with or accompanied by a representation of that security profile data (Compl. ¶20).
• Asserted Claims: Claims 1-30 are asserted (Compl. ¶130).
• Accused Features: The accused products are alleged to generate downloadable identifiers (e.g., SHA256 hashes), retrieve security profile data from a database (such as a SQL database on the appliance or in the Capture ATP cloud), and transmit the downloadable and a representation of the data to the Sonic Sandbox for further analysis (Compl. ¶¶ 134-136).

U.S. Patent No. 7,647,633 - "Malicious Mobile Code Runtime Monitoring System and Methods"

• Technology Synopsis: This patent is related to the ’822 Patent and describes a method of protecting devices by receiving downloadable information, determining if it contains executable code, and if so, transmitting mobile protection code to the information's destination (Compl. ¶¶ 23, 117).
• Asserted Claims: Claims 1-41 are asserted (Compl. ¶113).
• Accused Features: The complaint alleges the firewall gateway products receive downloadable information, scan it for executable code, and if found, send the code and mobile protection code (equated with the sandbox environment) to the Multi-engine Sonic Sandbox for analysis (Compl. ¶¶ 117-118).

U.S. Patent No. 8,141,154 - "System and Method for Inspecting Dynamically Generated Executable Code"

• Technology Synopsis: The patent describes a gateway protecting a client from dynamically generated malicious content by processing content that includes a call to a first function, transmitting the input of that function to a security computer for inspection, and only invoking a second function if the security computer indicates it is safe (Compl. ¶26, 151).
• Asserted Claims: Claims 1-12 are asserted (Compl. ¶147).
• Accused Features: The Appliance Products allegedly act as a content processor that receives content (e.g., obfuscated JavaScript), transmits an input from that content to the Capture ATP cloud or GRID for a safety determination, and only proceeds based on the received indicator (Compl. ¶152).

U.S. Patent No. 8,677,494 - "Malicious Mobile Code Runtime Monitoring System and Methods"

• Technology Synopsis: The patent covers a method of receiving a downloadable, deriving a security profile for it that includes a list of suspicious computer operations, and storing that profile data in a database (Compl. ¶29, 164).
• Asserted Claims: Claims 1-18 are asserted (Compl. ¶160).
• Accused Features: The Capture ATP service is accused of deriving security profile data, including hashes and lists of suspicious operations (e.g., registry reads, processes created), and storing this data in databases to provide analysis reports (Compl. ¶¶ 165-166).

U.S. Patent No. 7,975,305 - "Method and System for Adaptive Rule-Based Conent Scanners for Desktop Computers"

• Technology Synopsis: The technology involves rule-based scanning of web content using parser and analyzer rules to describe exploits as patterns of tokens, with a system for keeping the rules updated (Compl. ¶32).
• Asserted Claims: Claims 1-25 are asserted (Compl. ¶177).
• Accused Features: The accused products allegedly receive internet content, selectively divert it for scanning, and use analyzer and parser rules (including heuristics) to recognize exploits, with rules being updatable (Compl. ¶¶ 181-184).

U.S. Patent No. 8,225,408 - "Method and System for Adaptive Rule-Based Content Scanners"

• Technology Synopsis: This patent concerns rule-based scanning of web content for exploits written in various programming languages by expressing the exploits as patterns of tokens and analyzing them using a parse tree (Compl. ¶35).
• Asserted Claims: Claims 1-35 are asserted (Compl. ¶196).
• Accused Features: The accused products are alleged to use machine learning, parser rules, and analyzer rules to create parse trees to find exploits in real-time (Compl. ¶201).

U.S. Patent No. 6,965,968 - "Method and System for Adaptive Rule-Based Conent Scanners for Desktop Computers"

• Technology Synopsis: The patent is directed to policy-based cache management, where digital content is scanned to derive a content profile, which is then used to determine if the content is allowable under a given policy (Compl. ¶38).
• Asserted Claims: Claims 1-38 are asserted (Compl. ¶213).
• Accused Features: The accused products allegedly include a web cache, scan incoming digital content to derive a profile, and determine whether the content is allowable under policies (Compl. ¶¶ 217-219).

III. The Accused Instrumentality

Product Identification

• The accused instrumentalities are Defendant’s SonicWall Appliance Products (including the SuperMassive, NSA, and TZ firewall series), Email Security Products, and associated subscription services, notably Capture Advanced Threat Protection (“Capture ATP”) and Gateway Security Services (Compl. ¶¶ 45-56).

Functionality and Market Context

• The accused products are network security appliances and cloud-based services designed to protect enterprise networks from inbound and outbound threats (Compl. ¶¶ 46-48, 51). The Capture ATP service is identified as a cloud-based, multi-engine sandbox that inspects traffic, extracts suspicious code, and executes it in a virtualized environment to analyze its behavior (Compl. ¶53). The complaint presents a diagram illustrating how the Capture ATP service intercepts traffic, sends suspicious files to a "Capture cloud" for sandboxing and analysis, and then passes a judgment on whether to filter the traffic (Compl. p. 16). This service can be configured to block files from reaching the end user until the cloud-based analysis returns a verdict (Compl. ¶67; p. 19).

IV. Analysis of Infringement Allegations

6,154,844 Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
receiving by an inspector a Downloadable	The accused gateway products, acting as an "inspector," receive incoming downloadables such as PDFs with JavaScript or EXE files.	¶64	col. 5:3-5
generating by the inspector a first Downloadable security profile that identifies suspicious code in the received Downloadable	The Capture ATP service's sandbox analyzes the downloadable's behavior, identifies suspicious computer operations (e.g., OS calls, registry changes), and uses rules to generate a security profile that determines if the content is malicious. A diagram in the complaint outlines how a sandbox monitors for such changes (Compl. p. 18).	¶¶65-66	col. 3:55-60
linking by the inspector the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients	Capture ATP links the generated profile to the downloadable by issuing a verdict and using a blocking mechanism that can prevent the client from accessing the file until the verdict is returned. A user interface screenshot shows a "Block all files until a verdict is returned" option (Compl. p. 19).	¶67	col. 3:60-64

• Identified Points of Contention:
  • Scope Questions: A central question may be whether the accused architecture—an in-line gateway firewall protecting an end user's network—falls within the scope of the claimed method. The patent's description and Figure 1 appear to describe a pre-publication certification system where an "inspector" vets a "downloadable" before it is placed on a "web server" for general public access, which is a different commercial and technical context than a real-time network security gateway. The complaint does not explicitly map the "web server" element of the claim to a component in the accused system.
  • Technical Questions: The analysis may turn on the definition of "linking." Does using a verdict to temporarily block a file transfer constitute "linking" a security profile to the downloadable in the manner contemplated by the patent, or does the patent require a more permanent association, such as a cryptographic signature or an attached data file?

7,058,822 Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
receiving downloadable information	The accused gateway security products receive downloadable information, such as files and email, for end users.	¶83	col. 2:4-5
determining whether that the downloadable information includes executable code	The products scan incoming information to determine whether it contains executable code, such as JavaScript or EXE files. A provided screenshot states the service supports analysis of executable programs (PE), DLLs, and PDFs (Compl. p. 24).	¶84	col. 2:5-7
transmitting mobile protection code to at least one information destination of the downloadable information if the downloadable information is determined to include executable code	If executable code is found, the system sends it to the "Multi-engine Sonic Sandbox," which the complaint identifies as the "information destination." The complaint alleges that the sandbox analysis platform itself constitutes the "mobile protection code."	¶85	col. 2:7-11

• Identified Points of Contention:
  • Scope Questions: The primary point of contention will likely be the interpretation of "transmitting mobile protection code to at least one information destination." The complaint alleges that sending the downloadable to a remote cloud sandbox for analysis satisfies this element, equating the sandbox environment with the "mobile protection code." The patent specification, however, describes forming a "protection agent including the MPC" and sending it to the "destination device" to monitor the downloadable at runtime in a local sandbox (’822 Patent, col. 4:1-15). This raises the question of whether "mobile protection code" must be sent to the end-user's device, as the patent's embodiments suggest, or if sending the downloadable away to a remote analysis server meets the claim limitation.

V. Key Claim Terms for Construction

• The Term: "linking... the... security profile to the Downloadable before a web server makes the Downloadable available to web clients" (’844 Patent, Claim 1).

• Context and Importance: This phrase is central to the infringement theory for the ’844 Patent. Its construction will determine whether the patent's pre-publication certification model can be read onto SonicWall's real-time gateway security architecture. Practitioners may focus on this term because the defendant will likely argue that its products are not "inspectors" and do not interact with a "web server" in the manner claimed.

• Intrinsic Evidence for Interpretation:

  • Evidence for a Broader Interpretation: The specification describes "linking" as potentially including an attachment or a pointer, which could be argued to cover any form of logical association, including a temporary block based on a verdict (’844 Patent, col. 6:15-20).
  • Evidence for a Narrower Interpretation: The patent's Figure 1 explicitly illustrates a three-party system with a "Developer" (120), an "Inspector" (125), and a "Web Server" (185). The specification describes the inspector transmitting the signed downloadable "to the web server... for deployment," which suggests a distinct, sequential process of certification before publication, not in-line filtering (’844 Patent, col. 5:3-7; Fig. 1).

• The Term: "mobile protection code" (’822 Patent, Claim 1).

• Context and Importance: The viability of the infringement case for the ’822 Patent depends on whether SonicWall's cloud-based sandbox can be considered "mobile protection code." The defendant may argue that the term requires a protective software agent sent to the client device, which its products do not do.

• Intrinsic Evidence for Interpretation:

  • Evidence for a Broader Interpretation: The Abstract broadly describes "using mobile protection code" to neutralize harmful effects, without strictly limiting its location in the broadest claims (’822 Patent, Abstract).
  • Evidence for a Narrower Interpretation: The detailed description repeatedly discusses causing "mobile protection code (MPC) to be transferred to and rendered operable within a destination device" and forming a "protection agent including the MPC" for that destination (’822 Patent, col. 4:1-5). This language suggests the "mobile protection code" is code that moves to and operates at the end-user's location.

VI. Other Allegations

• Indirect Infringement: The complaint alleges that Defendant induces infringement by providing customers with products and services along with "quick start guides, administration guides, user guides, and operating instructions" that allegedly instruct users to operate the products in an infringing manner (Compl. ¶¶ 76-77, 94-95).
• Willful Infringement: The complaint alleges willful infringement based on extensive pre-suit knowledge. It details communications and meetings with Defendant beginning on or about June 10, 2014, including the provision of claim charts for several of the asserted patents and detailed discussions of how the patents allegedly read on Defendant's products (Compl. ¶¶ 39-44, 70-72). The complaint further alleges that despite this notice, Defendant continued its infringing activity and made no effort to design around the patents (Compl. ¶71).

VII. Analyst’s Conclusion: Key Questions for the Case

• A core issue will be one of architectural scope: can the method of the ’844 Patent, which the specification and figures frame as an "inspector" pre-certifying a "downloadable" before it is placed on a "web server" for deployment, be construed to cover the accused in-line gateway firewall that inspects traffic in real-time as it flows to an end-user?
• A key evidentiary question will be one of definitional and locational scope: does the term "mobile protection code" from the ’822 Patent, which the specification describes as being sent to a destination device to monitor a downloadable at runtime, read on a remote, cloud-based sandbox to which the downloadable is sent away from the destination for analysis?
• A third question will be one of damages and intent: given the detailed allegations of pre-suit notice and multi-year licensing discussions, the analysis of willfulness will be a significant component of the case, potentially leading to enhanced damages if infringement is found.