DCT

3:17-cv-00183

Finjan LLC v. ESET LLC

Log In

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 3:17-cv-00183, N.D. Cal., 07/01/2016
  • Venue Allegations: Venue is alleged to be proper as Defendants conduct business in the district, have established minimum contacts, and have allegedly infringed and/or induced infringement within the district.
  • Core Dispute: Plaintiff alleges that Defendant’s endpoint, gateway, and server security products, which utilize heuristic and cloud-based threat detection technologies, infringe six patents related to proactive malware analysis and protection.
  • Technical Context: The technology relates to proactive cybersecurity, where potentially malicious downloadable content is analyzed for suspicious behavior or characteristics before it can harm a user's computer or network.
  • Key Procedural History: The complaint alleges that Plaintiff provided Defendant with notice of its patent portfolio and representative claim charts on or about January 22, 2015, followed by a series of in-person and telephonic meetings between October 2015 and April 2016 to discuss the alleged infringement. These allegations of pre-suit knowledge form the basis for the willfulness claims.

Case Timeline

Date Event
1996-11-08 Priority Date for ’844, ’780, and ’305 Patents
2000-05-17 Priority Date for ’086, ’621, and ’755 Patents
2000-11-28 U.S. Patent No. 6,154,844 Issues
2004-10-12 U.S. Patent No. 6,804,780 Issues
2011-07-05 U.S. Patent No. 7,975,305 Issues
2011-12-13 U.S. Patent No. 8,079,086 Issues
2015-01-22 Plaintiff allegedly informs Defendant of patent portfolio and infringement
2015-10-01 Alleged infringement negotiation meetings begin (approximate date)
2015-11-17 U.S. Patent No. 9,189,621 Issues
2015-12-22 U.S. Patent No. 9,219,755 Issues
2016-04-30 Alleged infringement negotiation meetings end (approximate date)
2016-07-01 Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 6,154,844 - "SYSTEM AND METHOD FOR ATTACHING A DOWNLOADABLE SECURITY PROFILE TO A DOWNLOADABLE"

The Invention Explained

  • Problem Addressed: The patent addresses the threat posed by "Downloadables" (e.g., Java applets, ActiveX controls), which are executable programs downloaded from a source computer and run on a destination computer, a threat that traditional security systems were not configured to recognize (’844 Patent, col. 1:36-49).
  • The Patented Solution: The invention proposes a system where an "inspector" entity analyzes a downloadable for suspicious operations or code patterns before it is made available to users by a web server. The inspector generates a "Downloadable Security Profile" (DSP) based on this analysis and links it to the downloadable, thereby providing a verifiable safety assessment that can be checked by a protection engine at a network gateway or on a client computer (’844 Patent, col. 2:3-12; FIG. 1).
  • Technical Importance: This method represents a proactive, network-level approach to security, shifting analysis away from the end-user's machine to a pre-deployment or gateway inspection stage, aiming to stop threats before distribution (Compl. ¶8, ¶12).

Key Claims at a Glance

  • The complaint asserts claims 1-44 (Compl. ¶41). Independent claim 1 is a method claim.
  • Essential elements of claim 1 include:
    • receiving by an inspector a Downloadable;
    • generating by the inspector a first Downloadable security profile that identifies suspicious code in the received Downloadable; and
    • linking by the inspector the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients.
  • The complaint also asserts dependent claims.

U.S. Patent No. 6,804,780 - "SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES"

The Invention Explained

  • Problem Addressed: Security systems need an efficient and reliable way to identify downloadables without having to repeatedly perform a full, resource-intensive security analysis on every encounter (Compl. ¶15).
  • The Patented Solution: The invention creates a unique "Downloadable ID" by performing a hashing function not just on the downloadable file itself, but also on external software components that the downloadable references and requires for execution. The system involves "fetching" these external components and including them in the hash calculation to generate a more comprehensive and stable identifier (’780 Patent, Abstract; col. 2:11-17).
  • Technical Importance: This method allows a security system to recognize previously analyzed content with greater accuracy, increasing efficiency and saving computing resources by avoiding redundant evaluations of known safe or malicious files (Compl. ¶15).

Key Claims at a Glance

  • The complaint asserts claims 1-18 (Compl. ¶57). Independent claim 1 is a method claim.
  • Essential elements of claim 1 include:
    • obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable;
    • fetching at least one software component identified by the one or more references; and
    • performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID.
  • The complaint also asserts dependent claims.

U.S. Patent No. 7,975,305 - "METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS FOR DESKTOP COMPUTERS"

  • Technology Synopsis: The patent describes a method for scanning web-based content by using updatable "parser and analyzer rules" to describe computer exploits as patterns of tokens. The system allows these rules to be updated to adapt to new threats (Compl. ¶18, ¶76).
  • Asserted Claims: Claims 1-25 (Compl. ¶72).
  • Accused Features: ESET's Gateway and Mail Security products are accused of infringing by selectively diverting incoming content, scanning it using passive heuristics and rule-based analysis to recognize malicious behavior, and updating the rule database when new malicious content is found (Compl. ¶76, p. 21 ¶4-12).

U.S. Patent No. 8,079,086 - "MALICIOUS MOBILE CODE RUNETIME MONITORING SYSTEM AND METHODS"

  • Technology Synopsis: The patent is directed to a system that protects against undesirable operations from web-based content by creating a profile of the content and sending the profile along with the content to another computer for appropriate action (Compl. ¶21, ¶93).
  • Asserted Claims: Claims 1-42 (Compl. ¶89).
  • Accused Features: ESET's Gateway Security products are accused of receiving a downloadable, deriving a security profile using advanced heuristics, and appending that profile data to the downloadable before transmitting it (Compl. ¶93).

U.S. Patent No. 9,189,621 - "MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS"

  • Technology Synopsis: The patent describes a system for determining if a downloadable is suspicious. The system includes a plurality of operating system probes, an interrupter to interrupt a request from the downloadable, a comparator to compare information against a security policy, and a response engine (Compl. ¶24, ¶108).
  • Asserted Claims: Claims 1-16 (Compl. ¶104).
  • Accused Features: ESET's NOD32 product is accused of infringing by using emulation and HIPS technology to monitor operating system subsystems during runtime, comparing information about the downloadable to a security policy, and using a response engine to act on the comparison (Compl. ¶108).

U.S. Patent No. 9,219,755 - "MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS"

  • Technology Synopsis: The patent covers a system for reviewing an operating system call issued by a downloadable. The system includes various components such as a downloadable engine, a request broker, file and network system probes, a runtime environment monitor, and a response engine (Compl. ¶27, ¶123).
  • Asserted Claims: Claims 1-8 (Compl. ¶119).
  • Accused Features: ESET's NOD32 product is accused of infringing by using emulation and HIPS technology to perform runtime monitoring of operating system subsystems, monitoring for extension calls and operating system calls, and comparing them to a security policy to either block or allow them (Compl. ¶123).

III. The Accused Instrumentality

Product Identification

  • The accused instrumentalities are ESET's Home Protection, Small Office, and Business product lines, including services. These products allegedly utilize ESET's ThreatSense, ESET Advanced Heuristic, ESET DNA Signature, Host-based Intrusion Prevention System (HIPS), and/or ESET LiveGrid technologies (Compl. ¶28-31).

Functionality and Market Context

  • The complaint alleges that the core of ESET's products is the ThreatSense engine, which provides "advanced heuristic threat detection" to identify and prevent zero-day threats (Compl. ¶32). This is accomplished through two primary methods: "active heuristics," which execute code in a controlled virtual environment (emulation) to observe its behavior, and "passive heuristics," which use static code analysis and rules to identify malicious patterns (Compl. ¶33). This engine is supplemented by LiveGrid, a cloud-based system that aggregates threat data from millions of users to build a reputation database for files and enables rapid updates (Compl. ¶34). A diagram in the complaint illustrates LiveGrid's operation of collecting malware data from users, submitting unknown threats for analysis, and using cloud logic for protection (Compl. p. 9). The complaint alleges these technologies are foundational to all of ESET's security products (Compl. ¶32).

IV. Analysis of Infringement Allegations

6,154,844 Patent Infringement Allegations

Claim Element (from Independent Claim 1) Alleged Infringing Functionality Complaint Citation Patent Citation
receiving by an inspector a Downloadable ESET Gateway Security products receive incoming downloadables at the gateway. ¶45 col. 12:50-52
generating by the inspector a first Downloadable security profile that identifies suspicious code in the received Downloadable The ESET products use advanced heuristics via the ThreatSense technology to scan the downloadable and generate a security profile if the content is unknown or suspicious. ¶45, p. 14 ¶1 col. 3:59-64
linking by the inspector the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients The complaint alleges that a downloadable security profile is "created and linked if the downloadable is unknown" at the gateway before it is made available to end users (web clients). A diagram shows the ESET Gateway positioned between the internet and the local network clients (Compl. p. 13). p. 14 ¶1, 7; ¶45 col. 12:1-4
  • Identified Points of Contention:
    • Scope Questions: A central issue may be the interpretation of "inspector" and the temporal and locational meaning of "before a web server makes the downloadable available to web clients." The patent specification and figures appear to describe an "inspector" as a discrete entity that analyzes content before it is deployed on a web server for public access (’844 Patent, FIG. 1). The complaint alleges that ESET's real-time, in-transit gateway scanning meets this limitation. This raises the question of whether scanning content as it passes through a gateway to a client is equivalent to the pre-deployment inspection process described in the patent.

6,804,780 Patent Infringement Allegations

Claim Element (from Independent Claim 1) Alleged Infringing Functionality Complaint Citation Patent Citation
obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable ESET NOD32 and other accused products obtain downloadables for analysis. ¶61 col. 2:11-13
fetching at least one software component required to be executed by the Downloadable The complaint alleges that in the process of creating a hash value for its LiveGrid lookup, NOD32 "obtains the software components required to be executed." ¶61 col. 2:13-14
performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID The complaint alleges that NOD32 "perform[s] a hashing function on the downloadable and fetched software components" to generate a hash value used for lookups in the LiveGrid system. ¶61 col. 2:15-17
  • Identified Points of Contention:
    • Technical Questions: The infringement theory hinges on the allegation that ESET's products perform the specific step of "fetching" external software components when generating a hash ID. The complaint does not provide detailed evidence of how ESET's hashing function works. This raises the evidentiary question of what proof exists that ESET's LiveGrid technology does more than perform a standard hash on the primary downloadable file itself and actually fetches and incorporates external, referenced components into its hash calculation as required by the claim.

V. Key Claim Terms for Construction

The Term: "inspector" (’844 Patent, Claim 1)

  • Context and Importance: The definition of "inspector" is critical because the patent's architecture depicts it as a distinct entity that appears to operate before a downloadable is deployed on a web server (’844 Patent, FIG. 1). Defendant may argue that its in-transit gateway scanner is not an "inspector" in the context of the patent. Practitioners may focus on this term because the factual difference between pre-deployment analysis and in-transit analysis could be a central point of non-infringement.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The claims do not narrowly define the location or nature of the "inspector" beyond its function of receiving, generating, and linking. The specification describes the inspector system more broadly as comprising a processor, memory, and a "content inspection engine" (’844 Patent, col. 5:67-col. 6:2), which could support an argument that any system performing these functions is an "inspector".
    • Evidence for a Narrower Interpretation: The patent's Figure 1 explicitly shows the INSPECTOR (125) as a separate block that receives a SIGNED DOWNLOADABLE (150) from a DEVELOPER (120) and forwards a SIGNED INSPECTED DOWNLOADABLE (195) to a WEB SERVER (185). This visual and narrative context suggests a distinct, pre-deployment role rather than a real-time gateway function.

The Term: "fetching at least one software component" (’780 Patent, Claim 1)

  • Context and Importance: This term is the central technical limitation that distinguishes the invention from a simple file hash. The infringement case for the ’780 Patent depends entirely on whether ESET's accused products perform this specific action. Practitioners may focus on this term because if "fetching" is construed to require an active process of identifying and retrieving external code modules based on references within a downloadable, Plaintiff will need to provide specific evidence that ESET's hashing process does this.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The claim language itself provides the primary meaning, referring to components "required to be executed by the downloadable." This could be argued to encompass any method of obtaining necessary components for a complete analysis.
    • Evidence for a Narrower Interpretation: The parent '844 patent, whose specification is related, provides a specific example of this process: "the content inspection engine 160 may prefetch all classes embodied in or identified by the Java™ applet bytecode, and then may perform a predetermined digital hash on the Downloadable code (and the retrieved components)" (’844 Patent, col. 4:45-49). This embodiment supports a narrower reading that requires identifying references within the code and actively retrieving those external components.

VI. Other Allegations

Indirect Infringement

  • The complaint alleges inducement to infringe all six patents-in-suit. The allegations state that Defendant instructs and encourages its customers, developers, and users to use the accused products in an infringing manner through mechanisms such as user guides, administration guides, quick start guides, installation videos, and support websites (Compl. ¶52-55, ¶67-70, ¶83-87, ¶99-102, ¶114-117, ¶129-132).

Willful Infringement

  • The complaint alleges willful infringement of all six patents. The basis for this allegation is pre-suit knowledge stemming from Plaintiff's communication with Defendant starting on or about January 22, 2015. Plaintiff alleges it provided representative claim charts and engaged in a series of technical meetings from October 2015 through April 2016, which explained the alleged infringement on a claim-element-by-element basis (Compl. ¶48-49, ¶64, ¶79-80, ¶96, ¶111, ¶126).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of temporal and architectural scope: Can the '844 patent's inventive concept, which appears centered on a pre-deployment analysis of a downloadable by an "inspector" before it is placed on a web server for distribution, be construed to cover the accused products' function of real-time, in-transit scanning at a network gateway?
  • A key evidentiary question will be one of technical operation: Does the complaint provide sufficient factual basis to support the allegation that ESET's hashing process for its LiveGrid system performs the specific, multi-part function required by Claim 1 of the '780 patent—namely, "fetching" external software components referenced by a downloadable—or does it perform a conventional hash of the downloadable file itself?
  • A central dispute for the runtime monitoring patents ('621 and '755) may be one of functional specificity: Do ESET's general-purpose HIPS and emulation technologies perform the specific monitoring, interrupting, comparing, and responding functions as arranged and claimed in the patents, or is there a fundamental mismatch between the accused system's broad behavioral analysis and the patents' more specific claimed architectures?