DCT

1:06-cv-00369

Finjan Software Ltd v. Secure Computing Corp

Log In

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:06-cv-00369, D. Del., 04/10/2007
  • Venue Allegations: Venue is alleged to be proper in the District of Delaware because the corporate defendants are organized and existing under the laws of the State of Delaware.
  • Core Dispute: Plaintiff alleges that Defendants’ Webwasher Secure Content Management suite infringes three patents related to systems and methods for protecting computers and networks from hostile downloadable executable programs.
  • Technical Context: The technology addresses the security risks posed by executable content downloaded from the internet, such as Java applets and ActiveX controls, which became a significant threat vector in the late 1990s and early 2000s.
  • Key Procedural History: The operative pleading is an Amended Complaint. No other significant procedural events are mentioned in the complaint.

Case Timeline

Date Event
1996-11-08 Priority Date for '194 and '780 Patents
2000-05-17 Priority Date for '822 Patent
2000-07-18 U.S. Patent No. 6,092,194 Issued
2004-10-12 U.S. Patent No. 6,804,780 Issued
2006-06-06 U.S. Patent No. 7,058,822 Issued
2007-04-10 Amended Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 6,092,194 - SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES

  • Issued: July 18, 2000

The Invention Explained

  • Problem Addressed: The patent’s background section states that conventional security systems were not configured to recognize computer viruses attached to or configured as "Downloadable" application programs, such as Java applets or ActiveX controls, which are downloaded from a source and run on a destination computer (ʼ194 Patent, col. 1:40-58).
  • The Patented Solution: The invention is a network security system that intercepts a "Downloadable" and applies a security policy to it. The system generates a unique ID for the downloadable, compares it against various criteria (e.g., lists of known hostile content, access control lists, trusted source URLs, digital certificates), and uses a logical engine to determine whether to block the content or allow it to pass to the end-user's computer (ʼ194 Patent, Abstract; Fig. 3). The system can decompose the downloadable to inspect its underlying code for suspicious operations (ʼ194 Patent, col. 5:40-57).
  • Technical Importance: The technology provided a framework for proactively analyzing the behavior and provenance of executable web content, moving beyond simple signature-matching to address the emerging threat of malicious mobile code.

Key Claims at a Glance

  • The complaint does not identify any specific claims being asserted. The analysis below uses independent claim 1 as a representative example.
  • Independent Claim 1 of the ’194 Patent recites a method with these essential elements:
    • Receiving an incoming Downloadable addressed to a client, by a server that serves as a gateway to the client.
    • Comparing, by the server, Downloadable security profile data against a security policy to determine if the policy has been violated, where the profile data includes a list of suspicious computer operations.
    • Preventing execution of the Downloadable by the client if the security policy has been violated.
  • The complaint does not explicitly reserve the right to assert dependent claims.

U.S. Patent No. 6,804,780 - SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES

  • Issued: October 12, 2004

The Invention Explained

  • Problem Addressed: This patent, a continuation of the ’194 patent, addresses the same general problem of protecting networks from hostile downloadables (ʼ780 Patent, col. 1:30-34).
  • The Patented Solution: The '780 patent focuses on an improved method for generating a unique identifier for a downloadable. The method involves not only the downloadable itself but also "fetching" external software components that are referenced by the downloadable. A hashing function is then performed on the combination of the downloadable and its fetched components to create a more comprehensive and robust ID ('780 Patent, Abstract; col. 4:50-65).
  • Technical Importance: By including referenced components in the identifier, this method makes it more difficult for malware to evade detection by making superficial changes to a main file while still relying on the same set of malicious external libraries or components.

Key Claims at a Glance

  • The complaint does not identify any specific claims being asserted. The analysis below uses independent claim 1 as a representative example.
  • Independent Claim 1 of the ’780 Patent recites a method with these essential elements:
    • Obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable.
    • Fetching at least one software component identified by the one or more references.
    • Performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID.
  • The complaint does not explicitly reserve the right to assert dependent claims.

U.S. Patent No. 7,058,822 - MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS

  • Issued: June 6, 2006
  • Technology Synopsis: The '822 patent describes a system that protects a destination device by packaging "mobile protection code" (MPC) and security policies together with a downloaded program into a "protection agent." This agent is sent to the destination device, where the MPC executes to monitor the downloaded program's behavior at runtime, intercepting potentially malicious operations (such as file or network access) and enforcing the security policies to prevent harm ('822 Patent, Abstract). This shifts the enforcement mechanism from a network gateway to the client machine itself.
  • Asserted Claims: The complaint does not specify which claims are asserted (Compl. ¶23).
  • Accused Features: The complaint alleges that the Webwasher SCM suite infringes the '822 patent (Compl. ¶11, 23).

III. The Accused Instrumentality

Product Identification

  • The accused instrumentality is the "Webwasher Secure Content Management ('SCM') suite" (Compl. ¶11).

Functionality and Market Context

  • The complaint alleges that Defendants are in the business of developing and distributing "network and systems security solutions," "information security solutions," and "Internet and email content security and filtering solutions" (Compl. ¶¶11-13). It does not provide any specific technical details about the architecture or operation of the Webwasher SCM suite, nor does it describe the specific features alleged to infringe the patents-in-suit.
  • No probative visual evidence provided in complaint.

IV. Analysis of Infringement Allegations

The complaint makes general allegations of infringement for each patent but does not contain specific factual allegations mapping features of the accused Webwasher SCM suite to the elements of any asserted claims. The following tables summarize the infringement theory for the representative independent claims of the '194 and '780 patents based on the complaint's conclusory allegations.

'194 Patent Infringement Allegations

Claim Element (from Independent Claim 1) Alleged Infringing Functionality Complaint Citation Patent Citation
receiving an incoming Downloadable addressed to a client, by a server that serves as a gateway to the client The complaint makes a conclusory allegation that the Webwasher SCM suite, as a network security product, performs this function. ¶11, 15 col. 3:1-10
comparing, by the server, Downloadable security profile data pertaining to the Downloadable...against a security policy to determine if the security policy has been violated The complaint makes a conclusory allegation that the Webwasher SCM suite performs security analysis on downloadable content. ¶11, 15 col. 5:5-18
preventing execution of the Downloadable by the client if the security policy has been violated The complaint makes a conclusory allegation that the Webwasher SCM suite blocks content that violates security policies. ¶11, 15 col. 6:50-65

'780 Patent Infringement Allegations

Claim Element (from Independent Claim 1) Alleged Infringing Functionality Complaint Citation Patent Citation
obtaining a Downloadable that includes one or more references to software components... The complaint makes a conclusory allegation that the Webwasher SCM suite obtains and analyzes downloadable content. ¶11, 19 col. 4:50-54
fetching at least one software component identified by the one or more references The complaint makes a conclusory allegation that the Webwasher SCM suite's analysis process includes fetching referenced components. ¶11, 19 col. 4:58-63
performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID The complaint makes a conclusory allegation that the Webwasher SCM suite generates an identifier for downloadables based on their content and components. ¶11, 19 col. 4:55-58

Identified Points of Contention

  • Evidentiary Questions: The complaint's lack of factual detail suggests that a primary area of dispute will be evidentiary. A key question for the court will be whether discovery reveals evidence that the Webwasher SCM suite's actual operation includes the specific steps recited in the asserted claims.
  • Technical Questions: A technical question for the '780 patent infringement analysis will be whether the SCM suite's method for identifying content involves the specific act of "fetching" external components and including them in a hash, or if it uses a different identification technique that does not meet this claim limitation.

V. Key Claim Terms for Construction

The complaint does not provide a basis for identifying specific claim construction disputes. However, based on the technology, the following terms from the representative independent claims may become central to the case.

The Term: "Downloadable security profile data" ('194 Patent, Claim 1)

  • Context and Importance: This term defines the nature of the information used to evaluate a downloadable. The outcome of the infringement analysis may depend on whether this term is construed broadly to cover any security-relevant data or narrowly to cover only a specific type of data. Practitioners may focus on this term because its scope dictates what type of comparison engine infringes.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification describes the "security program" operating in conjunction with a "security database" that includes numerous types of data, such as "security policies 305, known Downloadables 307, known Certificates 309 and Downloadable Security Profile (DSP) data 310" ('194 Patent, col. 4:15-20). This could support a broad definition covering multiple forms of security information.
    • Evidence for a Narrower Interpretation: Claim 1 itself states that the "Downloadable security profile data includes a list a suspicious computer operations that may be attempted by the Downloadable." A defendant may argue this phrase defines and limits the term to a list of potential behaviors, excluding other types of data like URL blacklists or certificate whitelists.

The Term: "fetching" ('780 Patent, Claim 1)

  • Context and Importance: This term is critical to the novelty of the '780 patent's method. Infringement will hinge on whether the accused system's process for identifying a downloadable involves an active retrieval of external components, as the term "fetching" suggests.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification states that the "ID generator 315 preferably prefetches all components embodied in or identified by the code for Downloadable ID generation," giving examples such as prefetching all classes in a Java applet's bytecode or all components in an ActiveX .INF file ('194 Patent, col. 4:49-54). This may support an interpretation that includes resolving and gathering components from within a downloaded package.
    • Evidence for a Narrower Interpretation: A defendant may argue that "fetching" requires an active, network-based retrieval of a distinct resource not included in the initial download. An analysis that is confined to the contents of a single downloaded file, even if it contains multiple components, might be argued not to constitute "fetching."

VI. Other Allegations

Indirect Infringement

  • The complaint includes conclusory allegations of contributory and induced infringement (Compl. ¶¶15, 19, 23). It does not, however, allege specific facts to support the required elements of knowledge and intent, such as referencing user manuals or marketing materials that instruct customers to use the accused product in an infringing manner.

Willful Infringement

  • The complaint alleges that Defendants' infringement "has been and continues to be willful and deliberate" (Compl. ¶¶16, 20, 24). It does not allege any facts to support this claim, such as pre-suit knowledge of the patents or an objectively high likelihood of infringement.

VII. Analyst’s Conclusion: Key Questions for the Case

  1. The Evidentiary Question: Given that the complaint was filed prior to the heightened pleading standards established by Twombly and Iqbal, its allegations are conclusory. The central question for the case is therefore evidentiary: can Finjan produce evidence through discovery that demonstrates the Webwasher SCM suite performs the specific technical steps recited in the patent claims?
  2. The Question of Technical Operation: A key factual dispute will likely concern the specific method of operation. For the '780 patent, this raises the question of whether the accused product's identification mechanism involves "fetching" external components to generate a hash, or if it relies on a simpler signature or hash of the primary file alone. For the '822 patent, it raises the question of whether the product deploys "mobile protection code" to the client device for runtime monitoring.
  3. The Question of Claim Scope: The case may turn on claim construction, particularly the scope of "Downloadable security profile data" in the '194 patent. A core issue will be whether this term is limited to a specific "list of suspicious computer operations" as recited in the claim, or if it can be construed more broadly to cover the range of security checks (e.g., URL filtering, certificate validation) that a modern web security gateway performs.