Symantec Corp v. Zscaler Inc

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: Symantec Corporation (Delaware)
  • Defendant: Zscaler, Inc. (Delaware)
  • Plaintiff’s Counsel: Morris, Nichols, Arsht & Tunnell LLP; Baker Botts LLP
• Case Identification: 1:17-cv-00432, D. Del., 04/18/2017
• Venue Allegations: Venue is asserted in the District of Delaware based on Zscaler's incorporation in the state, which deems it a resident of the district.
• Core Dispute: Plaintiff alleges that Defendant’s cloud-based network security platform infringes seven patents related to various aspects of network security, including bandwidth management, malware detection, content rating, and data flow processing.
• Technical Context: The lawsuit concerns the field of enterprise network security, a critical market focused on protecting corporate networks from internet-based threats and managing data traffic.
• Key Procedural History: The complaint does not allege any significant pre-suit history such as prior litigation between the parties, Inter Partes Review proceedings, or licensing negotiations regarding the patents-in-suit.

Case Timeline

Date	Event
1996-12-09	U.S. Patent No. 6,285,658 Priority Date
2000-09-25	U.S. Patent No. 8,402,540 Priority Date
2000-09-25	U.S. Patent No. 9,525,696 Priority Date
2001-09-04	U.S. Patent No. 6,285,658 Issued
2003-09-15	U.S. Patent No. 7,587,488 Priority Date
2004-01-13	U.S. Patent No. 7,360,249 Priority Date
2005-04-22	U.S. Patent No. 8,316,446 Priority Date
2006-01-31	U.S. Patent No. 8,316,429 Priority Date
2008	Zscaler Founded / Accused Platform Launch
2008-04-15	U.S. Patent No. 7,360,249 Issued
2009-09-08	U.S. Patent No. 7,587,488 Issued
2012-11-20	U.S. Patent No. 8,316,429 Issued
2012-11-20	U.S. Patent No. 8,316,446 Issued
2013-03-19	U.S. Patent No. 8,402,540 Issued
2016-12-20	U.S. Patent No. 9,525,696 Issued
2017-04-18	Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 6,285,658 - "System for Managing Flow Bandwidth Utilization at Network, Transport and Application Layers in Store and Forward Network"

• Patent Identification: U.S. Patent No. 6,285,658, "System for Managing Flow Bandwidth Utilization at Network, Transport and Application Layers in Store and Forward Network," issued September 4, 2001. (Compl. ¶7).

The Invention Explained

• Problem Addressed: Traditional TCP/IP networks lack explicit rate control, leading to inefficiencies and potential instability when high-speed and low-speed packet flows compete for the same network resources. (’658 Patent, col. 2:52-59).
• The Patented Solution: The invention provides a method for classifying network traffic flows based on "selectable information" from multiple layers of the communication protocol (e.g., network, transport, and application layers). Based on this classification, a policy is used to assign a service level to the flow, which is then enforced through direct rate control, allowing for more granular management of bandwidth. (’658 Patent, Abstract; col. 3:36-54).
• Technical Importance: This approach enabled network managers to implement sophisticated, policy-based bandwidth allocation, moving beyond simple packet queuing or discarding to actively manage and prioritize different types of network traffic. (’658 Patent, col. 2:52-61).

Key Claims at a Glance

• The complaint asserts independent claim 7. (Compl. ¶24).
• The essential elements of Claim 7 are:
  • A method for managing bandwidth on Internet Protocol (IP) flows in a packet communication environment allocated into layers, including at least a transport layer, a link layer and an application layer.
  • automatically detecting selectable information about each one of said flows.
  • determining a policy for assigning a service level to said flows based upon said selectable information automatically detected about one of said flows.
  • implementing said policy by explicit data rate control of said one of said flows.

U.S. Patent No. 7,360,249 - "Refining Behavioral Detections for Early Blocking of Malicious Code"

• Patent Identification: U.S. Patent No. 7,360,249, "Refining Behavioral Detections for Early Blocking of Malicious Code," issued April 15, 2008. (Compl. ¶8).

The Invention Explained

• Problem Addressed: Behavior-blocking security software typically detects malicious code only while it is executing, giving the code an opportunity to cause damage before it is stopped. Conversely, traditional antivirus software relies on pre-existing signatures and can miss novel threats. (’249 Patent, col. 1:36-40; col. 2:3-6).
• The Patented Solution: The invention describes a "blocking-scanning manager" that first detects and blocks attempted malicious behavior. In response, it generates a signature (such as a hash) of the malicious code. This newly created signature is then stored and used to identify and block any future attempts to execute the same or similar code, effectively learning from new threats to prevent their recurrence. (’249 Patent, Abstract; Fig. 1).
• Technical Importance: This method creates a self-refining security system that combines the real-time, heuristic-based detection of behavioral analysis with the proactive prevention of signature-based scanning. (’249 Patent, col. 2:48-52).

Key Claims at a Glance

• The complaint asserts independent claim 12. (Compl. ¶32).
• The essential elements of Claim 12 are:
  • A computer implemented method for preventing malicious code from propagating in a computer.
  • a blocking-scanning manager detecting attempted malicious behavior of running code.
  • responsive to the detection, the blocking-scanning manager blocking the attempted malicious behavior.
  • the blocking-scanning manager generating a signature to identify the code, which comprises applying a hash function to generate a hash of the code and storing the hash.
  • the blocking-scanning manager using at least one stored hash to identify code that attempted malicious behavior, detecting the identified code, and blocking its execution.

U.S. Patent No. 7,587,488 - "Dynamic Background Rater for Internet Content"

• Patent Identification: U.S. Patent No. 7,587,488, "Dynamic Background Rater for Internet Content," issued September 8, 2009. (Compl. ¶9).
• Technology Synopsis: The patent is directed to dynamically generating ratings for Internet content. The method involves dispatching an unrated content identifier (e.g., a URL) to multiple computerized content raters, which use different criteria to generate ratings that are then dynamically combined into a final content category rating. (’488 Patent, Abstract; col. 1:14-18).
• Asserted Claims: The complaint asserts independent claim 1. (Compl. ¶40).
• Accused Features: The complaint alleges that Zscaler’s "Page Risk Index" feature infringes the ’488 Patent by rating URLs using "Content Analysis and Domain Analysis control categories" and combining these to calculate a risk index for each web request. (Compl. ¶41).

U.S. Patent No. 8,316,429 - "Methods and Systems for Obtaining URL Filtering Information"

• Patent Identification: U.S. Patent No. 8,316,429, "Methods and Systems for Obtaining URL Filtering Information," issued November 20, 2012. (Compl. ¶10).
• Technology Synopsis: The patent describes a method for policing Secure Socket Layer (SSL) encrypted traffic at a proxy. The proxy extracts information from a server's digital certificate, categorizes the host (e.g., URL) based on that information, and then determines whether to pass the encrypted traffic through without decryption or to decrypt it for further inspection based on the category. (’429 Patent, Abstract; col. 2:4-6).
• Asserted Claims: The complaint asserts independent claim 1. (Compl. ¶48).
• Accused Features: The complaint alleges Zscaler’s platform performs SSL inspection by categorizing URLs and, based on those categories, determining whether to pass the SSL communication without decryption or to decrypt it for inspection for threats like data leakage and viruses. (Compl. ¶49, ¶16).

U.S. Patent No. 8,316,446 - "Methods and Apparatus for Blocking Unwanted Software Downloads"

• Patent Identification: U.S. Patent No. 8,316,446, "Methods and Apparatus for Blocking Unwanted Software Downloads," issued November 20, 2012. (Compl. ¶11).
• Technology Synopsis: The patent discloses a method for preventing unwanted software downloads by intercepting a download attempt at a URL filter. The filter categorizes the URL, analyzes the file to determine its type (using signatures and file extensions), and then consults a policy to decide whether to block or allow the download based on both the URL category and the file type. (’446 Patent, Abstract).
• Asserted Claims: The complaint asserts independent claim 1. (Compl. ¶56).
• Accused Features: The complaint alleges Zscaler’s platform uses its ZEN component to inspect file downloads, categorize the source URL using a database, and analyze the file type to determine whether to block or allow the download based on a "File Type Policy". (Compl. ¶57, ¶19).

U.S. Patent No. 8,402,540 - "Systems and Methods for Processing Data Flows"

• Patent Identification: U.S. Patent No. 8,402,540, "Systems and Methods for Processing Data Flows," issued March 19, 2013. (Compl. ¶12).
• Technology Synopsis: The patent is directed to a "virtualized network security system" (VNSS) comprising multiple flow processing facilities. The system processes data flows containing subscriber profile data and applies different security policies based on that data to detect abnormalities. (’540 Patent, Abstract).
• Asserted Claims: The complaint asserts independent claim 13. (Compl. ¶64).
• Accused Features: The complaint alleges Zscaler’s platform creates a global network that acts as a "single virtual proxy" (a VNSS), which uses multiple security analysis engines to scan traffic and enforce group and user policies based on subscriber information. (Compl. ¶65).

U.S. Patent No. 9,525,696 - "Systems and Methods for Processing Data Flows"

• Patent Identification: U.S. Patent No. 9,525,696, "Systems and Methods for Processing Data Flows," issued December 20, 2016. (Compl. ¶13).
• Technology Synopsis: The patent describes a flow processing facility for implementing a security policy. The facility includes multiple application processing hardware modules, a subscriber profile to identify data packets, and a network processing module that directs identified packets to the appropriate processing modules based on the security policy. (’696 Patent, Abstract).
• Asserted Claims: The complaint asserts independent claim 1. (Compl. ¶72).
• Accused Features: The complaint alleges Zscaler’s platform, with its ZEN and Central Authority (CA) components, functions as an infringing flow processing facility. It allegedly uses multiple security analysis engines (application processing modules) to scan traffic and apply user-based policies (subscriber profiles) to the data. (Compl. ¶73).

III. The Accused Instrumentality

Product Identification

The complaint identifies the accused instrumentality as "Zscaler's cloud security platform," which includes its "Zscaler Enforcement Node or 'ZEN' component" (collectively, "the Zscaler Platform"). (Compl. ¶20).

Functionality and Market Context

The complaint alleges the Zscaler Platform is a cloud-based security service that acts as a secure internet gateway for enterprises. (Compl. ¶19-20). Its allegedly infringing functionalities include:

• Bandwidth Control: Allocating or throttling bandwidth for IP flows based on application class or URL. (Compl. ¶25).
• Threat Detection: Using a "Behavior Analysis functionality" that executes suspicious files in a sandbox to detect malware and maintains a real-time blacklist of malicious file hashes. (Compl. ¶33).
• Content Rating: Employing a "Page Risk Index" feature that uses "Content Analysis and Domain Analysis" to calculate a risk score for web requests. (Compl. ¶41).
• Encrypted Traffic Inspection: Implementing SSL inspection policies that selectively decrypt and examine encrypted communications based on URL categories. (Compl. ¶49, ¶16).
• Policy Enforcement: Operating as a "virtualized network security system" that uses multiple security engines to enforce granular, user-level security policies. (Compl. ¶65, ¶73).

No probative visual evidence provided in complaint.

IV. Analysis of Infringement Allegations

’658 Patent Infringement Allegations

Claim Element (from Independent Claim 7)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
A method for managing bandwidth on Internet Protocol (IP) flows in a packet communication environment allocated into layers, including at least a transport layer, a link layer and an application layer...	The Zscaler platform performs a method of managing bandwidth for IP flows over the internet, which is a packet communication environment with transport, link, and application layers.	¶25	col. 1:15-21
automatically detecting selectable information about each one of said flows	The platform automatically detects information about flows by, for example, determining that a flow is associated with a specific application class or URL.	¶25	col. 3:45-51
determining a policy for assigning a service level to said flows based upon said selectable information automatically detected about one of said flows	The platform uses policies for specific URLs or traffic classes to assign a service level, such as guaranteeing or throttling bandwidth.	¶25	col. 3:38-41
implementing said policy by explicit data rate control of said one of said flows	The platform implements the policy by throttling bandwidth or guaranteeing a minimum bandwidth for the flow.	¶25	col. 3:41-43

• Identified Points of Contention:
  • Scope Questions: A central issue may be the construction of the term "explicit data rate control." The defense may argue that Zscaler's high-level bandwidth allocation or throttling policies do not constitute the "direct rate control" or "TCP Rate Control" described in the patent's specification, raising the question of whether the accused functionality falls within the claim's scope. (’658 Patent, Abstract; col. 14:4-8).

’249 Patent Infringement Allegations

Claim Element (from Independent Claim 12)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
a blocking-scanning manager detecting attempted malicious behavior of running code	Zscaler's "Behavior Analysis functionality" detects malicious behavior by executing suspicious files in a sandbox and analyzing them.	¶33	col. 4:11-13
responsive to the detection, the blocking-scanning manager blocking the attempted malicious behavior	In response to detection, the Behavior Analysis functionality automatically blocks or quarantines the malware files.	¶33	col. 4:45-54
the blocking-scanning manager generating a signature to identify the code...comprises: the blocking-scanning manager applying a hash function to generate a hash of the code...[and] storing the hash	The Zscaler platform propagates a hash of malicious files to its ZEN components to maintain a blacklist.	¶33	col. 8:4-12
the blocking-scanning manager using at least one stored hash to identify code...detecting code identified by the signature; and...blocking the execution of the identified code	The Zscaler ZEN components use the real-time blacklist of stored hashes to prevent users from downloading identified malicious files.	¶33	col. 8:13-22

• Identified Points of Contention:
  • Scope Questions: A likely point of dispute will be whether Zscaler’s distributed cloud architecture—comprising sandboxes that analyze files and ZENs that maintain a blacklist—constitutes a single "blocking-scanning manager" as recited in the claim. The patent's description of the manager as a "collection of functionalities" may support a broader reading, while its figures depicting a more unitary system could support a narrower one. (’249 Patent, Fig. 1; col. 4:1-4).

V. Key Claim Terms for Construction

For the ’658 Patent

• The Term: "explicit data rate control"
• Context and Importance: The viability of the infringement claim for the ’658 Patent hinges on this term. Zscaler's alleged "throttling bandwidth or guaranteeing a minimum bandwidth" (Compl. ¶25) must be found to be a form of "explicit data rate control." Practitioners may focus on this term because its definition will determine whether modern cloud-based traffic shaping techniques are captured by a patent from the era of on-premise hardware.
• Intrinsic Evidence for Interpretation:
  • Evidence for a Broader Interpretation: The patent abstract states the method enforces policy by "direct rate control," and the summary describes it as assigning service levels in terms of "explicit rates." (’658 Patent, Abstract; col. 4:15-17). This language could support a broad definition covering any direct manipulation of a flow's data rate.
  • Evidence for a Narrower Interpretation: The specification repeatedly discusses a specific technique called "TCP Rate Control" which involves "automatically scheduling TCP packets for transmission." (’658 Patent, col. 3:13-17; col. 14:4-8). A defendant could argue this context limits the claim term to direct manipulation of TCP packet timing, not just high-level bandwidth policies.

For the ’249 Patent

• The Term: "blocking-scanning manager"
• Context and Importance: This term appears to be defined by the patentee and is central to the infringement analysis. The dispute will likely focus on whether Zscaler's distributed, multi-component cloud platform can be considered a single "manager." Practitioners may focus on this term as it raises a structural question: does the claim require a unitary apparatus, or can it read on a collection of coordinated but physically separate cloud services?
• Intrinsic Evidence for Interpretation:
  • Evidence for a Broader Interpretation: The specification states that a "blocking-scanning manager refers to a collection of functionalities that can be implemented as software, hardware, firmware or any combination of the three." (’249 Patent, col. 4:1-4). This language may support construing the term to cover a logically cohesive but physically distributed system like the Zscaler Platform.
  • Evidence for a Narrower Interpretation: The patent’s Figure 1 depicts the "Blocking-Scanning Manager 101" as a single entity containing distinct internal modules (e.g., Running Code Detection Module 104, Signature Module 108). (’249 Patent, Fig. 1). A defendant may argue this depiction limits the term to a more integrated, monolithic system rather than a collection of separate cloud components like sandboxes and enforcement nodes.

VI. Other Allegations

• Indirect Infringement: For each asserted patent, the complaint alleges induced infringement under 35 U.S.C. § 271(b). The allegations state that Zscaler induces its customers by configuring the ZEN component to operate in an infringing manner and by providing "marketing literature [that] touts functionality" falling within the scope of the claims. (Compl. ¶27, ¶35, ¶43, ¶51, ¶59, ¶67, ¶75).
• Willful Infringement: The complaint does not explicitly plead pre-suit willful infringement. It alleges knowledge for inducement "at least as of service of this complaint" for each patent count, which supports a claim for post-suit infringement. (Compl. ¶27, ¶35, ¶43, ¶51, ¶59, ¶67, ¶75). The prayer for relief requests a declaration that the case is "exceptional" under 35 U.S.C. § 285, which is often tied to findings of willful infringement or litigation misconduct. (Compl. p. 27).

VII. Analyst’s Conclusion: Key Questions for the Case

• A core issue will be one of definitional scope: can claim terms rooted in the context of earlier, on-premise network hardware and software (such as the ’658 Patent’s “explicit data rate control” and the ’249 Patent’s unitary “blocking-scanning manager”) be construed to cover the functionality of a modern, distributed, cloud-native security platform?
• A second central question will be one of technological evolution: do the methods described in patents filed in the early- to mid-2000s, which often presume a more monolithic software architecture, map onto the operational steps of a disaggregated cloud service that separates analysis (e.g., sandboxing) from enforcement (e.g., blacklisting at an edge node)? The case will likely require a deep factual analysis of how the accused Zscaler Platform's components interact to determine if they collectively perform the claimed steps in the recited manner.