DCT

1:18-cv-01519

Finjan LLC v. Rapid7 Inc

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:18-cv-01519, D. Del., 10/01/2018
  • Venue Allegations: Venue is alleged to be proper in the District of Delaware because Defendants are organized under the laws of Delaware and have conducted business in the district.
  • Core Dispute: Plaintiff alleges that Defendant’s cybersecurity products, including its Insight Platform, infringe seven patents related to proactive network security and malicious code detection.
  • Technical Context: The dispute is in the cybersecurity sector, focusing on technologies that proactively identify and neutralize malware and other online threats by analyzing the structure and behavior of digital content.
  • Key Procedural History: The complaint alleges a multi-year history of pre-suit notice, beginning with a letter on March 23, 2016, that identified specific patents and accused products. This was followed by an in-person meeting on May 11, 2016, and the provision of presentations and claim charts to Defendant in 2018. This history may be central to Plaintiff's allegations of willful infringement.

Case Timeline

| Date | Event |
|---|---|
| 1997-11-06 | Earliest Priority Date for ’305 and ’408 Patents |
| 2000-05-17 | Earliest Priority Date for ’086 and ’494 Patents |
| 2005-12-12 | Earliest Priority Date for ’289 and ’154 Patents |
| 2006-02-16 | Earliest Priority Date for ’918 Patent |
| 2009-11-03 | U.S. Patent No. 7,613,918 Issued |
| 2010-07-13 | U.S. Patent No. 7,757,289 Issued |
| 2011-07-05 | U.S. Patent No. 7,975,305 Issued |
| 2011-12-13 | U.S. Patent No. 8,079,086 Issued |
| 2012-03-20 | U.S. Patent No. 8,141,154 Issued |
| 2012-07-17 | U.S. Patent No. 8,225,408 Issued |
| 2014-03-18 | U.S. Patent No. 8,677,494 Issued |
| 2016-03-23 | Plaintiff sent written notice of infringement to Defendant |
| 2016-05-11 | Plaintiff and Defendant met in person to discuss infringement |
| 2018-02-08 | Plaintiff gave PowerPoint presentation to Defendant on infringement |
| 2018-02-12 | Plaintiff emailed claim charts to Defendant |
| 2018-10-01 | Complaint Filed |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 7,975,305 - "METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS FOR DESKTOP COMPUTERS"

  • Issued: July 5, 2011

The Invention Explained

  • Problem Addressed: The patent addresses the shortcomings of conventional network security, which often relies on scanning for known virus "signatures" and may be unable to diagnose novel or dynamically generated threats without significant "over-blocking" of legitimate content. (’305 Patent, col. 1:30-58).
  • The Patented Solution: The invention provides an "adaptive rule-based" (ARB) scanner that can be adapted to analyze different types of content (e.g., JavaScript, HTML) without modifying its source code. It does this by using rule files that describe a language's lexical characteristics, how sequences of characters ("tokens") form syntactical constructs ("parsing rules"), and which patterns of tokens correspond to potential exploits ("analyzer rules"). (’305 Patent, Abstract; col. 2:9-27). This allows the system to diagnose exploits based on their programmatic behavior rather than a fixed binary signature.
  • Technical Importance: This rule-based, adaptive approach allows for more flexible and accurate detection of emerging and unknown security threats compared to static signature-based methods. (Compl. ¶11).

Key Claims at a Glance

  • The complaint asserts Claims 1-25. (Compl. ¶73). Independent claims 1 (system) and 13 (method) appear to be representative.
  • Independent Claim 1 includes these essential elements:
    • A network interface for receiving incoming content.
    • A database of parser and analyzer rules corresponding to computer exploits, where rules describe exploits as "patterns of types of tokens."
    • A rule-based content scanner that communicates with the database to scan content and recognize potential exploits.
    • A network traffic probe to selectively divert content to the scanner.
    • A rule update manager to periodically update the rule database.
  • The complaint reserves the right to assert additional claims. (Compl. ¶73).

U.S. Patent No. 8,225,408 - "METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS"

  • Issued: July 17, 2012

The Invention Explained

  • Problem Addressed: Similar to the ’305 Patent, this invention addresses the difficulty of accurately detecting exploits that can be encoded in an "endless variety of ways," making signature-based detection ineffective. (’408 Patent, col. 3:50-57).
  • The Patented Solution: The invention describes a method for scanning content by identifying tokens, identifying patterns of those tokens using parsing rules, and generating a "parse tree" from the identified patterns. This parse tree structure, which represents the programmatic logic of the content, is then analyzed to identify potential exploits based on patterns of nodes within the tree. (’408 Patent, Abstract; col. 8:45-54).
  • Technical Importance: The use of a parse tree provides a structured, language-agnostic way to analyze the logical relationships within code, enabling the detection of malicious behavior independent of its specific implementation. (Compl. ¶14).

Key Claims at a Glance

  • The complaint asserts Claims 1-35. (Compl. ¶95). Independent claims 1 (method) and 19 (system) appear to be representative.
  • Independent Claim 1 includes these essential elements:
    • Identifying tokens within an incoming byte stream.
    • Identifying patterns of tokens.
    • Generating a parse tree from the identified patterns of tokens.
    • Identifying the presence of potential exploits within the parse tree.
    • Wherein the identification steps are based on a set of rules for a specific language.
  • The complaint reserves the right to assert additional claims. (Compl. ¶95).

U.S. Patent No. 7,757,289 - "SYSTEM AND METHOD FOR INSPECTING DYNAMICALLY GENERATED EXECUTABLE CODE"

  • Issued: July 13, 2010
  • Technology Synopsis: The patent is directed to inspecting dynamically generated code by receiving content with an original function call, replacing it with a substitute function call, and determining if it is safe to invoke the original function. (Compl. ¶17).
  • Asserted Claims: Claims 1-46. (Compl. ¶112).
  • Accused Features: The complaint alleges that Defendant’s InsightIDR product uses "Attacker Behavior Analytics" to detect intruder activity and evolving attacker behaviors, which allegedly practices the claimed invention. (Compl. ¶118).

U.S. Patent No. 7,613,918 - "SYSTEM AND METHOD FOR ENFORCING A SECURITY CONTEXT ON A DOWNLOADABLE"

  • Issued: November 3, 2009
  • Technology Synopsis: The patent describes a method for enforcing a security context on a downloadable file by using security contexts associated with user or group accounts to derive a profile for code received from the Internet. (’918 Patent, Abstract; Compl. ¶20).
  • Asserted Claims: Claims 1-36. (Compl. ¶147).
  • Accused Features: The Accused Products are alleged to be computer-based platforms with scanning engines that "control the function and operation of various computers and servers to provide security and analyze content," allegedly infringing the ’918 Patent. (Compl. ¶153).

U.S. Patent No. 8,079,086 - "MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS"

  • Issued: December 13, 2011
  • Technology Synopsis: The patent is directed to protecting internet-connected devices by creating a profile of web-based content and sending the profile and content to another computer for appropriate action. (’086 Patent, Abstract; Compl. ¶23).
  • Asserted Claims: Claims 1-42. (Compl. ¶165).
  • Accused Features: The complaint alleges the Accused Products receive and collect downloadables, use scan engines to detect vulnerabilities and pattern attributes to derive a security profile, and store attributes in a database. (Compl. ¶171-172).

U.S. Patent No. 8,141,154 - "SYSTEM AND METHOD FOR INSPECTING DYNAMICALLY GENERATED EXECUTABLE CODE"

  • Issued: March 20, 2012
  • Technology Synopsis: The patent describes a gateway computer protecting a client from malicious content by using a content processor to process a first function and invoking a second, original function only if a security computer indicates it is safe to do so. (’154 Patent, Abstract; Compl. ¶26).
  • Asserted Claims: Claims 1-12. (Compl. ¶134).
  • Accused Features: The Accused Products are alleged to use a security computer with various scanning technologies to determine if invoking a second function is safe, using transmitters like "The Collector" and "Insight Agent" for inspection. (Compl. ¶140-141).

U.S. Patent No. 8,677,494 - "MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS"

  • Issued: March 18, 2014
  • Technology Synopsis: The patent describes deriving and storing security profiles for a downloadable, where the profile includes a list of suspicious computer operations. (Compl. ¶29).
  • Asserted Claims: Claims 3-5 and 7-18. (Compl. ¶50).
  • Accused Features: The Accused Products allegedly derive security profiles for downloadables, which include a list of suspicious operations, and store these profiles in a database. (Compl. ¶54).

III. The Accused Instrumentality

Product Identification

  • The accused instrumentalities are Defendant’s cybersecurity products and services, identified as InsightIDR, InsightVM (Nexpose), InsightAppSec, AppSpider, Metasploit, and Komand technologies, which are integrated into the "Rapid7 Insight Platform." (Compl. ¶38, ¶41).

Functionality and Market Context

  • The complaint alleges that the Accused Products form an integrated "Insight Platform" for security operations ("SecOps") that provides visibility, analytics, and automation to detect and respond to threats. (Compl. ¶41). A diagram in the complaint depicts this platform as a central "Unified Data Collection" hub that processes data from various sources to power applications like InsightVM and InsightAppSec. (Compl. p. 11, Ex. 9). The platform allegedly uses "Scan Engines" and "Insight Agents" to collect data from network endpoints, scan for threats, and generate vulnerability summaries. (Compl. ¶44, ¶59). A technical diagram shows data flowing from a customer network through collectors to the cloud-based "Insight Platform" for analysis. (Compl. p. 12, Ex. 10). The platform is alleged to use technologies like "Attacker Behavior Analytics" and "Regex Builder" to define scan scopes and detect threats. (Compl. ¶44, ¶61).

IV. Analysis of Infringement Allegations

’305 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a network interface, housed within a computer, for receiving incoming content from the Internet... | The Accused Products provide a platform with Scan Engines that operates on a computer to receive and scan content, including web pages, HTML, PDFs, and JavaScript, to prevent malicious code from accessing a client computer. | ¶79-80 | col. 1:50-55 |
| a database of parser and analyzer rules corresponding to computer exploits... | Rapid7 Cloud Products allegedly perform deep analysis using "purser and analyzer rules" to extract patterns. The complaint points to Defendant's documentation describing "custom fingerprints" containing a "pattern attribute with the regular expression." | ¶84 | col. 2:15-27 |
| wherein the parser and analyzer rules describe computer exploits as patterns of types of tokens... | The complaint alleges that the "custom fingerprints" in the accused products contain a "pattern attribute with the regular expression to match against the data," which is alleged to describe exploits as patterns of tokens. | ¶84 | col. 2:20-25 |
| a rule-based content scanner that communicates with said database of rules, for scanning content... | The Accused Products allegedly include Scan Engines which use methods like analysis of hashed files to scan content within a computer. A provided screenshot shows a "Process Hash Details" interface used for this analysis. (Compl. p. 27, Ex. 26). | ¶81 | col. 2:50-67 |
| a network traffic probe... for selectively diverting content from its intended destination to the... scanner | The Accused Products allegedly integrate with gateways and firewalls to "selectively divert incoming content, such as web pages or email for rule-based content scanning," capturing suspicious traffic for analysis by Rapid7 Cloud Products. | ¶82-83 | col. 2:50-59 |
| a rule update manager that communicates with said database of rules, for updating said database of rules | The complaint does not provide sufficient detail for analysis of this element. | N/A | col. 2:60-64 |
  • Identified Points of Contention:
    • Scope Questions: A central question may be whether Defendant's "custom fingerprints" and "Regex Builder" (Compl. ¶44, ¶84) meet the claim limitations of a "database of parser and analyzer rules." The analysis will likely focus on whether Defendant's pattern-matching technology performs the specific two-step "parsing" and "analyzing" process required by the patent.
    • Technical Questions: The complaint alleges that the Accused Products "utilize and integrate with existing gateways, firewalls and routers" to divert traffic. (Compl. ¶82). A key question will be what evidence demonstrates that Defendant's products perform this "selective diversion" as a "network traffic probe," rather than simply analyzing data that has already been collected from endpoints by other means.

’408 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| identifying tokens within an incoming byte stream... | The Accused Products are alleged to perform deep analysis of code, using "purser and analyzer rules" to extract "patterns that are responsible for its behavior." | ¶102 | col. 8:10-14 |
| identifying patterns of tokens... | The complaint alleges that Defendant’s documentation for "custom fingerprints" describes using a "pattern attribute with the regular expression to match against the data." | ¶102 | col. 8:15-20 |
| generating a parse tree from the identified patterns of tokens... | The complaint does not provide sufficient detail for analysis of this element. | N/A | col. 8:21-25 |
| identifying the presence of potential exploits within the parse tree... | The complaint does not provide sufficient detail for analysis of this element. | N/A | col. 8:26-30 |
  • Identified Points of Contention:
    • Scope Questions: The complaint's infringement theory for the ’408 Patent appears to be coextensive with its theory for the ’305 Patent. However, the ’408 Patent explicitly requires "generating a parse tree" and identifying exploits "within the parse tree." A critical point of contention will be whether Plaintiff can show that Defendant's use of "pattern attribute[s]" and "regular expression[s]" constitutes the generation and analysis of a parse tree as that term is understood in the patent.
    • Technical Questions: The complaint provides no specific factual allegations or evidence related to the generation or use of a "parse tree" by the Accused Products. An evidentiary question will be whether the underlying operation of Defendant's analytics platform involves a tree-based syntactical analysis or a different form of pattern matching.

V. Key Claim Terms for Construction

The Term: "parser... rules" and "analyzer... rules" (’305 Patent, Claim 1)

  • Context and Importance: These terms define the core inventive concept of a two-level, rule-based system. The infringement case for the ’305 and ’408 patents may depend on whether Defendant's "custom fingerprints" (Compl. ¶84) can be shown to embody this specific two-part structure of "parsing" rules (to identify syntactical constructs) and "analyzer" rules (to identify exploits within those constructs).
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification states that rule files "describe... patterns of tokens that form syntactical constructs of program code, referred to as parsing rules, and patterns of tokens that correspond to potential exploits, referred to as analyzer rules." (’305 Patent, col. 2:20-27). This functional description could be argued to cover any system that uses one set of patterns for syntax and another for exploits, regardless of name.
    • Evidence for a Narrower Interpretation: The detailed description and Appendix A provide a highly specific grammar and structure for writing parser and analyzer rules, with distinct sections in the rule file for "parser_rules" and "analyzer_rules". (’305 Patent, col. 13:46-49). This may support an argument that the terms require this specific, disclosed structure.

The Term: "parse tree" (’408 Patent, Claim 1)

  • Context and Importance: This term is a critical limitation of the asserted ’408 Patent claims. Practitioners may focus on this term because the complaint makes no specific allegation that the Accused Products generate or use a "parse tree," instead relying on more general descriptions of pattern matching. (Compl. ¶102).
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent states the parser "uses a parse tree data structure to represent scanned content. A parse tree contains a node for each token identified while parsing, and uses parsing rules to identify groups of tokens as a single pattern." (’408 Patent, col. 10:51-56). This could be interpreted broadly to cover any hierarchical data structure representing the relationship between tokens and syntax rules.
    • Evidence for a Narrower Interpretation: The specification describes a specific dynamic process where the parse tree is "built using a shift-and-reduce algorithm" where "successive tokens... are positioned as siblings" and then "reduced to a single parent node." (’408 Patent, col. 10:56-62). This detailed operational description could support a narrower construction requiring this specific method of tree generation.
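
The technical distinction behind this term, as an added illustration (not code from the patents, the complaint, or any Rapid7 product): a scanner driven by lexer, parser and analyzer rule tables builds a parse tree by shift-and-reduce and matches on tree nodes, next to a flat regular expression applied to the raw text. The rule tables, the toy grammar, the `eval` sink and the sample inputs are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed rule tables for a toy script language (assumptions, not from the patents).
LEXER_RULES = [("IDENT", r"[A-Za-z_][\w.]*"), ("STRING", r"\"[^\"]*\"|'[^']*'"),
               ("PLUS", r"\+"), ("LPAREN", r"\("), ("RPAREN", r"\)"), ("SEMI", r";")]
# Parser rules: when the top of the stack matches the child kinds, reduce to the parent.
PARSER_RULES = [("EXPR", ["STRING"]),
                ("EXPR", ["EXPR", "PLUS", "EXPR"]),
                ("CALL", ["IDENT", "LPAREN", "EXPR", "RPAREN"])]
# Analyzer rule: a CALL to one of these names whose argument is a concatenation.
ANALYZER_SINKS = {"eval"}
# Flat baseline: one regular expression over the raw text, written for one spelling.
FLAT_SIGNATURE = re.compile(r'eval\("[^"]*"\+"')

@dataclass
class Node:
    kind: str
    text: str = ""
    children: list = field(default_factory=list)

def tokenize(src):
    """Identify tokens in the input; characters no rule matches (spaces) are skipped."""
    pattern = "|".join(f"(?P<{name}>{rx})" for name, rx in LEXER_RULES)
    return [Node(m.lastgroup, m.group()) for m in re.finditer(pattern, src)]

def parse(tokens):
    """Shift each token onto a stack, then reduce sibling runs to a single parent node."""
    stack = []
    for tok in tokens:
        stack.append(tok)  # shift
        reduced = True
        while reduced:
            reduced = False
            for parent, kinds in PARSER_RULES:
                if [n.kind for n in stack[-len(kinds):]] == kinds:
                    children = stack[-len(kinds):]
                    del stack[-len(kinds):]
                    stack.append(Node(parent, children=children))  # reduce
                    reduced = True
                    break
    return Node("PROGRAM", children=stack)

def walk(node):
    yield node
    for child in node.children:
        yield from walk(child)

def analyze(tree):
    """Apply the analyzer rule to nodes of the tree rather than to the source text."""
    findings = []
    for n in walk(tree):
        if n.kind == "CALL" and n.children[0].text in ANALYZER_SINKS:
            if any(c.kind == "PLUS" for c in n.children[2].children):
                findings.append(f"{n.children[0].text}: argument built by concatenation")
    return findings

def scan(src):
    return analyze(parse(tokenize(src)))

if __name__ == "__main__":
    for sample in ['eval("a"+"b");', "eval( \"var a\" + '=1' );", 'eval("x");']:  # constructed
        print(sample, bool(FLAT_SIGNATURE.search(sample)), scan(sample))
```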

VI. Other Allegations

Indirect Infringement

  • The complaint alleges inducement of infringement for multiple patents, asserting that Defendant knew or was willfully blind to the fact that it was instructing customers and developers to infringe. (Compl. ¶68, ¶89, ¶107, ¶129). This is allegedly done through the distribution of guidelines, API guides, and other documentation that encourages use of the Accused Products in an infringing manner. (Compl. ¶71, ¶92).

Willful Infringement

  • Willfulness is alleged based on Defendant’s purported knowledge of the Asserted Patents for "over two years" prior to the complaint. (Compl. ¶65, ¶86). The complaint alleges this knowledge stems from a March 23, 2016 notice letter, a May 11, 2016 meeting, and a February 8, 2018 PowerPoint presentation that included an "exemplary infringement claim chart" for the ’305 Patent. (Compl. ¶30-34). A table from this presentation is included as visual evidence of this notice. (Compl. p. 9).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of definitional scope: can the patent terms "parser rule," "analyzer rule," and "parse tree," which describe a specific, structured method of syntactical code analysis, be construed to cover the functionality of Defendant's "Attacker Behavior Analytics" and "custom fingerprints," which are described in more general pattern-matching terms?
  • A key evidentiary question will be one of technical proof: does the complaint, which relies heavily on marketing materials and high-level product descriptions, provide a sufficient factual basis to demonstrate that the Accused Products actually perform the specific, multi-step technical methods required by the claims, particularly the generation and use of a "parse tree" as claimed in the ’408 Patent?
  • A central legal question will be willfulness: given the detailed allegations of pre-suit notice, including meetings and the provision of claim charts, the court will need to evaluate whether Defendant's alleged continued infringement after being notified constitutes the "egregious," "wanton," and "deliberate" conduct required for enhanced damages.