1:19-cv-01688
ZapFraud Inc v. FireEye Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: ZapFraud Inc (Delaware)
  - Defendant: FireEye Inc (Delaware)
  - Plaintiff’s Counsel: Farnan LLP; Desmarais LLP
- Case Identification: 1:19-cv-01688, D. Del., 09/10/2019
- Venue Allegations: Venue is based on Defendant's incorporation in Delaware and alleged acts of infringement, minimum contacts, and business activities within the district.
- Core Dispute: Plaintiff alleges that Defendant’s Email Security solutions infringe a patent related to detecting phishing and fraudulent email communications.
- Technical Context: The technology involves automated email analysis to identify deceptive content and structure, addressing the significant and costly market threat of Business Email Compromise (BEC) scams.
- Key Procedural History: The complaint alleges that the inventor of the patent-in-suit was a frequent speaker on email fraud prevention at industry conferences, such as RSA Conference and Black Hat USA, and that Defendant FireEye Inc attended these same conferences.
Case Timeline
Date | Event |
---|---|
2013-09-16 | U.S. Patent No. 10,277,628 Priority Date |
2014-01-01 | FireEye Inc and inventor attend RSA Conference 2014 (approx.) |
2015-01-01 | FireEye Inc and inventor attend Black Hat USA 2015 (approx.) |
2016-01-01 | FireEye Inc and inventor attend RSA Conference 2016 (approx.) |
2019-04-30 | U.S. Patent No. 10,277,628 Issues |
2019-09-10 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 10,277,628 - Detecting Phishing Attempts
The Invention Explained
- Problem Addressed: The patent addresses the problem of existing email security technologies (e.g., blacklisting, whitelisting) being readily defeated by customized phishing emails that are crafted to appear legitimate to a human recipient by incorporating content associated with an "authoritative entity" (Compl. ¶¶19-20; ’628 Patent, col. 1:15-32).
- The Patented Solution: The invention solves this problem by performing a two-part analysis. It first determines a "first likelihood" that an end-user would perceive the message as being from a legitimate "authoritative entity," and then assesses a "second likelihood" that the message was actually transmitted with authorization from that entity. The message is then classified based on a combination of these two likelihoods (’628 Patent, Abstract; Compl. ¶21). This dual assessment of user perception versus technical authenticity is the core of the patented method.
- Technical Importance: This approach advanced beyond simple keyword or sender-based filtering by distinguishing between an email's superficial appearance of legitimacy and its actual technical provenance, a critical step in combating sophisticated social engineering attacks (Compl. ¶¶20-21).
Key Claims at a Glance
- The complaint asserts independent claim 1 and reserves the right to assert other claims (Compl. ¶¶22, 25).
- The essential elements of independent claim 1 are:
  - A classification system comprising a client device, a database, and at least one server.
  - The server includes one or more processors configured to:
    - Parse a display name from an electronic communication.
    - Determine that the communication appears to be transmitted on behalf of an "authoritative entity" by computing a "similarity distance" between the parsed display name and the entity's name based on matching display names and/or headers.
    - Determine that the communication was not transmitted with authorization from that entity.
    - Perform a security determination (e.g., classifying the communication as "good" or "bad") based on the two preceding determinations.
    - Perform an action (e.g., erasing, flagging, quarantining) based on a "bad" classification.
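The two determinations in the claim elements above can be illustrated with a short added example. It is not code from the patent, the complaint, or FireEye. It uses normalization followed by edit distance as the similarity measure. The entity table, the `.test` domains, and the 0.2 threshold are constructed assumptions, and authorization is approximated by a sender-domain allow-list.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed sample data: protected names and the domains allowed to send as them.
AUTHORIZED = {
    "Example Bank": {"examplebank.test"},
    "Alice Chen": {"corp.test"},
}

def normalize(name):
    """Fold Unicode compatibility forms, case, and punctuation before comparing."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return re.sub(r"[^a-z0-9]+", " ", folded).strip()

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(from_header, threshold=0.2):
    """Return (verdict, matched_entity); "good" means no impersonation was detected."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    shown = normalize(display)
    if not shown:
        return "good", None
    # Determination 1: does the display name appear to be a protected entity?
    best, best_d = None, 1.0
    for entity in AUTHORIZED:
        target = normalize(entity)
        d = edit_distance(shown, target) / max(len(shown), len(target))
        if d < best_d:
            best, best_d = entity, d
    if best_d > threshold:
        return "good", None
    # Determination 2: was it sent from a domain that entity is authorized to use?
    if domain in AUTHORIZED[best]:
        return "good", best
    return "bad", best
```

A "bad" verdict is the point at which a responsive action such as flagging or quarantining would be taken.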
III. The Accused Instrumentality
Product Identification
- FireEye Inc Email Security solutions (Compl. ¶22).
Functionality and Market Context
- The accused products are described as email security solutions that protect customers from targeted social engineering attacks, such as Business Email Compromise (Compl. ¶23).
- Functionally, they are alleged to analyze various attributes of incoming emails, including headers, reply-to addresses, and display names, to detect and block impersonation attempts (Compl. ¶24). The system is alleged to include a customer portal, a database for storing impersonation analysis information, and a server that performs the analysis (Compl. ¶25).
- No probative visual evidence provided in complaint.
IV. Analysis of Infringement Allegations
'628 Patent Infringement Allegations
Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
---|---|---|---|
a classification system for detecting attempted deception in an electronic communication, comprising: a client device...; at least one of a profile and content database...; and at least one server... | The FireEye Inc Email Security solutions are alleged to be a classification system comprising a customer portal (client device), a database where FireEye Inc stores information for impersonation analysis, and a server. | ¶25(a-c) | col. 6:38-44 |
a set of one or more processors configured to: 1. parse a display name associated with the electronic communication; | The server processors are alleged to parse the display name of an incoming email. | ¶25(c)(ii)(1) | col. 10:31-33 |
2. determine, by at least one classifier component, that the electronic communication appears to have been transmitted on behalf of an authoritative entity by: a. computing a similarity distance between the display name and at least a name of the authoritative entity... | The server's impersonation detection component allegedly determines an email appears to be from an authority (e.g., a customer's employee) by computing a similarity between the email's display name and the authority's name, which is retrieved from the database. | ¶25(c)(ii)(2)(a) | col. 8:50-66 |
...wherein the similarity distance is computed by comparison of items by at least one of: i. basing the comparison on at least one of a match between the display name... and the display name of the authoritative entity, and ii. a match between headers... | The similarity comparison is alleged to be based on matching the incoming email's display name with the authoritative entity's display name, and matching headers. | ¶25(c)(ii)(2)(a) | col. 12:1-14 |
3. determine, by the at least one classifier component, that the electronic communication was not transmitted with authorization from the authoritative entity... | The classifier component allegedly determines the email was not authorized by analyzing the incoming email's header, reply-to address, and/or content. | ¶25(c)(ii)(3) | col. 9:17-32 |
4. based at least in part on [the prior determinations]... perform a security determination including classifying the electronic communication... wherein the classifying includes two or more security classifications including good and bad... | Based on the two prior determinations, the system allegedly performs a security classification, determining an email is a "bad" impersonation attack based on display name matching, domain analysis, and/or reply-to address analysis. | ¶25(c)(ii)(4) | col. 9:47-54 |
5. based at least in part on the security determination resulting in a bad classification, perform an action comprising at least one of erasing the electronic communication, marking up the electronic communication..., flagging the electronic communication..., placing... in the spam folder... | Based on a "bad" classification, the system allegedly performs a responsive action, such as blocking or quarantining the email. | ¶25(c)(ii)(5) | col. 9:55-10:4 |
- Identified Points of Contention:
  - Scope Questions: The complaint alleges that an "authoritative entity" can be an "employee of a FireEye Inc customer" (Compl. ¶25(c)(ii)(2)(a)). The patent's specification provides examples such as banks and utility providers (’628 Patent, col. 8:62-65). This raises the question of whether the term "authoritative entity" can be construed to cover individuals within a customer's organization, or if it is limited to more public-facing, institutional entities.
  - Technical Questions: The claim requires a two-step logical process: determining an email (1) appears to be from an authority, and (2) was not authorized by that authority. A central question for the court will be whether the accused FireEye Inc system performs these two distinct analytical steps as claimed, or if its "impersonation detection" operates on a different, unified logic that does not map to the sequential determinations required by the claim.
V. Key Claim Terms for Construction
The Term: "authoritative entity"
Context and Importance: This term is foundational to the infringement analysis, as it defines the universe of senders whose impersonation is detected by the claimed method. The complaint's application of this term to a customer's employee suggests a broad interpretation is central to its theory. Practitioners may focus on this term because its scope dictates whether the patent covers intra-organizational impersonation or is limited to scams involving major external brands.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification provides a non-limiting list of examples: "such as a bank or other financial services provider, shipping/postal carrier, cellular or other utility provider, etc." (’628 Patent, col. 8:62-65). The use of "such as" and "etc." may support an interpretation that the list is merely illustrative, not exhaustive.
- Evidence for a Narrower Interpretation: The specific embodiments and examples provided in the patent consistently refer to large, external organizations like banks (’628 Patent, FIG. 4, col. 17:40-42). This may support an argument that the term is limited to entities of a similar class and does not extend to any individual employee within a customer's organization.
The Term: "similarity distance"
Context and Importance: This term defines the mechanism for comparing a sender's display name to an authority's name. The claim itself recites a long list of potential methods, and the complaint alleges infringement under several different algorithms (Compl. ¶25(c)(ii)(2)(a)(iii)). The construction of this term will be critical to determining if FireEye Inc's specific impersonation detection algorithms fall within the claim's scope.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The claim language is broad, covering a comparison determined by "at least one of" a list that includes Hamming distance, edit distance, a support vector machine, or "performing at least one normalization followed by a comparison" (’628 Patent, col. 34:1-34). This suggests the term functionally covers a wide range of comparison techniques.
- Evidence for a Narrower Interpretation: A party could argue that the listed techniques, while numerous, are specific technical methods. If an accused system uses a proprietary machine learning model or statistical method that is not a "support vector machine" and does not compute a "Hamming distance" or "edit distance" as those terms were understood at the time of the invention, it may fall outside the literal scope of the claim.
VI. Other Allegations
- Indirect Infringement: The complaint alleges both induced and contributory infringement based on FireEye Inc actively supplying the accused products with the knowledge and intent that its customers would use them in an infringing manner. These allegations are based on knowledge "since at least the filing of this Complaint" and are supported by general claims regarding marketing materials, product manuals, and instructions (Compl. ¶¶29-30).
- Willful Infringement: Willfulness is alleged based on knowledge of the patent and infringement "since at least the filing of this Complaint" (Compl. ¶32). The complaint does not explicitly allege pre-suit knowledge or willfulness, though it does contain factual allegations that Defendant attended industry conferences where the inventor presented on the technology years before the patent issued (Compl. ¶¶14-15).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the term "authoritative entity," which is exemplified in the patent with public-facing institutions like banks, be construed broadly enough to cover an "employee of a... customer" as alleged in the complaint's infringement theory?
- A key evidentiary question will be one of functional operation: does the accused "impersonation detection" system perform the distinct two-part logical analysis required by Claim 1—first determining an email appears legitimate and then separately determining it lacks authorization—or is there a fundamental mismatch in its technical operation compared to the claimed method?