DCT

1:19-cv-01688

ZapFraud Inc v. FireEye Inc

Key Events
Amended Complaint

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:19-cv-01688, D. Del., 04/24/2020
  • Venue Allegations: Venue is alleged to be proper in the District of Delaware because Defendant FireEye, Inc. is a Delaware corporation.
  • Core Dispute: Plaintiff alleges that Defendant’s email security solutions infringe two patents related to methods for detecting phishing and Business Email Compromise by analyzing the apparent and actual source of an electronic communication.
  • Technical Context: The technology addresses sophisticated email-based threats that evade traditional filters by mimicking legitimate communications from authoritative entities like banks or corporate executives.
  • Key Procedural History: This filing is a Second Amended Complaint. The complaint alleges that Defendant attended multiple industry conferences between 2014 and 2016 where the patents' inventor, Dr. Bjorn Markus Jakobsson, presented on email fraud detection technology.

Case Timeline

| Date | Event |
| --- | --- |
| 2013-09-16 | Priority Date for ’628 and ’073 Patents |
| 2014-01-01 | Dr. Jakobsson founds ZapFraud (approximate, year only) |
| 2014-01-01 | FireEye attends RSA Conference where Dr. Jakobsson speaks |
| 2015-01-01 | FireEye attends Black Hat USA where Dr. Jakobsson speaks |
| 2016-01-01 | FireEye attends RSA Conference where Dr. Jakobsson speaks |
| 2019-04-30 | U.S. Patent No. 10,277,628 Issues |
| 2020-03-31 | U.S. Patent No. 10,609,073 Issues |
| 2020-04-24 | Second Amended Complaint Filed |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,277,628 - "Detecting Phishing Attempts"

The Invention Explained

  • Problem Addressed: The patent asserts that conventional email security measures like whitelisting and blacklisting are easily defeated by customized phishing attempts that use "human-readable content indications of association...with an authoritative entity" to appear legitimate to a recipient (Compl. ¶19; ’628 Patent, col. 2:60-67).
  • The Patented Solution: The invention proposes a two-part analysis to solve this problem. It first determines the likelihood that a recipient would perceive a message as coming from a legitimate "authoritative entity," and then separately assesses the likelihood that the message was actually sent with authorization from that entity. The email is then classified based on a combination of these two assessments (’628 Patent, Abstract; col. 3:13-25).
  • Technical Importance: This approach aims to counter social engineering tactics central to Business Email Compromise (BEC) scams, which the complaint notes had caused over $12.5 billion in reported losses as of 2018 (Compl. ¶1).

Key Claims at a Glance

  • The complaint asserts infringement of at least independent claim 1 (Compl. ¶24).
  • Essential elements of claim 1 include:
    • A system comprising a client device, a database, and at least one server.
    • The server is configured to receive an electronic communication.
    • The server's processors are configured to first "parse a display name" associated with the communication.
    • Then, "determine...that the electronic communication appears to have been transmitted on behalf of an authoritative entity" by computing a "similarity distance" between the parsed display name and a known name of an authoritative entity from the database.
    • Next, "determine...that the electronic communication was not transmitted with authorization from the authoritative entity".
    • Based on these two determinations, "perform a security determination including classifying" the communication.
    • Finally, based on a "bad" classification, "perform an action" such as erasing, flagging, or quarantining the communication.
  • The complaint does not explicitly reserve the right to assert dependent claims.
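An added illustration (not taken from the complaint, the patents, or any FireEye product) of the kind of two-part check these claim elements describe, using a normalized edit distance, one of the metrics the specification names. The entity directory, the domains, the 0.25 threshold and the use of a sender-domain allow-list as the authorization test are all assumptions made for the example.

```python
from email.utils import parseaddr

# Constructed directory: authoritative entity name -> domains allowed to send for it.
KNOWN_ENTITIES = {
    "Alice Example": {"corp.example"},
    "Example Bank": {"bank.example"},
}

def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity_distance(a, b):
    """Edit distance on case-folded, whitespace-collapsed text, scaled to 0..1."""
    a, b = (" ".join(s.casefold().split()) for s in (a, b))
    return edit_distance(a, b) / max(len(a), len(b), 1)

def domain_of(address):
    return address.rpartition("@")[2].lower()

def classify(from_header, reply_to=None, threshold=0.25):
    """Return (verdict, matched_entity) for one message's sender headers."""
    display, addr = parseaddr(from_header)  # parse the display name
    # Determination 1: does the display name look like a known entity?
    entity, dist = min(
        ((name, similarity_distance(display, name)) for name in KNOWN_ENTITIES),
        key=lambda pair: pair[1],
    )
    if dist > threshold:
        return ("good", None)  # does not appear to speak for any listed entity
    # Determination 2 (assumed test): every sender/reply domain is on the allow-list.
    domains = [domain_of(addr)]
    if reply_to:
        domains.append(domain_of(parseaddr(reply_to)[1]))
    authorized = all(d in KNOWN_ENTITIES[entity] for d in domains)
    # "bad" is the classification on which a quarantine or flag action would follow.
    return ("good" if authorized else "bad", entity)

if __name__ == "__main__":
    # Constructed sample: look-alike display name sent from an unlisted domain.
    print(classify("Alice Examp1e <alice@freemail.example>"))
```
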

U.S. Patent No. 10,609,073 - "Detecting Phishing Attempts"

The Invention Explained

  • Problem Addressed: The ’073 Patent shares a specification with the ’628 Patent and addresses the same technical problem: the inability of existing technologies to detect phishing emails that incorporate human-readable content to appear trustworthy (Compl. ¶39; ’073 Patent, col. 2:60-67).
  • The Patented Solution: The solution is substantively the same as that of the ’628 Patent, involving a combined assessment of the end-user's likely interpretation of a message and a technical verification of the sender's authenticity (’073 Patent, Abstract; Compl. ¶40).
  • Technical Importance: The technology is positioned as a defense against the growing threat of BEC and other email-based deception attacks (Compl. ¶1).

Key Claims at a Glance

  • The complaint asserts infringement of at least independent claim 1 (Compl. ¶42).
  • Essential elements of claim 1 include:
    • A system comprising a client device, a database, and at least one server.
    • The server's processors are configured to "determine...that the electronic communication appears to have been transmitted on behalf of an authoritative entity" by computing a "similarity distance" between a "first item" from the communication (e.g., display name, email address, text, header) and a "second item" associated with the entity.
    • Next, "determine...that the electronic communication was not transmitted with an authorization from the authoritative entity".
    • Based on these two determinations, "perform a security action" such as erasing, flagging, or quarantining the communication.
  • The complaint does not explicitly reserve the right to assert dependent claims.

III. The Accused Instrumentality

Product Identification

  • The complaint identifies the accused instrumentalities as "FireEye Email Security solutions" (Compl. ¶21).

Functionality and Market Context

  • The accused products are described as email security solutions that protect customers from targeted social engineering attacks, including Business Email Compromise (Compl. ¶22).
  • The relevant functionality involves analyzing attributes of incoming emails, such as "email headers, reply-to addresses, and display names to detect and block impersonation emails" (Compl. ¶23).
  • No probative visual evidence provided in complaint.

IV. Analysis of Infringement Allegations

’628 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| a classification system...comprising: a client device...; at least one of a profile and content database...; and at least one server... | The FireEye system allegedly includes a "FireEye Email Security customer portal" (client device), a database for "impersonation analysis" (database), and a "FireEye Email Security server" (server). | ¶24a-c | col. 5:46-6:3 |
| ...processors configured to: parse a display name associated with the electronic communication; | The server allegedly parses the display name of an incoming email. | ¶24c.ii.1 | col. 12:1-4 |
| determine...that the electronic communication appears to have been transmitted on behalf of an authoritative entity by: a. computing a similarity distance between the display name and at least a name of the authoritative entity...basing the comparison on at least one of a match between the display name...and the display name of the authoritative entity, and ii. a match between headers...and headers associated with the authoritative entity... | The system allegedly computes a similarity between the sender's display name and the name of an authoritative entity (e.g., a customer's employee) and also compares email headers to determine if the email appears to be from that entity. The complaint alleges this is done via string similarity algorithms, hash comparisons, or other methods. | ¶24c.ii.2 | col. 12:1-15 |
| determine...that the electronic communication was not transmitted with authorization from the authoritative entity... | The system allegedly analyzes the "incoming email's header email address, reply-to email address, and/or content" to determine the communication is unauthorized. | ¶24c.ii.3 | col. 9:19-24 |
| based at least in part on [the two prior determinations], perform a security determination including classifying the electronic communication... | Based on the impersonation and lack of authorization, the system allegedly performs a security determination, classifying the email as good or bad based on "display name matching, looks-like and sounds-like domain analysis, and/or reply-to address and message header analysis." | ¶24c.ii.4 | col. 9:41-45 |
| based at least in part on the security determination resulting in a bad classification, perform an action... | If the email is classified as bad, the system allegedly performs an action such as "blocking the email or quarantining the email." | ¶24c.ii.5 | col. 9:46-54 |

’073 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| a classification system...comprising: a client device...; at least one of a profile and content database...; and at least one server... | The FireEye system allegedly includes a "FireEye Email Security customer portal" (client device), a database for "impersonation analysis" (database), and a "FireEye Email Security server" (server). | ¶42a-c | col. 5:46-6:3 |
| ...processors configured to: determine...that the electronic communication appears to have been transmitted on behalf of an authoritative entity by: a. computing a similarity distance between a first item from the electronic communication and a second item associated with the authoritative entity... | The system allegedly computes a similarity distance between items from the incoming email (display name, sender address, text, header) and corresponding items from a known authoritative entity (e.g., a customer's employee). The complaint alleges this is done via string similarity algorithms, hash comparisons, or other methods. | ¶42c.ii.1 | col. 8:59-9:4 |
| determine...that the electronic communication was not transmitted with an authorization from the authoritative entity... | The system allegedly analyzes the "incoming email's header email address, reply-to email address, and/or content" to determine the communication is unauthorized. | ¶42c.ii.2 | col. 9:19-24 |
| based at least in part on [the two prior determinations], perform a security action... | Based on the impersonation and lack of authorization, the system allegedly performs a security action such as "blocking the email or quarantining the email." | ¶42c.ii.3 | col. 9:46-54 |

Identified Points of Contention

  • Scope Questions: A central question may be whether the accused products perform the specific, sequential logic required by the claims (i.e., first determine the email appears authentic, then determine it is unauthorized). The defense could argue that its products use a different, holistic risk-scoring methodology that does not map onto this two-step process.
  • Technical Questions: The complaint alleges that the claimed "similarity distance" is computed using one of a wide variety of techniques, including Hamming distance, edit distance, SVMs, and hash comparisons (Compl. ¶24c.ii.2.a.iii; Compl. ¶42c.ii.1.v). The actual algorithm(s) used by the accused products will be subject to discovery, raising the question of whether FireEye's specific technical implementation for "impersonation analysis" falls within the patent's definition of computing a "similarity distance".

V. Key Claim Terms for Construction

The Term: "authoritative entity"

  • Context and Importance: This term defines the universe of senders whose impersonation the patents aim to detect. Its construction is critical because it determines whether the claims cover impersonation of internal employees (as alleged in the complaint) or are limited to external third parties (like banks).
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification provides a non-exhaustive list, stating an authoritative entity can be "a bank or other financial services provider, shipping/postal carrier, cellular or other utility provider, etc." (’628 Patent, col. 2:62-65). The use of "etc." may support a broad construction that includes other types of trusted entities, such as corporate employees.
    • Evidence for a Narrower Interpretation: The primary examples in the specification focus on external entities like banks that communicate with a user (’628 Patent, col. 3:3-5). A defendant may argue that the context of the invention is focused on external phishing, not internal "spoofing" of one employee by another, thereby limiting the term's scope to such external entities.

The Term: "similarity distance"

  • Context and Importance: This term describes the core technical mechanism for detecting an apparent match between a fraudulent sender and a legitimate one. The definition of what constitutes a "similarity distance" will be central to determining whether the accused products' specific algorithms infringe.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification explicitly mentions several known metrics, including "an edit distance, a Hamming distance, or a similar distance metric," and also discloses the use of a "support vector machine" for this purpose (’628 Patent, col. 12:5-15). This may support an interpretation that covers a range of known computational linguistics and machine learning techniques for comparing strings or data.
    • Evidence for a Narrower Interpretation: Practitioners may focus on this term because the complaint's broad list of potential techniques suggests uncertainty about the accused product's actual operation (Compl. ¶24c.ii.2.a.iii). A defendant might argue that its proprietary impersonation detection algorithm does not "compute a similarity distance" in the manner described by the patent, but instead uses a fundamentally different approach, such as a multi-factor heuristic scoring model that does not rely on a direct distance calculation between two specific items.

VI. Other Allegations

Indirect Infringement

  • The complaint alleges induced infringement, asserting that FireEye supplies its Email Security solutions with the knowledge and intent for customers to infringe, facilitated by "promotional and marketing materials, supporting materials, instructions, product manuals, and/or technical information" (Compl. ¶28, ¶46). It also alleges contributory infringement, stating the products are not staple articles of commerce and are especially made to infringe (Compl. ¶29, ¶47).

Willful Infringement

  • Willfulness is alleged based on FireEye having knowledge of the patents "since at least the filing of this action" (Compl. ¶31, ¶49). This is a post-suit willfulness allegation. However, the complaint also notes that FireEye attended several conferences where the inventor presented on the technology prior to the patents' issuance, which may be used to argue for pre-suit knowledge of the technology, if not the patents themselves (Compl. ¶¶11-12).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of algorithmic correspondence: does the specific, multi-step analytical process recited in the claims—(1) parse a display name, (2) determine it appears authentic via a "similarity distance" calculation, (3) determine it is unauthorized, and (4) classify—accurately describe the technical operation of the accused FireEye Email Security solutions, or do the products employ a different, non-infringing logic for threat detection?
  • A second key issue will be one of definitional scope: can the term "authoritative entity," which is exemplified in the patent with external organizations like banks, be construed to cover the internal "employee of a FireEye customer" as alleged in the complaint? The outcome of this claim construction dispute could significantly expand or contract the scope of potential infringement.