1:19-cv-01688
ZapFraud Inc v. FireEye Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: ZapFraud, Inc. (Delaware)
- Defendant: FireEye, Inc. (Delaware)
- Plaintiff’s Counsel: Farnan LLP; Desmarais LLP
- Case Identification: 1:19-cv-01688, D. Del., 10/18/2019
- Venue Allegations: Venue is alleged to be proper in Delaware on the basis that Defendant FireEye is incorporated in the state, has established minimum contacts, and has advertised, sold, and distributed the accused products within the judicial district.
- Core Dispute: Plaintiff alleges that Defendant’s Email Security solutions infringe a patent related to the detection of phishing and email impersonation attacks.
- Technical Context: The technology addresses sophisticated email-based threats, such as Business Email Compromise, by analyzing discrepancies between an email's apparent sender and its actual origin.
- Key Procedural History: The complaint alleges that Defendant FireEye attended several industry conferences (RSA 2014, Black Hat USA 2015, RSA 2016) where the inventor of the patent-in-suit presented on the underlying technology. The asserted patent was issued on April 30, 2019, and a certificate of correction was issued on October 8, 2019.
Case Timeline
| Date | Event |
|---|---|
| 2013-09-16 | '628 Patent Priority Date |
| 2014-01-01 | ZapFraud founded |
| 2014-01-01 | FireEye and Dr. Jakobsson attend RSA Conference 2014 |
| 2015-01-01 | FireEye and Dr. Jakobsson attend Black Hat USA 2015 |
| 2016-01-01 | FireEye and Dr. Jakobsson attend RSA Conference 2016 |
| 2019-04-30 | U.S. Patent No. 10,277,628 Issued |
| 2019-10-08 | '628 Patent Certificate of Correction Issued |
| 2019-10-18 | First Amended Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 10,277,628 - "Detecting Phishing Attempts"
- Patent Identification: U.S. Patent No. 10,277,628, "Detecting Phishing Attempts," issued April 30, 2019. (Compl. ¶10).
The Invention Explained
- Problem Addressed: The patent addresses the failure of existing email security techniques, such as term-based blacklisting, to stop sophisticated phishing attacks. These attacks often use customized, human-readable content that appears legitimate to the recipient, thereby bypassing conventional filters. (Compl. ¶19-20; ’628 Patent, col. 1:15-32).
- The Patented Solution: The invention proposes a two-part analysis to classify emails. First, it determines the likelihood that a recipient would perceive the message as coming from a legitimate, "authoritative entity" by analyzing its content and display features. Second, it assesses the likelihood that the message was actually transmitted with authorization from that entity by examining technical data like delivery paths and authentication protocols. An email is then classified based on a combination of these two assessments. (Compl. ¶21; ’628 Patent, Abstract; ’628 Patent, col. 9:18-47).
- Technical Importance: This approach moves beyond simple content filtering to a more contextual analysis, specifically targeting deceptive impersonation tactics used in financially damaging Business Email Compromise (BEC) scams. (Compl. ¶1, ¶13).
Key Claims at a Glance
- The complaint asserts at least independent claim 1. (Compl. ¶25).
- The essential elements of independent claim 1 are:
- A classification system comprising a client device, a profile and content database, and at least one server.
- The server includes one or more processors configured to:
- Parse a display name from an electronic communication.
- Determine that the communication appears to be from an "authoritative entity" by computing a "similarity distance" between the parsed display name and a name of the authoritative entity retrieved from the database.
- Determine that the communication was not transmitted with authorization from that authoritative entity.
- Perform a "security determination" (e.g., classifying the communication as "good" or "bad") based on the preceding two determinations.
- Perform an action (e.g., blocking, quarantining) if the classification is "bad."
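As an added illustration of the two-step structure described under "The Patented Solution" above and enumerated in the claim elements just listed, the following Python sketch applies that logic to constructed sample messages. It was written for this summary: it is not FireEye's code, not the implementation disclosed in the '628 patent, and not evidence of what any accused product does. The profile database (`PROFILES`), the entity names and authorised domains in it, the edit-distance threshold, and the sample messages are all assumptions made for the example.

```python
"""Two-step display-name impersonation check (illustrative, not any product's code)."""
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr
from typing import NamedTuple, Optional, Tuple

# Hypothetical "profile and content database": protected display names,
# each mapped to the sending domains that entity is authorised to use.
# Constructed for this example; not real data.
PROFILES = {
    "Jane Doe": {"example.com"},
    "Acme Payroll": {"acme.example", "acme-mail.example"},
}


def normalise(name: str) -> str:
    """NFKC-fold, casefold and strip punctuation so trivial variations
    ('Jane  Doe', 'JANE DOE', fullwidth letters) compare equal. Accented
    letters are dropped by the regex; a production system would map them."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    folded = re.sub(r"[^a-z0-9 ]+", "", folded)
    return " ".join(folded.split())


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one of the 'similarity distance' metrics the patent names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class Parsed(NamedTuple):
    display_name: str
    from_addr: str
    reply_to_addr: str  # "" when the message carries no Reply-To


def parse_message(raw: str) -> Parsed:
    """Parse the display name and addresses out of the raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    return Parsed(name, addr.lower(), reply.lower())


def matched_entity(display_name: str, threshold: int = 2) -> Optional[Tuple[str, int]]:
    """Step 1: does the display name resemble a profiled entity?
    Returns the closest entity within `threshold` edits, or None."""
    target = normalise(display_name)
    if not target:
        return None
    best: Optional[Tuple[str, int]] = None
    for entity in PROFILES:
        d = levenshtein(target, normalise(entity))
        if d <= threshold and (best is None or d < best[1]):
            best = (entity, d)
    return best


def domain(addr: str) -> str:
    return addr.rpartition("@")[2]


def transmitted_with_authorisation(parsed: Parsed, entity: str) -> bool:
    """Step 2 (simplified): the From domain, and the Reply-To domain when one
    is present, must both be authorised for the matched entity. A real
    deployment would also consult SPF/DKIM/DMARC results; omitted here."""
    allowed = PROFILES[entity]
    if domain(parsed.from_addr) not in allowed:
        return False
    if parsed.reply_to_addr and domain(parsed.reply_to_addr) not in allowed:
        return False
    return True


class Verdict(NamedTuple):
    classification: str  # "good" or "bad"
    entity: Optional[str]
    reason: str


def classify(raw: str) -> Verdict:
    """Security determination combining the two separate determinations."""
    parsed = parse_message(raw)
    hit = matched_entity(parsed.display_name)
    if hit is None:
        return Verdict("good", None, "display name does not resemble a profiled entity")
    entity, dist = hit
    if transmitted_with_authorisation(parsed, entity):
        return Verdict("good", entity, f"resembles {entity!r} (distance {dist}); authorised domain")
    return Verdict("bad", entity, f"resembles {entity!r} (distance {dist}); From/Reply-To domain not authorised")


def act(verdict: Verdict) -> str:
    """Responsive action on a bad classification."""
    return "quarantine" if verdict.classification == "bad" else "deliver"


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\r\nTo: bob@example.com\r\n"
             "Subject: Q3 numbers\r\n\r\nSee attached.\r\n",
    "lookalike": "From: Jane D0e <jdoe.ceo@webmail.example>\r\nTo: bob@example.com\r\n"
                 "Subject: urgent wire\r\n\r\nPlease process today.\r\n",
    "replyto_swap": "From: Acme Payroll <payroll@acme.example>\r\n"
                    "Reply-To: Acme Payroll <acme.payroll@mailer.example>\r\n"
                    "To: bob@example.com\r\nSubject: updated bank details\r\n\r\nReply with your IBAN.\r\n",
    "unrelated": "From: Newsletter <news@shop.example>\r\nTo: bob@example.com\r\n"
                 "Subject: weekly deals\r\n\r\nHello.\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        v = classify(raw)
        print(f"{label:13} {v.classification:4} {act(v):10} {v.reason}")
```

The point of keeping `matched_entity` and `transmitted_with_authorisation` as separate functions is that the "operational mapping" question raised later in this summary turns on exactly that separation: a system that instead feeds display name, headers and reply-to into one combined scoring model would produce similar verdicts without the two discrete determinations the claim recites.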
- The complaint also alleges infringement of "one or more claims," reserving the right to assert additional claims. (Compl. ¶22).
III. The Accused Instrumentality
Product Identification
- "FireEye Email Security solutions." (Compl. ¶22).
Functionality and Market Context
- The accused products are described as email security solutions that protect customers from targeted social engineering attacks, specifically Business Email Compromise. (Compl. ¶23).
- The relevant functionality involves the analysis of various email attributes, including "email headers, reply-to addresses, and display names to detect and block impersonation emails." (Compl. ¶24).
- No probative visual evidence provided in complaint.
IV. Analysis of Infringement Allegations
U.S. Patent No. 10,277,628 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a classification system... comprising: a client device... at least one of a profile and content database; and at least one server... | The system is alleged to comprise a FireEye customer portal (client device), a database for impersonation analysis (profile and content database), and a FireEye Email Security server. | ¶25(a)-(c) | col. 6:35-44 |
| a set of one or more processors configured to: parse a display name associated with the electronic communication; | The server is alleged to parse the display name of an incoming email. | ¶25(c)(ii)(1) | col. 11:51-54 |
| determine... that the electronic communication appears to have been transmitted on behalf of an authoritative entity by: computing a similarity distance between the display name and at least a name of the authoritative entity... | The server allegedly determines an email appears to be from an employee of a FireEye customer ("authoritative entity") by computing a similarity distance between the email's display name and the employee's name. | ¶25(c)(ii)(2)(a) | col. 9:1-17 |
| wherein the similarity distance is computed by comparison of items by at least one of... a match between headers associated with the electronic communication... and headers associated with the authoritative entity... | The similarity distance computation is alleged to be based on a match between the incoming email's header and headers associated with the customer employee. | ¶25(c)(ii)(2)(a)(ii) | col. 34:18-24 |
| determine... that the electronic communication was not transmitted with authorization from the authoritative entity... | The server allegedly determines the email was not authorized by analyzing the "incoming email's header email address, reply-to email address, and/or content." | ¶25(c)(ii)(3) | col. 9:18-25 |
| based at least in part on [the prior determinations]... perform a security determination including classifying the electronic communication... | Based on the prior steps, the server allegedly performs a security determination to classify the email, for example, as an impersonation attack. | ¶25(c)(ii)(4) | col. 9:41-47 |
| based at least in part on the security determination resulting in a bad classification, perform an action comprising at least one of erasing... marking up... flagging... [or] placing the electronic communications in the spam folder... | Based on a "bad" classification, the server allegedly performs a responsive action, such as "by blocking the email or quarantining the email." | ¶25(c)(ii)(5) | col. 8:5-18 |
- Identified Points of Contention:
- Scope Question: Claim 1 requires computing a similarity distance based in part on a "match between headers... and headers associated with the authoritative entity." The complaint alleges this maps to FireEye comparing an incoming email's header to headers "associated with the... customer employee" (Compl. ¶25(c)(ii)(2)(a)(ii)). This raises the question of whether an individual employee can be said to have "associated headers" in a way that satisfies the claim, and what evidence will show that FireEye's database stores and compares headers in this manner.
- Technical Question: The complaint's allegations for determining matches list a wide array of distinct technical methods (e.g., Hamming distance, edit distance, SVM, MD5 hash, metaphone algorithm) connected by "and/or" (Compl. ¶25(c)(ii)(2)(a)(iii)). This raises a significant factual question: which, if any, of these specific, computationally distinct methods does the accused FireEye system actually employ, and does the evidence align with the specific requirements of the claim's Markush group?
V. Key Claim Terms for Construction
The Term: "authoritative entity"
Context and Importance: This term is the lynchpin of the infringement theory, as the entire claim is directed to detecting impersonation of such an entity. The complaint broadens this to include "an employee of a FireEye customer" (Compl. ¶25(c)(ii)(2)). The construction of this term will dictate whether the patent covers impersonation of any individual or is limited to specific, profiled organizations.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification provides a wide range of examples, including "a bank or other financial services provider, shipping/postal carrier, cellular or other utility provider, etc." (’628 Patent, col. 2:62-65), which may support a broad construction that is not limited to a specific type of organization.
- Evidence for a Narrower Interpretation: Claim 1 requires that the "name of the authoritative entity is retrieved from the at least one of the profile and content database" (’628 Patent, col. 34:10-14). This could support a narrower construction requiring the entity to be one that is predefined and profiled within the system's database, rather than any arbitrary person or company.
The Term: "similarity distance"
Context and Importance: This term defines the core technical comparison at the heart of the invention. The claim recites a specific list of techniques for determining the matches used to compute this distance. Practitioners may focus on this term because the factual question of whether FireEye's algorithms perform one of the specifically enumerated methods will be critical to proving infringement.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification states that the "distance measure can take a variety of forms, including, one of an edit distance, a Hamming distance, or a similar distance metric," which could suggest the list is exemplary, not exhaustive. (’628 Patent, col. 12:4-7).
- Evidence for a Narrower Interpretation: Claim 1 recites that "matches are determined by at least one of:" followed by a long list of specific methods (e.g., Hamming distance, edit distance, support vector machine) (’628 Patent, col. 34:25-45). This use of a Markush group structure may support a narrower construction limiting the claim to systems that use one or more of the explicitly listed techniques.
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement, asserting that FireEye provides its Email Security solutions with the knowledge and intent that its customers will use the products in an infringing manner. This is allegedly supported by FireEye's "promotional and marketing materials, supporting materials, instructions, [and] product manuals." (Compl. ¶29). The complaint also pleads contributory infringement, alleging the accused products are especially made to infringe and are not staple articles of commerce. (Compl. ¶30).
- Willful Infringement: Willfulness is alleged based on knowledge "since at least the filing of this Complaint." (Compl. ¶32). The complaint also lays a foundation for potential pre-suit willfulness by alleging that FireEye attended multiple industry conferences between 2014 and 2016 where the inventor, Dr. Jakobsson, presented on the patented fraud detection technology. (Compl. ¶14-15).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of "operational mapping": does the accused FireEye system perform the discrete, two-step logical analysis recited in Claim 1 (first, determining an email "appears" authentic, then separately determining it is "not" authorized), or does it employ a different, holistic algorithm that cannot be cleanly mapped to the patent’s specific claim structure?
- A second key issue will be one of "evidentiary sufficiency": can ZapFraud produce specific, non-conclusory evidence that FireEye's systems use the precise computational methods (e.g., Hamming distance, support vector machine analysis) enumerated in the claim's Markush group, or will the allegations remain a recitation of claim language?
- The case may also turn on a question of "definitional scope": can the term "authoritative entity", which the patent illustrates with examples like banks and shipping carriers, be construed broadly enough to cover the alleged impersonation of any individual "employee of a FireEye customer"?