Finjan, Inc. v. Proofpoint, Inc. et al
Filing
267
CLAIM CONSTRUCTION ORDER. Signed by Judge Haywood S. Gilliam, Jr. on 12/3/2015. (ndrS, COURT STAFF) (Filed on 12/3/2015)
<![CDATA[
1
2
3
4
UNITED STATES DISTRICT COURT
5
NORTHERN DISTRICT OF CALIFORNIA
6
7
FINJAN, INC.,
Case No. 13-cv-05808-HSG
Plaintiff,
8
v.
CLAIM CONSTRUCTION ORDER
9
10
PROOFPOINT, INC., et al.,
Defendants.
United States District Court
Northern District of California
11
12
Plaintiff Finjan, Inc. filed this patent infringement action against Defendants Proofpoint,
13
Inc. and Armorize Technologies, Inc. The parties seek construction of seven claim terms found in
14
six patents: Patent Nos. 6,154,844 (“the ’844 Patent”), 7,058,822 (“the ’822 Patent”), 7,647,633
15
(“the ’633 Patent”), 7,975,305 (“the ’305 Patent”), 8,141,154 (“the ‘154 Patent”), and 8,225,408
16
(“the ’408 Patent”). This order follows claim construction briefing, a technology tutorial, and a
17
claim construction hearing.
18
19
I. LEGAL STANDARD
Claim construction is a question of law to be determined by the Court. See Markman v.
20
Westview Instruments, Inc., 52 F.3d 967, 979 (Fed. Cir. 1995). “The purpose of claim
21
construction is to determine the meaning and scope of the patent claims asserted to be infringed.”
22
O2 Micro Int’l Ltd. v. Beyond Innovation Tech. Co., 521 F.3d 1351, 1360 (Fed. Cir. 2008)
23
(internal quotation marks omitted).
24
Generally, claim terms should be given their ordinary and customary meaning—i.e., the
25
meaning that the terms would have to a person of ordinary skill in the art at the time of the
26
invention. Phillips v. AWH Corp., 415 F.3d 1303, 1312-13 (Fed. Cir. 2005) (en banc). There are
27
only two circumstances where a claim is not entitled to its plain and ordinary meaning: “1) when a
28
patentee sets out a definition and acts as his own lexicographer, or 2) when the patentee disavows
1
the full scope of a claim term either in the specification or during prosecution.” Thorner v. Sony
2
Computer Entm’t Am. LLC, 669 F.3d 1362, 1365 (Fed. Cir. 2012).
When construing claim terms, the Federal Circuit emphasizes the importance of intrinsic
3
evidence such as the language of the claims themselves, the specification, and the prosecution
5
history. Phillips, 415 F.3d at 1312-17. The claim language can “provide substantial guidance as
6
to the meaning of particular claim terms,” both through the context in which the claim terms are
7
used and by considering other claims in the same patent. Id. at 1314. The specification is likewise
8
a crucial source of information. Although it is improper to read limitations from the specification
9
into the claims, the specification is “the single best guide to the meaning of a disputed term.”
10
Id. at 1315 (“[T]he specification is always highly relevant to the claim construction analysis.
11
United States District Court
Northern District of California
4
Usually, it is dispositive.”) (internal quotation marks omitted); see also Merck & Co. v. Teva
12
Pharms. USA, Inc., 347 F.3d 1367, 1371 (Fed. Cir. 2003) (“[C]laims must be construed so as to be
13
consistent with the specification.”).
Despite the importance of intrinsic evidence, courts may also consider extrinsic evidence—
14
15
technical dictionaries, learned treatises, expert and inventor testimony, and the like—to help
16
construe the claims. Phillips, 415 F.3d at 1317-18. For example, dictionaries may reveal what the
17
ordinary and customary meaning of a term would have been to a person of ordinary skill in the art
18
at the time of the invention. Frans Nooren Afdichtingssystemen B.V. v. Stopaq Amcorr Inc., 744
19
F.3d 715, 722 (Fed. Cir. 2014) (“Terms generally carry their ordinary and customary meaning in
20
the relevant field at the relevant time, as shown by reliable sources such as dictionaries, but they
21
always must be understood in the context of the whole document—in particular, the specification
22
(along with the prosecution history, if pertinent).”). Extrinsic evidence is, however, “less
23
significant than the intrinsic record in determining the legally operative meaning of claim
24
language.” Phillips, 415 F.3d at 1317 (internal quotation marks omitted).
25
II.
26
27
AGREED TERMS
The parties have agreed to the construction of the following terms:
Claim Term
Agreed Claim Construction
28
2
downloadable
1
an executable application
program, which is downloaded
from a source computer and run
on the destination computer
an environment in which a
software application is run,
which may limit resources that
the application is permitted to
access or operations that the
application is permitted to
perform
potentially malicious
executable code
executable wrapper code
combined code
2
security context
3
4
5
6
7
CODE-A
8
CODE-B
CODE-C
9
10
United States District Court
Northern District of California
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
See Dkt. No. 117. In light of the parties’ agreement on the construction of these terms, the Court
adopts the parties’ constructions.
III.
DISPUTED TERMS
A.
’822 and ’633 Patents
The ’822 and ’633 Patents share the same specification and are titled “Malicious Mobile
Code Runtime Monitoring System and Methods.” The inventions provide protection from
“undesirable downloadable operation.” ’822 Patent at 1:25-29; ’633 Patent at 1:30-33.
Embodiments of the invention provide “for receiving downloadable-information and detecting
whether the downloadable-information includes one or more instances of executable code.” ’822
Patent at 5:34-39. Where there is executable code, the invention provides
mobile protection code (“MPC”) and downloadable protection
policies to be communicated to, installed and executed within one or
more received information destinations in conjunction with a
detected-Downloadable. Embodiments also provide, within an
information-destination, for detecting malicious operations of the
detected-Downloadable and causing responses thereto in accordance
with the protection policies. . . .
Id. at 5:44-51 (emphases added). The parties dispute the meaning of the two bolded phrases.
1. “mobile protection code”
Finjan’s Construction
Proofpoint’s Construction
27
28
3
code communicated to at least one
information-destination that, at runtime,
monitors or intercepts actually or potentially
malicious code operations
1
2
code capable of monitoring or intercepting
potentially malicious code
3
4
The parties agree that “mobile protection code” is not a term known in the art. Dkt. No.
5
142 at 5; Dkt. No. 170 at 57. Accordingly, the intrinsic record is the best evidence of the term’s
6
meaning. Vitronics Corp. v. Conceptronic, Inc., 90 F.3d 1576, 1582 (Fed. Cir. 1996) (“[A]
7
patentee may choose to be his own lexicographer and use terms in a manner other than their
8
ordinary meaning, as long as the special definition of the term is clearly stated in the patent
9
specification or file history.”).
In support of its construction, Plaintiff directs the Court to a portion of the specification
11
United States District Court
Northern District of California
10
indicating that “[t]he sandboxed package includes mobile protection code (“MPC”) for causing
12
one or more predetermined malicious operations or operation combinations of a Downloadable to
13
be monitored or otherwise intercepted.” ’822 Patent at 3:6-10. Plaintiff argues that this passage
14
provides an “explicit definition” of the term MPC, and demonstrates that MPC must merely be
15
capable of monitoring or intercepting potentially malicious code. Dkt. No. 142 at 6.
16
Defendants’ construction adds two limitations: (1) that MPC must monitor or intercept
17
actually or potentially malicious code “at runtime” (i.e., that is, monitoring potentially malicious
18
code as the code is being executed), Dkt. No. 143 at 1-3, and (2) that MPC is “code communicated
19
to at least one information-destination,” id. at 4-5.
20
21
a.
“at runtime”
The claims describe the execution of MPC as corresponding to “attempted operations” of
22
the executable code at a downloadable-information destination. See ’822 Patent at 22:63-67
23
(Claim 16); id. at 23:41-45 (Claim 27); ’633 Patent at 22:1-5 (Claim 14); id. at 22:17-22 (Claim
24
20). Claim 28 of the ’633 Patent describes the MPC receiving “operations attempted by the
25
Downloadable” and “initiating, by the MPC on the computer, a protection policy corresponding to
26
the attempted operation.” ’633 Patent at 22:55-63. And Claim 41 of the ’633 Patent describes
27
how the MPC initiates a “protection policy corresponding to the attempted operation.” Id. at
28
4
1
24:30-34.1 The Court finds that the claims’ consistent description of correspondence with
2
“attempted operations” by the downloadable indicates an “at runtime” limitation.
The specifications support this “at runtime” construction. First, the title of the patents is
3
4
“Malicious Mobile Code Runtime Monitoring Systems and Methods.” (emphasis added). The
5
reference to “runtime” also is made in the first sentence of the “Detailed Description”: “In
6
providing malicious mobile code runtime monitoring systems and methods, embodiments of the
7
invention enable actually or potentially undesirable operations of even unknown malicious code to
8
be efficiently and flexibly avoided.” ’822 Patent at 5:30-31; ’633 Patent at 5:30-31 (emphasis
9
added).
Second, the specifications’ description of when MPC is generated and initiated provides
10
United States District Court
Northern District of California
11
further support. The action generator generates MPC only when the protection engine determines
12
that received downloadable information includes executable code, see ’822 Patent at 9:24-26, 30-
13
34; 12:18-65; Figs. 3 and 4. Upon such a determination, the protection engine “causes [MPC] to
14
be communicated to the Downloadable-destination” by way of the transfer engine. Id. at 9:63-67;
15
14:38-43; 16:15-22. Figure 11 is instructive with regard to MPC’s protection method within the
16
destination device. MPC installs its elements and policies in the device and “forms an access
17
monitor or ‘interceptor’ for monitoring or ‘intercepting’ downloadable destination device access
18
attempts within the destination device.” Id. at 20:21-30. When the monitored or intercepted
19
information indicates that the downloadable is attempting to access the device in an undesirable
20
way, MPC executes the protection policies. Id. at 20:33-40; see also id. at 20:54-56 (noting that
21
MPC applies “suitable policies in accordance with an access attempt by a Downloadable”); id. at
22
18:42-47 (discussing MPC’s resource access analyzer component “[d]uring downloadable
23
operation”).
The exemplary application of a sandbox package is further instructive:
24
25
Upon receipt of sandboxed package by a compatible browser, email
or other destination client and activating of the package by a user or
26
27
28
1
See also ’822 Patent at 24:5-11 (Claim 28) (describing the execution of MPC as “such that one
or more operations of the executable code at the destination, if attempted, will be processed by the
[MPC].”); see also ’822 Patent at 24:39-43; ’633 Patent at 22:28-34, 46-51; Id. at 23:21-28.
5
the destination-client, the operating system (or a suitable
responsively initiated distributed component host) will attempt to
initiate sandboxed package 340 as a single Downloadable. Such
processing will, however, result in initiating the MPC 341 and-in
accordance with further aspects of the invention-the MPC will
initiate the Downloadable in a protected manner, further in
accordance with any applicable included or further downloaded
protection policies 342.
1
2
3
4
5
Id. at 11:26-38 (emphasis added). Thus, the destination-client’s receipt and activation of the
6
sandboxed package causes MPC to initiate. Figure 7a also shows how the client’s “attempt” to
7
initiate the sandbox package in fact corresponds to “the beginning of the MPC”—the client
8
recognizes the package as an executable and initiates the mobile code installer. Id. at 17:34-44.
9
The mobile code installer then initiates MPC (not the downloadable), allowing MPC to form a
protection “sandbox” around the downloadable, monitor the downloadable, and intercept
11
United States District Court
Northern District of California
10
malicious code. Id. at 17:45-59. These passages describing an illustrative embodiment of the
12
invention confirm the Court’s construction of the claim.
The Patents’ references to MPC’s monitoring functions in the present or past tense are also
13
14
persuasive. See id. at 20:33-38 (MPC monitors whether “the Downloadable is attempting or has
15
attempted a destination device access” (emphasis added)). The Abstract states the invention
16
provides for “initiating the Downloadable [and] enabling malicious Downloadable operation
17
attempts to be received by the MPC.” Id. at Abstract (emphasis added). And the claims imply
18
MPC only operates upon an “attempt” of the executable code. See id. at Claims 16, 28 (describing
19
method whereby “operations of the executable code at the destination, if attempted, will be
20
processed by the [MPC]” (emphasis added)); ’633 Patent at Claim 14 (same). Defendants contend
21
that there would be references to the future tense (i.e., “will attempt”) if MPC could monitor
22
executable code before runtime and that the language shows that the executable code being
23
monitored or intercepted must actually run (i.e., make an attempt) to be received by the MPC. In
24
light of the intrinsic evidence, the Court agrees.2
Plaintiff responds to Defendants’ proposed construction by contending the specification
25
26
27
28
2
Although not binding on this Court, Finjan, Inc. v. Blue Coat Sys., Inc.’s construction of MPC—
that it operates “at runtime”—is further persuasive support for this Court’s conclusion. See No.
13-CV-03999-BLF, 2014 WL 5361976, at *3 (N.D. Cal. Oct. 20, 2014).
6
1
demonstrates that protection policies exist as part of the static code in MPC, citing the Patent’s
2
“Summary of the Invention” in support:
3
5
Embodiments also provide for delivering static, configurable and/or
extensible remotely operable protection policies to a Downloadabledestination, more typically as a sandboxed package including the
mobile protection code, downloadable policies and one or more
received Downloadables.
6
’822 Patent at 2:42-47 (emphasis added). But, the Court is required to construe the claim term “in
7
a way that comports with the instrument as a whole.” See Markman, 517 U.S. at 389 (emphasis
8
added). The invention’s “Detailed Description” clarifies that “static” refers to the linking engine’s
9
formation of the sandboxed package, which includes initial and complete MPCs, other protection
4
polices, and the downloadable. Id. at 13:31-36. The specification explains that the “[l]inking
11
United States District Court
Northern District of California
10
engine 405 is implementable in a static or configurable manner in accordance, for example, with
12
characteristics of a particular user device/process stored intermittently or more persistently in
13
storage 404.” Id. at 13:37-40. It goes on to explain that the linking engine is also configurable to
14
form a protecting package that has more than one executable of the downloadable or to form
15
16
17
18
an initial MPC, MPC-policy or sandboxed package (e.g. prior to
upon receipt of a downloadable) or an additional MPC, MPC policy
or sandboxed package (e.g. upon or following receipt of a
downloadable), such that suitable MPCs/policies can be provided to
a Downloadable-destination or other destination in a more
distributed manner.
Id. at 14:1-7. That the linking engine allows for such varying static and configurable packaging
19
options does not negate the intrinsic evidence confirming that MPC operates “at runtime.”
20
21
b.
“code communicated to at least one information-destination”
Defendants’ second limitation requires that MPC be construed as “code communicated to
22
at least one information-destination.” Dkt. No. 142 at 4-5. Defendants argue the first word of the
23
term MPC is “mobile,” which means MPC must move somewhere. Id. (“The Court should further
24
conclude . . . that mobile protection code is mobile” (emphasis in original)). But the phrase
25
26
27
“communicated to at least one information-destination” does not appear anywhere in the
specification. Instead, it appears in some—but not all—of the patents’ claims. Compare ’633
Patent at 21:48-55 (disclosing “[a] processor-based system . . . causing [MPC] to be
28
7
1
communicated to at least one information-destination . . . .”) with id. at 21:58-22:5 (“[a] computer
2
program product . . . causing [MPC] to be executed by the mobile code executor at a
3
downloadable-information destination . . .”). If MPC, by definition, needed to be communicated
4
to at least one information-destination, the inclusion of that language in any of the claims would
5
be redundant.
6
Moreover, the Court is not persuaded by Defendants’ argument that Plaintiff expressly
disclaimed its preferred construction during the prosecution of the ’633 Patent. Dkt. No. 142 at 5
8
(quoting language from ’633 Patent’s prosecution history in which Plaintiff stated that “[t]he
9
claimed invention provides a packaging of mobile protection code with a downloadable intended
10
for a destination computer . . . . In distinction with the claimed invention, Golan does not describe
11
United States District Court
Northern District of California
7
the packaging of protection code. Instead, Golan discusses a situation whereby a security monitor
12
is already resident on a client computer . . . .”). It is not clear and unambiguous that Plaintiff’s
13
distinction between Golan’s invention and the’633 Patent’s invention was based on the
14
“communication” of MPC to an information-destination. See Verizon Servs. Corp. v. Vonage
15
Holdings Corp., 503 F.3d 1295, 1306 (Fed. Cir. 2007) (“To operate as a disclaimer, the statement
16
in the prosecution history must be clear and unambiguous, and constitute a clear disavowal of
17
scope.”). Because the disavowal is not unambiguous, the Court declines to adopt Defendants’
18
second limitation.
19
20
21
22
23
24
25
26
27
Accordingly, the Court construes “mobile protection code” as “code that, at runtime,
monitors or intercepts actually or potentially malicious code operations.”
2.
“information-destination/downloadable-information destination”
Finjan’s Construction
no construction necessary—
Plain and ordinary meaning
Proofpoint’s Construction
a user device that receives and
initiates (or otherwise hosts)
execution of the downloadable
information
Plaintiff contends that these terms are explicitly defined in the ’822 Patent as “any server
or computer where the information is communicated to, installed or executed.” Dkt. No. 142 at 23
(citing ’822 Patent at 5:44-48). Contrary to Plaintiff’s description of the specification, the passage
28
8
1
it cites does not provide that an information destination is “any server or computer where the
2
information is communicated to, installed, or executed.” Instead, the passage uses the conjunctive
3
“and”:
Embodiments further provide for causing mobile protection code
(“MPC”) and downloadable protection policies to be communicated
to, installed and executed within one or more received information
destinations in conjunction with a detected-Downloadable.
4
5
6
’822 Patent at 5:44-48 (emphasis added). At the claim construction hearing when questioned
7
about the difference between the specification and the quoted passage, Plaintiff insisted that under
8
its construction an information-destination “does not have to be a location where it has be
9
executed.” Dkt. No. 170 at 49.
10
Defendants argue that the specification defines the terms more narrowly, requiring a “user
United States District Court
Northern District of California
11
device . . . that [is] capable of receiving and initiating or otherwise hosting a mobile code
12
execution.” Dkt. No. 143 at 7 (quoting ’822 Patent 7:60-65).
13
14
The Court finds that the passages the parties cited mostly support Defendants’
construction. The specification’s language is dispositive:
A suitable information-destination or ‘user device’ can further
include one or more devices or processes (such as email, browser or
other clients) that are capable of receiving and initiating or
otherwise hosting a mobile code execution.
15
16
17
18
19
20
’822 Patent at 7:60-65. Vitronics, 90 F.3d at 1582 (“The specification acts as a dictionary when it
expressly defines terms used in the claims or when it defines terms by implication.”).
Thus, consistent with the intrinsic evidence, the Court construes “information-destination”
and “downloadable-information destination” as “a device or process that is capable of receiving
21
and initiating or otherwise hosting a mobile code execution.”
22
23
24
25
26
B.
’408 Patent
The ’408 Patent, titled “Method and System For Adaptive Rule-Based Content Scanners,”
covers “a method and system for scanning content that includes mobile code, to produce a diagnostic
analysis of potential exploits within the content.” ’408 Patent at 1:59-61. The invention uses an
adaptive rule-based content (“ARB”) scanner, which dynamically scans and diagnoses incoming
27
Internet content. Id. at 1:65-2:24. The system generates a parse tree based on tokens and patterns of
28
9
1
tokens it identifies, then identifies exploits (the malicious portions of the code) within the parse tree.
2
Id. at 2:25-57.
3. “parse tree”
3
4
Finjan’s Construction3
5
Proofpoint’s Construction
a way of organizing exploits in scanned
content into a hierarchical structure
a set of nodes linked in a hierarchy that
with one root and several branches,
represents a sequence of words and
much like a family tree or genealogy
symbols according to a given syntax.
chart.
6
7
8
The claim term appears in claims 1, 2, 9, 11, and 22-35 of the ’408 Patent. Independent claim
9
1 describes:
10
A computer processor-based multi-lingual method for scanning
incoming program code, comprising:
United States District Court
Northern District of California
11
receiving, by a computer, an incoming stream of program code;
determining, by the computer, any specific one of a plurality of
programming languages in which the incoming stream is written;
12
13
instantiating, by the computer, a scanner for the specific programming
language, in response to said determining, the scanner comprising
parser rules and analyzer rules for the specific programming language,
wherein the parser rules define certain patterns in terms of tokens,
tokens being lexical constructs for the specific programming language,
and wherein the analyzer rules identify certain combinations of tokens
and patterns as being indicators of potential exploits, exploits being
portions of program code that are malicious;
14
15
16
17
18
identifying, by the computer, individual tokens within the incoming
stream;
19
dynamically building, by the computer while said receiving receives
the incoming stream, a parse tree whose nodes represent tokens and
patterns in accordance with the parser rules;
20
21
dynamically detecting, by the computer while said dynamically
building builds the parse tree, combinations of nodes in the parse
tree which are indicators of potential exploits, based on the analyzer
rules;
22
23
24
and indicating, by the computer, the presence of potential exploits
within the incoming stream, based on said dynamically detecting.
25
26
3
27
28
Plaintiff’s initial construction was “a tree data structure representing exploits in scanned
content.” Defendants’ initial construction was “a set of linked nodes whose nodes represent tokens
and patterns in accordance with the parser rules.” Each party revised its proposed construction in
supplemental briefing filed after the claim construction hearing.
10
1
’408 Patent, 19:45-20:7 (emphases added).
2
Plaintiff’s construction incorporates the limitation that a parse tree applies to “exploits in
3
scanned content” whereas Defendants’ construction describes “a sequence of words and symbols
4
according to a given syntax” without any mention of “scanned content” generally or exploits from
5
the scanned content, specifically. The Court rejects both proposals.
6
There are two problems with Plaintiff’s construction. First, although the parse tree can be
7
used to identify exploits, it is not limited to this use. Parsing rules can be used to perform various
8
actions, such as “setting internal variables; invoking a sub-scanner 270, . . . and searching the
9
parse tree for nodes satisfying specific conditions.” Id. at 8:61-66. Second, while one action of
the parse tree is to identify exploits, that action is not a requisite characteristic of a parse tree. The
11
United States District Court
Northern District of California
10
term’s construction does not need to include all of the parse tree’s uses; it only need describe what
12
the parse tree is. At its core, the parse tree provides a means of organizing and presenting data—
13
for example, each node preferably contains “data indicating inter alia an ID number, the token or
14
rule that the node represents, a character string name as a value for the node, and a numerical list
15
of attributes.” Id. at 8:38-41.
16
Defendants’ construction is similarly flawed. The construction imports the limitation that
17
nodes represent “a sequence of words and symbols according to a given syntax.” But, the
18
definition of parse tree does not need to include an explanation of what the nodes represent. There
19
is no evidence—intrinsic or extrinsic—that a parse tree stops being a parse tree if the nodes were
20
to represent something other than a sequence of words and symbols.
21
On the other hand, the claims impose three requirements that the Court concludes must be
22
a part of the term’s construction. First, a parse tree is “built.” Claim 1 describes the actions of
23
“dynamically building, by the computer while said receiving receives the incoming stream, a
24
parse tree” and “dynamically detecting, by computer while said dynamically building builds the
25
parse tree,” id. at 19:64-66; 20:1-3 (emphasis added); see id. at 20:8-9 (Claim 2) (describing a
26
method “wherein said dynamically building a parse tree is based upon a shift-and-reduce
27
algorithm”). Independent Claim 9 also describes the parser “dynamically building the parse tree.”
28
Id. at 21:1-2. The specifications further confirm this construction—“the parse tree generated by
11
1
parser 220 is dynamically built using a shift-and-reduce algorithm,” id. at 8:29-30, and “[i]t may
2
thus be appreciated that the analyzer is called repeatedly, while the parse tree is being dynamically
3
built up,” id. at 14:53-55; see id. at 9:64-66.
Second, a parse tree is built from “scanned content.” Claim 1 describes the parse tree as
4
5
“identifying . . . individual tokens within the incoming stream; dynamically building, by the
6
computer while said receiving receives the incoming stream, a parse tree whose nodes represent
7
tokens,” id. at 19:62-66 (emphases added). Claim 9 describes “a parser, for dynamically building
8
while said receiver is receiving the incoming stream, a parse tree,” id. at 9:64-66 (emphasis
9
added). The specifications also confirm this construction—“[T]he present invention is able to
diagnose incoming content.” Id. at 2:20-21. The “parser controls the process of scanning
11
United States District Court
Northern District of California
10
incoming content,” id. at 8:19-20, and the “parser 220 uses a parse tree data structure to represent
12
scanned content,” id. at 8:24-25.
Third, a parse tree is a “hierarchical structure of interconnected nodes.” Claims 24 and 30
13
14
illustrate the “interconnected” nature of the nodes—that the “parser positions nodes of the parse
15
tree corresponding to rules as parent nodes, the children of which correspond to tokens within the
16
patterns that correspond to the rules.” Id. at 22:28-32; 23:22-25. Figure 2 from the written
17
description is instructive. The block diagram is an embodiment of the ARB scanner and shows the
18
parse tree as a hierarchical structure with connected nodes.
Here, both parties agree that a parse tree must be hierarchical, see Dkt. No. 166 at 2-3
19
20
(citing extrinsic evidence); Dkt. No. 168 at 2-3 (same). Their understanding is consistent with the
21
Patent’s specification. The specification describes an embodiment that builds the parse tree using
22
a “shift-and-reduce algorithm,” id. at 8:29-30, invoking the image of a hierarchical structure with
23
nodes that are shifted over and moved down depending on their relationships to each other. The
24
parser automatically performs “a reduce operation by creating a new node and moving token
25
nodes underneath the new node” whenever a pattern is matched within the parser rule. Id. at 8:66-
26
9:2.
27
28
Moreover, the specification describes the tokens’ relationships to each other and the fact
that they are built on each other. For instance, the parser’s method describes connecting the
12
1
tokens based on parent-child and sibling relationships—
2
Successive tokens provided to parser 220 by tokenizer 210 are
positioned as siblings. When parser 220 discovers that a parsing
rule identifies a group of siblings as a single pattern, the siblings are
reduced to a single parent node by positioning a new parent node,
which represents the pattern, in their place, and moving them down
one generation under the new parent note.
3
4
5
Id. at 8:30-37.
6
7
Accordingly, the Court construes claim term “parse tree,” in light of the intrinsic evidence,
as “a hierarchical structure of interconnected nodes built from scanned content.”
8
9
10
United States District Court
Northern District of California
11
12
13
C.
The ’154 Patent
The ’154 Patent, titled “System and Method for Inspecting Dynamically Generated
Executable Code,” concerns “new behavioral analysis technology that affords protection against
dynamically generated malicious code,” which are those viruses generated at runtime. ’154 Patent
at 4:32-34; 3:32-33. Behavioral analysis technology is able to block these “viruses that have not
been previously detected and which do not have a signature on record.” Id. at 1:62-64.
14
15
16
17
18
19
1. “a call to a first function . . . [invoking/invoke/calling] a second function”
Finjan’s Construction
no construction necessary—plain and
ordinary meaning
Proofpoint’s Construction
a call to a function different from the second
function . . . [invoking/ invoke/ calling] a
function different from the first function
The disputed language appears in Claims 1, 4, 6, and 10 of the ’154 Patent. Independent
Claim 1 of the ’154 Patent is representative of how the term is used in the claim language:
20
21
22
23
24
25
26
27
a content processor (i) for processing content received over a
network, the content including a call to a first function, and the call
including an input, and (ii) for invoking a second function with the
input, only if a security computer indicates that such invocation is
safe;
’154 Patent at 17:34-38 (emphases added). The parties’ sole dispute concerning this term is
whether the “first function” and the “second function” can be the same function. Plaintiff argues
that “first” and “second” identify the order in which the functions are called, while Defendants
argue that “first” and “second” indicate that they must be different functions.
Defendants’ argument has no support in the ’154 Patent’s claims. Nothing in the claim
28
13
1
language precludes the first and second function from being the same function. Defendants rely
2
on the specification language, however, which describes the “first” and “second” functions as
3
“original” and “substitute.”
4
To enable the client computer to pass function inputs to the security
computer and suspend processing of content pending replies from
the security computer, the present invention operates by replacing
original function calls with substitute function calls within the
content, at a gateway computer, prior to the content being received
at the client computer.
5
6
7
’154 Patent at 4:55-60 (emphasis added).
8
Defendants contend that the specifications would not have described the functions as
9
“original” and “substitute” functions if those functions were identical. Plaintiff responds that
10
Defendants are mistaken when they equate the second function identified in the claims and the
11
United States District Court
Northern District of California
substitute function identified in the specification. Specifically, Plaintiff notes that the second
12
function is invoked only after the security computer indicates that the invocation is safe, while the
13
original function is replaced by the substitute function at the gateway, before the security
14
computer receives the content. See also id. at Fig. 2. As the specification explains, the invention
15
discloses:
16
21
content being sent to a client computer for processing, the content
including a call to an original function, and the call including an
input, modifying the content at the gateway computer, including
replacing the call to the original function with a corresponding
call to a substitute function, the substitute function being
operational to send the input to a security computer for inspection,
transmitting the modified content from the gateway computer to the
client computer, processing the modified content at the client
computer, transmitting the input to the security computer for
inspection when the substitute function is invoked . . .
22
Id. at 5:4-18 (emphasis added). The specification is clear that it is the original function—not the
23
substitute function—that is invoked after the security computer determines that its invocation is
24
safe. The specification continues:
17
18
19
20
25
26
27
28
determining at the security computer whether it is safe for the client
computer to invoke the original function with the input, transmitting
an indicator of whether it is safe for the client computer to invoke
the original function with the input, from the security computer to
the client computer, and invoking the original function at the
client computer with the input, only if the indicator received
from the security computer indicates that such invocation is
14
safe.
1
Id. at 5:18-25 (emphasis added). The Court agrees that this passage of the specification
2
3
4
5
demonstrates that the “second function” described in the claims can be the “original function”
identified in the specification.4 See Chef Am., Inc. v. Lamb-Weston, Inc., 358 F.3d 1371, 1373
(Fed. Cir. 2004) (“These are ordinary, simple English words whose meaning is clear and
unquestionable. . . .They mean exactly what they say.”).
6
Accordingly, the Court concludes that the specification does not support Defendants’
7
8
9
argument that the first and second functions must be different. The term’s plain and ordinary
meaning governs, and no construction is necessary. See Phillips, 415 F.3d at 1312 (“[T]he words
of a claim are generally given their ordinary and customary meaning.”).
10
2. “content processor (i) for processing content received over a network, the
content including a call to a first function, and the call including an input,
and (ii) for invoking a second function with the input, only if security
computer indicates that such invocation is safe”
United States District Court
Northern District of California
11
12
13
Finjan’s Construction
Proofpoint’s Construction
14
means-plus-function under § 112, ¶ 6
15
Function: processing content received over a
network, the content including a call to a first
function, and the call including an input, and (ii)
for invoking a second function with the input, only
if security computer indicates that such invocation
is safe
16
17
18
19
no construction necessary—plain and
ordinary meaning
20
21
22
23
Structure: the algorithm performed by a web
browser running on client computer 210, 410 and
described in col. 10, l. 30 - col. 11, l. 4; as well as
shown in Fig. 3 (steps 324-335, 384-392) and
described in col. 13, l. 63 - col. 14, l. 16 and col.
14, l. 61 - col. 15, l. 3; as well as shown in Fig. 5
(steps 525-540, 585-595) and described in col. 16,
ll. 22-32, 62-67.
The disputed language appears in independent Claim 1 of the ’154 Patent. It reads:
24
25
a content processor (i) for processing content received over a
26
4
27
28
Moreover, the Federal Circuit has repeatedly warned courts that “it is the claims, not the written
description, which define the scope of the patent right.” Laitram Corp. v. NEC Corp., 163 F.3d
1342, 1347 (Fed. Cir. 1998) (“[A] court may not import limitations from the written description
into the claims.”). Here, the claims do not use “original” and “substitute” functions.
15
2
network, the content including a call to a first function, and the call
including an input, and (ii) for invoking a second function with the
input, only if a security computer indicates that such invocation is
safe;
3
’154 Patent at 17:34-38. The parties dispute whether the phrase “content processor for processing
4
. . . and for invoking” is a means-plus-function claim that must be construed under 35 U.S.C. §
5
112, ¶ 6. Defendants contend that it is. Dkt. No. 143 at 20. Section 112, ¶ 6 provides:
1
6
7
8
9
An element in a claim for a combination may be expressed as a
means or step for performing a specified function without the recital
of structure, material, or acts in support thereof, and such claim shall
be construed to cover the corresponding structure, material, or acts
described in the specification and equivalents thereof.
§ 112. Plaintiff argues that the limitation is not a means-plus-function claim and that no
construction is necessary, as a person of ordinary skill in the art would understand the term as it
11
United States District Court
Northern District of California
10
appears in the claim and in light of the specification. Dkt. No. 142 at 20.
12
To determine whether a claim invokes § 112, the Court must determine if the claim
13
limitation is drafted in the means-plus-function format. “The use of the term ‘means’ triggers a
14
rebuttable presumption that § 112, ¶ 6 governs the construction of the claim term.” Robert Bosch,
15
LLC v. Snap-On Inc., 769 F.3d 1094, 1097 (Fed. Cir. 2014) (citations omitted). There is a general
16
presumption that the limitation does not invoke § 112, ¶ 6 where the claim language does not
17
recite the term “means.” Id. The presumption is rebuttable.
18
Before this year, the presumption that § 112 does not apply when a claim term does not use
19
“means” was “a strong one that [was] not readily overcome,” see Lighting World, Inc. v.
20
Birchwood Lighting, Inc., 382 F.3d 1354, 1358 (Fed. Cir. 2004), overruled by Williamson v. Citrix
21
Online, LLC, 792 F.3d 1339 (Fed. Cir. 2015). The Federal Circuit recently clarified, however, that
22
“such a heightened burden is unjustified” and “expressly overrule[d] the characterization of that
23
presumption as strong.” Williamson, 792 F.3d at 1349. Instead, courts must ask whether “the
24
words of the claim are understood by persons of ordinary skill in the art to have a sufficiently
25
definite meaning as the name for structure.” Id. If a “term lacks the word ‘means,’ the
26
presumption can be overcome and § 112, para. 6 will apply if the challenger demonstrates that the
27
claim term fails to ‘recite sufficiently definite structure’ or else recites ‘function without reciting
28
sufficient structure for performing that function.’” Id.
16
1
Both parties agree that the word “means” does not appear in the claim language. Dkt. No.
2
142 at 20; Dkt. No. 143 at 20. Accordingly, the Court finds that the presumption against invoking
3
§ 112, ¶ 6 applies to this language. Defendants have not demonstrated that the claim term “fails to
4
recite sufficiently definite structure” or else “recites function without reciting sufficient structure
5
for performing that function” so as to overcome this presumption. See Robert Bosch, LLC, 769
6
F.3d at 1097; Williamson, 792 F.3d at 1349.
7
The term “content processor” has a sufficiently specific structure. Independent Claim 1
describes how the “content processor” interacts with the invention’s other components (the
9
transmitter and receiver), which informs the term’s structural character. ’154 Patent at 17:32-44,
10
18:7-22; see also id. at 17:45-49 (“[S]aid content processor (i) suspends processing of the content
11
United States District Court
Northern District of California
8
after said transmitter transmits the input to the security computer, and (ii) resumes processing of
12
the content after said receiver receives the indicator from the security computer.”).
13
The specification identifies where the component is located—“Gateway computer 205
14
includes a content modifier 265, client computer 210 includes a content processor 270, and
15
security computer 215 includes an inspector.” Id. at 9:8-10; see also id. at 15:33-36 (“Client
16
computer 410 includes a content processor 470, such as a web browser, which processes content
17
received from the network.”).
18
Figures 2 and 3 of the ’154 Patent are also instructive. The block diagrams illustrate the
19
content processor’s location and its relationship to other components. See Inventio AG v.
20
ThyssenKrupp Elevator Americas Corp., 649 F.3d 1350, 1358 (Fed. Cir. 2011) (holding that the
21
term was not purely functional where “the written descriptions depict the modernizing device and
22
its internal components, namely, the processor, signal generator, converter, memory, and signal
23
receiver elements” and show how the elements are connected together), overruled by Williamson,
24
792 F.3d at 1349. Unlike Williamson, where the term “module” was “simply a generic description
25
for software or hardware that performs a specified function,” see id. at 1350, here, the intrinsic
26
evidence establishes the structural character of “content processor” through its interaction with the
27
system’s other components.
28
Because the intrinsic evidence describes the term’s location and its interactions with other
17
1
components, the means-plus-function limitation does not apply. Thus, the term does not require
2
any construction beyond its plain and ordinary meaning.
The ’305 Patent
3
D.
4
The ’305 Patent, titled “Method and System for Adaptive Rule-Based Content Scanners for
5
Desktop Computers,” covers a method and system for receiving and scanning Internet content to
6
produce a diagnostic analysis of potential exploits within the mobile code. ’305 Patent 1:64-2:9.
7
The invention analyzes incoming content in terms of its programmatic behavior; this behavioral
8
analysis “is an automated process that parses and diagnoses a software program, to determine if
9
such program can carry out an exploit.” Id. at 1:66-2:3.
10
United States District Court
Northern District of California
11
1. “selectively diverting incoming content from its intended destination to said
rule-based content scanner”
13
Finjan’s Construction
no construction necessary—Plain and
ordinary meaning
14
Independent claim 1 describes:
12
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Proofpoint’s Construction
indefinite
A security system for scanning content within a computer,
comprising:
a network interface, housed within a computer, for receiving
incoming content from the Internet on its destination to an Internet
application running on the computer;
a database of parser and analyzer rules corresponding to computer
exploits, stored within the computer, computer exploits being
portions of program code that are malicious, wherein the parser and
analyzer rules describe computer exploits as patterns of types of
tokens, tokens being program code constructs, and types of tokens
comprising a punctuation type, an identifier type and a function
type;
a rule-based content scanner that communicates with said database
of parser and analyzer rules, operatively coupled with said network
interface, for scanning incoming content received by said network
interface to recognize the presence of potential computer exploits
therewithin;
a network traffic probe, operatively coupled to said network
interface and to said rule-based content scanner, for selectively
diverting incoming content from its intended destination to said
rule-based content scanner . . . .
’305 Patent 29:44-66 (emphasis added).
18
1
Although the parties agree that “selectively diverting” requires that some content “is
2
selected to be diverted from” its intended destination to the scanner, Dkt. No. 142 at 22; Dkt. No.
3
143 at 23, they dispute whether the term is indefinite in light of the specification. Defendants
4
contend that the sheer scope of the ordinary meaning of “selectively”—“when items are
5
selected”—renders the claim indefinite. For example, Defendants observe that “[t]he term
6
‘selectively’ suggests that there exists some criteria for choosing what is diverted, but provides no
7
guidance on what constitutes acceptable criteria.” Dkt. No. 143 at 11.
8
“[A] patent is invalid for indefiniteness if its claims, read in light of the specification
delineating the patent, and the prosecution history, fail to inform, with reasonable certainty, those
10
skilled in the art about the scope of the invention.” Nautilus, Inc. v. Biosig Instruments, Inc., 134
11
United States District Court
Northern District of California
9
S. Ct. 2120, 2124 (2014). “The definiteness requirement, so understood, mandates clarity, while
12
recognizing that absolute precision is unattainable.” Id. at 2129.
13
The Court concludes that the term, read in light of the intrinsic evidence, is reasonably
14
definite insofar as it informs those skilled in the art about the scope of the invention with
15
reasonable certainty. As described in Claim 1 and illustrated in Figure 9, a “network traffic probe”
16
is “operatively coupled” to both the network interface, which receives the incoming content, and
17
the rule-based scanner, which uses parser and analyzer rules to scan incoming content. ’305
18
Patent at 2:37-52. The specification describes the process for “selectively diverting.” First, the
19
“network gateway 110 [ ] acts as a conduit for content from the Internet entering into a corporate
20
intranet.” Id. at 5:43-47; Fig. 1. “Preferably, network gateway 110 checks if incoming content is
21
already resident in cache 140, and, if so, bypasses content scanner 130.” Id. at 7:36-40. Thus, if
22
the scanned content and their corresponding security profiles are in the content cache, then that
23
content is not selectively diverted to the ARB scanner. Id. Second, the pre-scanner—which “uses
24
conventional signature technology to scan content,” id. at 8:5-6—identifies whether the network
25
traffic probe should divert specific content to the ARB scanner:
26
27
28
pre-scanner 150 acts as a first-pass filter, to filter content that can be
quickly recognized as innocuous. Content that is screened by prescanner 150 as being potentially malicious is passed along to ARB
scanner 130 for further diagnosis. Content that is screened by prescanner 150 as being innocuous bypasses ARB scanner 130. It is
19
expected that pre-scanner 150 filters 90% of incoming content, and
that only 10% of the content requires extensive scanning by ARB
scanner 130.
1
2
3
Id. at 8:17-25. The passage clarifies that the network traffic probe diverts only the content that the
4
pre-scanner determines is potentially malicious, which corresponds to about 10 percent of
5
incoming content. Given this intrinsic evidence, Defendants’ contention—that it is unclear
6
whether diverting files at random or diverting every third file would constitute “selectively
7
diverting”—is unsupported. See Nautilus, 134 S. Ct. at 2123 (recognizing that “absolute precision
8
is unattainable”); Enzo Biochem, Inc. v. Applera Corp., 599 F.3d 1325, 1335 (Fed. Cir. 2010)
9
(holding that claim “not interfering substantially” was not indefinite even though the construction
“define[d] the term without reference to a precise numerical measurement”). Although the
11
United States District Court
Northern District of California
10
specification describes the invention with reference to exemplary embodiments, the cited passages
12
sufficiently define the claim’s scope: they establish that “selectively diverting” is not a subjective
13
process, but rather a defined one in which content is diverted based on the presence of potential
14
exploits.
15
Additionally, the Court agrees with Plaintiff that the claim’s use of the term “selectively
16
diverting” aligns with the term’s ordinary meaning understandable to those skilled in the art. See
17
Dkt. No. 142 at 22 (relying on expert’s testimony that “a person of ordinary skill in the art would
18
understand the meaning of the term ‘selectively diverting incoming content from its intended
19
destination to said rule-based content scanner’ with reasonable certainty . . . .” (citing Dkt. No.
20
142-1 at ¶ 47-56)); Fortinet, Inc. v. Sophos, Inc., No. C-13-5831 EMC, 2015 WL 877410, at *1
21
(N.D. Cal. Feb. 27, 2015) (holding where the ordinary meaning of claim language “is readily
22
apparent . . . claim construction in such cases involves little more than the application of the
23
widely accepted meaning of commonly understood words” (internal quotation marks and citation
24
omitted)).
25
The Court finds that the claims, viewed in light of the specifications, “inform those skilled
26
in the art about the scope of the invention with reasonable certainty,” and that the term “selectively
27
diverting” is definite. See Nautilus, 134 S.Ct. at 2129. The Court also finds that the plain and
28
ordinary meaning of “selectively diverting” is consistent with the specification and that no
20
1
construction is necessary.
The ’844 Patent
2
E.
3
The ’844 Patent, titled “System and Method for Attaching a Downloadable Security Profile
4
to a Downloadable,” facilitates the protection of computers and networks from a hostile
5
Downloadable.” ’844 Patent at 1:23-27. A downloadable application, or downloadable, is “an
6
executable application program, which is downloaded from a source computer and run on the
7
destination computer.” Id. at 1:44-47. “The network system includes an inspector for linking
8
Downloadable security profiles to a Downloadable, and a protection engine for examining the
9
Downloadable and Downloadable security profiles to determine whether or not to trust the
10
Downloadable security profiles.” Id. at 1:65-2:2. The invention provides for:
United States District Court
Northern District of California
11
a method in a first embodiment comprising the steps of receiving a
Downloadable, generating a first Downloadable security profile for
the received Downloadable, and linking the first Downloadable
security profile to the Downloadable . . . [and] a method in a second
embodiment comprising the steps of receiving a Downloadable with
a linked first Downloadable security profile, determining whether to
trust the first Downloadable security profile, and comparing the first
Downloadable security profile against the security policy if the first
Downloadable.
12
13
14
15
16
17
18
Id. at 2:49-60.
1. “linking the first Downloadable security profile to the Downloadable”
Finjan’s Construction
19
20
21
No construction
necessary—Plain and
ordinary meaning
22
23
24
25
26
27
28
Proofpoint’s Construction
creating an association from the
Downloadable to the first
Downloadable security profile,
including using a pointer from the
Downloadable to the profile or
attaching the profile to the
Downloadable
“downloadable [includes / with] a linked [first] Downloadable security
profile”
Finjan’s Construction
No construction
necessary—plain and
ordinary meaning
Proofpoint’s Construction
Downloadable [includes / with] an
association to a [first]
Downloadable security profile,
including using a pointer from the
Downloadable to the profile or
attaching the profile to the
21
1
2
3
Downloadable
The parties agree that the ’844 Patent describes “linking” as creating an association
between the Downloadable and its Downloadable security profile (“DSP”).
5
The term “linking” herein will be used to indicate an association
between the Downloadable 205 and the DSP 215 (including using a
pointer from the Downloadable 195 to the DSP 215, attaching the
DSP 215 to the Downloadable 205, etc.)
6
’844 Patent at 6:20-24. The parties disagree as to whether the construction of the term “linking”
7
or “linked” should be limited to the two examples in the specification.
4
8
The Court agrees that the ’844 patent expressly defines the term “linking,” and that “the
patentee’s lexicography must govern the claim construction analysis.” Braintree Labs., Inc. v.
10
Novel Labs, Inc., 749 F.3d 1349, 1356 (Fed. Cir. 2014). The Court finds that the definition of
11
United States District Court
Northern District of California
9
“linking” is not limited to the examples identified or even to all potential associations included in
12
the Downloadable itself. The remainder of the cited passage is instructive:
13
14
15
16
Although the signed inspected Downloadable 195 illustrates the
DSP 215 (and Downloadable ID 220) as an attachment, one skilled
in the art will recognize that the DSP 215 can be linked to the
Downloadable 205 using other techniques. For example, the DSP
215 can be stored in the network system 100, and alternatively a
pointer to the DSP 215 can be attached to the signed inspected
Downloadable 195.
17
’844 Patent at 6:13-20. The ’844 Patent does not limit the word “association” in any way. Hill-
18
Rom Servs., Inc. v. Stryker Corp., 755 F.3d 1367, 1372 (Fed. Cir.) cert. denied, 135 S. Ct. 719
19
(2014) (“Even when the specification describes only a single embodiment, the claims of the patent
20
will not be read restrictively unless the patentee has demonstrated a clear intention to limit the
21
claim scope using ‘words or expressions of manifest exclusion or restriction.’” (citation omitted)).
22
The two examples in the specification are only examples. That both examples involve creating an
23
association within the Downloadable itself (either by using a pointer or attaching the DSP to the
24
Downloadable) does not exclude all other methods of associating a Downloadable to a DSP. This
25
is especially true considering the use of “etc.” at the end of the definition. ’844 Patent at 6:24.
26
Finally, the ’844 Patent’s express definition of “linking” as “association” does not add
27
anything to the plain and ordinary meaning of “linking.” Thus, the Court concludes that the plain
28
and ordinary meaning of “linking” governs, that the term is not limited to the exemplar methods in
22
1
the definition, and that no construction is necessary.
2
IV.
3
4
5
CONCLUSION
The Court construes the disputed terms as follows:
Term
mobile protection code
Patent(s)
’633 and ’822 Patents
6
7
8
information-destination/downloadable- ’633 and ’822 Patents
information destination
9
parse tree
’408 Patent
a call to a first function . . .
[invoking/invoke/calling] a second
function
content processor (i) for processing
content received over a network, the
content including a call to a first
function, and the call including an
input, and (ii) for invoking a second
function with the input, only if security
computer indicates that such
invocation is safe
selectively diverting incoming content
from its intended destination to said
rule-based content scanner
linking/linked, as used in: Linking the
first Downloadable security profile to
the Downloadable Downloadable
[includes / with] a linked [first]
Downloadable security profile
’154 Patent
10
United States District Court
Northern District of California
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Construction
code that, at runtime, monitors
or intercepts actually or
potentially malicious code
operations
a device or process that is
capable of receiving and
initiating or otherwise hosting
a mobile code execution
a hierarchical structure of
interconnected nodes built
from scanned content
plain and ordinary meaning;
no construction necessary
’154 Patent
plain and ordinary meaning;
no construction necessary
’305 Patent
plain and ordinary meaning;
no construction necessary
’844 Patent
plain and ordinary meaning;
no construction necessary
IT IS SO ORDERED.
Dated: 12/3/2015
25
________________________
HAYWOOD S. GILLIAM, JR.
United States District Judge
26
27
28
23
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
