Finjan, Inc. v. Cisco Systems Inc.

Filing 499

REDACTED ORDER GRANTING IN PART AND DENYING IN PART CISCOS MOTION FOR PARTIAL SUMMARY JUDGMENT OF NON-INFRINGEMENT re 487 Sealed Order Granting in Part and Denying in Part Cisco's Motion for Partial Summary Judgment of Non-Infringement. Signed by Judge Beth Labson Freeman on 3/30/2020. (tshS, COURT STAFF) (Filed on 3/30/2020)

Download PDF
Redacted 1 2 3 UNITED STATES DISTRICT COURT 4 NORTHERN DISTRICT OF CALIFORNIA 5 SAN JOSE DIVISION 6 7 FINJAN, INC., Plaintiff, 8 v. 9 CISCO SYSTEMS INC., 11 United States District Court Northern District of California 10 Defendant. Case No. 17-cv-00072-BLF ORDER GRANTING IN PART AND DENYING IN PART CISCO’S MOTION FOR PARTIAL SUMMARY JUDGMENT OF NONINFRINGEMENT [Re: ECF 378] 12 Plaintiff Finjan, Inc. (“Finjan”) brings this patent infringement lawsuit against Defendant 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Cisco Systems, Inc. (“Cisco”), alleging infringement of five of Finjan’s patents directed to computer and network security: U.S. Patent Nos. 6,154,844 (the “’844 Patent”); 6,804,780 (the “’780 patent”); 7,647,633 (the “’633 patent”); 8,141,154 (the “’154 patent”); and 8,677,494 (the “’494 patent”). Cisco seeks summary judgment of non-infringement on 3 of the 5 asserted patents: the ’154 Patent, the ’633 Patent, and the ’780 Patent. Cisco also seeks summary judgment of no pre-suit damages. The Court heard oral arguments on January 9, 2020 (the “Hearing”). I. THE ACCUSED PRODUCTS The infringement allegations subject to Cisco’s motion for summary judgment primarily relate to Cisco’s Advanced Malware Protection (“AMP”) products under the following categories: (1) AMP Gateway/Cloud Products (for Enterprise) and AMP for Endpoints (collectively, “AMP Products”) and (2) Talos (or its component, and Threat Grid (collectively “Cisco Sandboxes”). Cisco Systems, Inc.’s Motion for Partial Summary Judgment (“MSJ”) at 1, ECF 3823 (redacted version filed at ECF 378); Plaintiff Finjan, Inc.’s Opposition to Defendant Cisco Systems, Inc.’s Motion for Partial Summary Judgment (“Opp’n”) at 1-2, ECF 400-4 (redacted version filed at ECF 401). The AMP Products screen incoming files that are intended for a user’s 1 device for malicious content. MSJ at 1. For the AMP Gateway Products, a requested file is processed as follows: 2 3 4 5 6 7 MSJ at 2. The AMP appliance may also send a copy of an unknown file to Cisco’s 8 9 10 “sandboxes,” known as Threat Grid and Id. AMP for Endpoints operates similarly to AMP Gateway, except it runs on client (end-user) devices instead of running at a gateway. Id. United States District Court Northern District of California 11 Finjan also accuses the “URL rewriting” feature within the Cisco E-mail Security Appliance 12 (“ESA”) with respect to the ’154 Patent only. MSJ at 2; Opp’n at 2. Cisco’s ESA products screen 13 incoming emails for malicious content before they are delivered to a user’s inbox. 14 II. LEGAL STANDARD 15 Federal Rule of Civil Procedure 56 governs motions for summary judgment. Summary 16 judgment is appropriate if the evidence and all reasonable inferences in the light most favorable to 17 the nonmoving party “show that there is no genuine issue as to any material fact and that the moving 18 party is entitled to a judgment as a matter of law.” Celotex Corp. v. Catrett, 477 U.S. 317, 322 19 (1986). Rule 56 authorizes a court to grant “partial summary judgment” to dispose of less than the 20 entire case and even just portions of a claim or defense. See Fed. R. Civ. P. advisory committee’s 21 note, 2010 amendments. 22 The moving party bears the burden of showing there is no material factual dispute, by 23 “identifying for the court the portions of the materials on file that it believes demonstrate the absence 24 of any genuine issue of material fact.” T.W. Elec. Serv. Inc. v. Pac. Elec. Contractors Ass’n, 809 25 F.2d 626, 630 (9th Cir. 1987). In judging evidence at the summary judgment stage, the Court “does 26 not assess credibility or weigh the evidence, but simply determines whether there is a genuine factual 27 issue for trial.” House v. Bell, 547 U.S. 518, 559-60 (2006). A fact is “material” if it “might affect 28 the outcome of the suit under the governing law,” and a dispute as to a material fact is “genuine” if 2 1 there is sufficient evidence for a reasonable trier of fact to decide in favor of the nonmoving party. 2 Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). In cases like this, where the nonmoving party will bear the burden of proof at trial on a 4 dispositive issue (e.g., patent infringement), the nonmoving party must “go beyond the pleadings 5 and by her own affidavits, or by the ‘depositions, answers to interrogatories, and admissions on file,’ 6 designate ‘specific facts showing that there is a genuine issue for trial.’” Celotex, 477 U.S. at 324. 7 For a court to find that a genuine dispute of material fact exists, “there must be enough doubt for a 8 reasonable trier of fact to find for the [non-moving party].” Corales v. Bennett, 567 F.3d 554, 562 9 (9th Cir. 2009). In considering all motions for summary judgment, “[t]he evidence of the non- 10 movant is to be believed, and all justifiable inferences are to be drawn in his favor.” Anderson, 477 11 United States District Court Northern District of California 3 U.S. at 255; see also Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986). 12 III. DISCUSSION The Parties’ Dispute Regarding Finjan’s Expert Reports on Infringement 13 A. 14 As an initial matter, the Court addresses a procedural dispute regarding Finjan’s expert 15 reports on infringement. Finjan’s infringement theories in this case have been the subject of 16 extensive motion practice. On April 18, 2019, Finjan moved to supplement (or amend) its 17 infringement contentions pursuant to Local Patent Rule 3-6. ECF 231. On June 11, 2019, 18 Magistrate Judge van Keulen denied Finjan’s motion and rejected its assertion that it was simply 19 adding the codenames of particular components to its previous contentions regarding the associated 20 functionality. ECF 274 at 6-7. Finjan sought relief from Judge van Keulen’s order, which this Court 21 denied on July 17, 2019. ECF 304 at 3-4. Finjan served its expert infringement reports – which 22 included the codenames in dispute – and Cisco moved to strike. ECF 312. The Court granted 23 Cisco’s motion and directed Finjan’s experts to “redraft their reports to remove the disallowed 24 terminology and Talos-only allegations, and to ensure that their opinions track the disclosures in 25 Finjan’s operative infringement contentions.” ECF 397 at 7. At the Hearing, the parties informed 26 the Court that they had not yet finalized the revised infringement expert reports. See Transcript of 27 Proceedings Before the Honorable Beth Labson Freeman on January 9, 2020 (“Hr’g Tr.”) at 49:18- 28 50:21, ECF 419. 3 As a result, the basis for Cisco’s present motion for summary judgment is Finjan’s now- 2 stricken expert reports that include the disallowed codenames. In several instances, Cisco seeks 3 summary judgment on the ground that that the accused codenames have been stricken and thus, 4 cannot be relied upon to show infringement. The Court rejects those arguments wholesale without 5 prejudice. As the Court explained at the Hearing, the Court struck certain codenames from Finjan’s 6 expert reports – but not the experts’ opinions generally. Hr’g Tr. at 50:22-51:6. The Court further 7 allowed Finjan to amend its reports and substitute the disallowed codenames with functionalities 8 that were included in Finjan’s infringement contentions. As of the date of this Order, the Court is 9 not aware of any amended expert reports. Accordingly, the Court decides on Cisco’s motion for 10 summary judgment under the assumption that the codenames used in the expert reports (and the 11 United States District Court Northern District of California 1 parties’ briefing) have a corresponding functionality in the infringement contentions and thus, are 12 still in the case. If, however, Finjan is unable to show that the functionalities corresponding to the 13 codenames were included in its operating infringement contentions, the Court would entertain that 14 dispute in a motion in limine. See Hr’g Tr. at 159:14-17. 15 16 B. Non-infringement of the ’154 Patent 1. Background of the ’154 Patent 17 The ’154 patent is directed to a system and a method “for protecting a client computer from 18 dynamically generated malicious content[.]” ’154 Patent at Abstract. Conventional reactive anti- 19 virus applications perform file scans looking for a virus’s signature against a list known virus 20 signatures kept on a signature file and thus, cannot protect against first time viruses or if a user’s 21 signature file is out of date. ’154 Patent at 1:25-31, id. at 2:32-37. Proactive anti-virus application, 22 on the other hand, use “a methodology known as ‘behavioral analysis’ to analyze computer content 23 for the presence of viruses.” Id. at 1:56-58. 24 Dynamic virus generation occurs at runtime where dynamically generated HTML contains ’154 Patent at 3:53-64. 25 malicious JavaScript code. 26 document.write() is used to generate dynamic HTML at runtime. Id. at 3:53-57. Malicious code 27 inserted in a document.write() function would not be caught prior to runtime because the malicious 28 code is not present in the content prior to runtime. Id. at 3:65-4:4. To this point, the ’154 Patent 4 For example the JavaScript function 1 concerns a “new behavioral analysis technology [that] affords protection against dynamically 2 generated malicious code, in addition to conventional computer viruses that are statically 3 generated.” Id. at 4:31-34. The basic setup of the ’154 Patent involves three components: (1) gateway computer 5 including a content modifier, (2) client computer including a content processor, and (3) security 6 computer including an inspector, a database of client security policies, and an input modifier. ’154 7 Patent at 9:5-11. A preferred embodiment describes a gateway computer that receives content 8 including a call to an original function and an input. Id. at 5:6-9. The gateway computer then 9 substitutes the call to the original function with a corresponding call to a substitute function, which 10 operates to send the input to a security computer for inspection. Id. at 5:10-15. The gateway 11 United States District Court Northern District of California 4 computer transmits the “modified content from the gateway computer to the client computer, 12 processing the modified content at the client computer.” Id. at 5:13-15. The client computer then 13 transmits “the input to the security computer for inspection when the substitute function is invoked.” 14 Id. at 5:15-17. The security computer first determines “whether it is safe for the client computer to 15 invoke the original function with the input.” Id. at 5:17-19. The security computer then transmits 16 “an indicator of whether it is safe for the client computer to invoke the original function with the 17 input,” to the client computer. Id. at 5:19-22. The client computer invokes the original function 18 “only if the indicator received from the security computer indicates that such invocation is safe.” 19 Id. at 5:22-24. 20 21 22 23 24 25 26 27 28 Claim 1 (the only asserted independent claim of the ’154 Patent) provides: A system for protecting a computer from dynamically generated malicious content, comprising: a content processor (i) for processing content received over a network, the content including a call to a first function, and the call including an input, and (ii) for invoking a second function with the input, only if a security computer indicates that such invocation is safe; a transmitter for transmitting the input to the security computer for inspection, when the first function is invoked; and a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with 5 1 the input. ’154 patent, 17:32-44. 2 3 4 The Court construed “first function / second function” as “substitute function / original function, which is different than the first function.” Order Construing Claims in U.S. Patent Nos. 6,154,844; 6,804,780; 7,647,633; 8,141,154; 8,677,494 (“Markman Order I”) at 35, ECF 134. 5 2. AMP Products 6 7 8 9 10 The non-infringement dispute raised in Cisco’s motion for summary judgment is centered on whether the AMP Products satisfy the claimed “content” that includes a “call to a first [i.e., substitute] function” as construed by the Court.1 Cisco argues that it is entitled to summary judgment as to the accused AMP Products because “AMP does not substitute calls to functions into any content that it receives.” MSJ at 5. According to Cisco, (1) 11 United States District Court Northern District of California 2) 12 13 14 Id. at 5-6. 15 16 17 infringement analysis, Cisco argues, “both the ‘substitute function’ and the ‘original function’ can exist within the content as it was originally created,” which in turn “renders the word ‘substitute’ meaningless.” Id. at 6. 18 19 20 21 Under Finjan’s Finjan responds that claim 1, under the Court’s claim construction, does “not require that the system have a gateway or a content modifier.” Opp’n at 3. Relying on that premise, Finjan argues that it has demonstrated that there is a “substitute” function (or first function) which is different from the “second function.” Id. The allegedly infringing example that Finjan provides is that “there 22 are scenarios where the hacker or some other process modifies the original content by inserting a 23 substitute function in place of the original function.” Id. (citing Expert Report of Michael 24 Mitzenmacher, Ph.D. Regarding Infringement by Cisco Systems, Inc. of Patent Nos. 6,804,780 and 25 26 27 28 In its moving papers, Cisco argued that Finjan’s infringement expert, Dr. Mitzenmacher, relied on an incorrect interpretation of the Court’s claim construction. MSJ at 4-5. As the briefing progressed, however, it appears that the parties no longer present a claim construction dispute. See Opp’n at 4, Reply at 2, Hr’g Tr. at 57:1-20, ECF 419. Thus, the Court need not address this argument. 6 1 1 8,141,154 (“Mitz. Rpt”) ¶ 1934, ECF 400-6). At the Hearing, Finjan provided the same example. 2 See Hr’g Tr. at 59:19-25. 3 The Court is not persuaded by Finjan’s arguments because they are inconsistent with the 4 patent’s specification and the Court’s Markman Order. Under Finjan’s theory, the “substitute 5 function” can be supplied by an external actor (e.g., a hacker) outside the control of any accused 6 product. See Hr’g Tr. at 63:13-18. This theory is contrary to how the ’154 Patent describes the 7 invention. According to the ’154 Patent’s own language: 8 9 10 United States District Court Northern District of California 11 12 13 14 To enable the client computer to pass function inputs to the security computer and suspend processing of content pending replies from the security computer, the present invention operates by replacing original function calls with substitute function calls within the content, at a gateway computer, prior to the content being received at the client computer. ’154 Patent at 4:55-60 (emphasis added). It is the “invention” that replaces the “original” function with a “substitute” function – not an external factor such as a hacker. As Judge Alsup explained in Finjan’s case against Juniper, a “substitute function” supplied by an external system “ultimately amounts to the original content initially received by the claimed system” and not a “substitute” 15 function. Finjan, Inc. v. Juniper Networks, Inc., No. C 17-05659 WHA, 2019 WL 3302717, at *2 16 (N.D. Cal. July 23, 2019). 17 18 19 20 21 22 23 24 25 26 Finjan’s “hacker” theory is also inconsistent with the Court’s construction of “first function/second function.” It is true that claim 1 does not recite or claim a “gateway that modifies content.” See Markman Order I at 38. But, in construing “first function” to mean “substitute function,” the Court acknowledged that the content received by the “content processor” includes a call to “substitute function” — which replaced the “original function” at the (unclaimed) gateway. See Markman Order I at 38 (“[T]he specification clearly discloses a content modifier in the gateway that modifies original content to replace the original function with the substitute function.”) (citing ’154 Patent at 9:13–28). The Court explained that “a person of ordinary skill in the art would understand that the ‘first function’ corresponds to the substitute function in light of the claim language and the specification.” Markman Order at 38. Thus, the Court’s claim construction 27 28 7 1 requires the “original function” be replaced by the “substitute function.”2 To hold otherwise, renders 2 the word “substitute” in the Court’s construction meaningless. To support its position, Cisco cites to Judge Alsup’s decision in Finjan’s case against 4 Juniper, finding that the “the substitute function exists only after the original content is modified at 5 the gateway computer.” Finjan, Inc. v. Juniper Networks, Inc., 387 F. Supp. 3d 1004, 1011 (N.D. 6 Cal. 2019) (citing ’154 Patent at 9:13–28). To be clear, Judge Alsup was tasked with construing the 7 term “content processor” – which this Court had no occasion to construe. See id. at 1010-13. That 8 said, the Court finds Judge Alsup’s analysis well-reasoned and supported by the ’154 Patent’s 9 specification explaining that “the present invention operates by replacing original function calls with 10 substitute function calls within the content, at a gateway computer, prior to the content being 11 United States District Court Northern District of California 3 received at the client computer.” ’154 Patent at 4:55-60. In addition, the Court finds Finjan’s “hacker” theory contrary to the Federal Circuit’s 12 13 understanding of claim 1. The Federal Circuit explained: The ’154 patent has four independent claims (1, 4, 6, and 10), each reciting a system or software program that executes a substitute function. The substitute function inspects the input to an original function to determine if executing the original function with the input violates a security policy. … In the language of the ’154 patent, the “first function” is the inspection step in which the content is assessed for safety, and the “second function” is when, having been deemed safe, the content is actually run. 14 15 16 17 18 19 20 21 22 Palo Alto Networks, Inc. v. Finjan, Inc., 752 F. App’x 1017, 1018 (Fed. Cir. 2018). The Court is not persuaded that a hacker’s code “inspects the input” to “determine if executing the original function with the input violates a security policy” or operate as “the inspection step.” See id.3 In sum, the Court finds that Finjan’s “hacker” infringement theory fails to meet the requirements of 23 24 25 26 27 28 2 The Court notes that in its case against Proofpoint, Finjan made such an argument to address claim construction of the same disputed term (i.e., first function/second function). See Finjan, Inc., v. Proofpoint, Inc., No. 13-CV-05808-HSG, 2015 WL 7770208, at *8 (N.D. Cal. Dec. 3, 2015) (“Plaintiff notes that . . . the original function is replaced by the substitute function at the gateway, before the security computer receives the content.”) (emphasis in original). The Court notes that Judge Alsup similarly rejected Finjan’s “hacker” theory. See Finjan, Inc. v. Juniper Networks, Inc., 2019 WL 3302717, at *2. 3 8 1 claim 1. Next, Finjan asserts that there are other disputed issues of fact that preclude summary 2 3 judgment. Opp’n at 5. The Court addresses and rejects each purported dispute below. First, Finjan argues that “Cisco’s non-infringement arguments for the AMP Products only 5 address when the AMP Cloud is the identified security computer, such that Cisco is not seeking 6 summary disposition for AMP Products in combination with Threat Grid and 7 they are the security computer.” Opp’n at 4-5. Cisco responds that it, in fact, “seeks summary 8 judgment on all accused products, and the identity of the ‘security computer’ is irrelevant to the 9 issues” because “the AMP Products never receive ‘content’ with a call to a substitute function” – 10 irrespective of what Finjan accuses as the “security computer.” Cisco Systems, Inc.’s Reply in 11 United States District Court Northern District of California 4 Support of Its Motion for Partial Summary Judgment (“Reply”) at 1, ECF 407-3 (redacted version 12 filed at ECF 408). The Court agrees with Cisco. As discussed above, Finjan has not identified 13 “content” including “a call to a substitute function” in the AMP Products – making the identity of 14 the security computer irrelevant. and when 15 Second, Finjan claims that Cisco’s declarants4 and Finjan’s expert disagree as to whether 16 AMP Products substitute functions. Without explaining how Dr. Mitzenmacher’s cited examples 17 show that AMP “substitutes calls into the content that it receives,” Finjan string cites to several 18 paragraphs in Dr. Mitzenmacher’s expert report and his deposition transcript. See Opp’n at 5 (citing 19 Mitz. Rpt ¶¶ 1678, 1917, 1919, 2001-2004; see also Ex. 3, 8/30/19 Mitz. Tr. at 110:21-111:13). 20 Cisco replies that “those paragraphs do not explain how a call to any function was substituted into 21 the content, nor how any such call results in transmitting an input to a security computer for 22 inspection, and ¶¶1917 and 1919 do not even relate to AMP.” Reply at 3. The Court agrees with 23 4 24 25 26 27 28 In support of its motion for summary judgment, Cisco relies on declarations from 8 of its employees, describing the operation and features of Cisco’s products. See ECF 382-11, ECF 38213, ECF 382-15, ECF 382-17, ECF 382-19, ECF 382-21, ECF 382-23, ECF 382-25. Finjan criticizes Cisco’s reliance on those fact declarations because the declarants “did not appear to have read or understood the ‘154 Patent and the Court’s Claim Construction[.]” Opp’n at 5. Cisco responds that the declarations simply cover “product operation [that] is undisputed in all material respects.” Reply at 1. The Court is not aware of any authority (and Finjan has not cited to any) that would prohibit Cisco from relying on fact witnesses’ testimony regarding the operation of its products – and thus, rejects Finjan’s complaints regarding the employee declarations. 9 1 Cisco. Paragraphs 1917 and 1919 of Dr. Mitzenmacher’s report discuss Cisco’s ESA with Outbreak 2 Filters and not AMP Products. See Mitz. Rpt ¶¶ 1917, 1919. The remaining cited paragraphs simply 3 name various features as “substitute function” but fail to describe (and so does Finjan in its 4 Opposition brief) how AMP Products do any sort of substitution. See Mitz. Rpt ¶¶ 1678, 2001- 5 2004. As for Dr. Mitzenmacher’s deposition testimony, he testified: 6 10 Q. Do you think -- let me strike that. Is it your opinion that a Cisco product reading content could insert a function into the content? … A. I’m not exactly clear what you’re meaning, but in the manner I described, like, it is, you know, changing the interpretation of a function to do something other than what the function would be doing without the Cisco product. So it’s inserting something in the process somewhere, so I would view that as a -- a change in the interpretation of the content. 11 Transcript of Videotaped Deposition of Michael Mitzenmacher Ph.D. (“Mitz. Dep.”) at 111:14-25, 12 ECF 400-10. Finjan fails to explain how and why Dr. Mitzenmacher’s testimony regarding “change 13 in the interpretation of the content” means that AMP Products substitute calls into the content they 14 receive. Finjan relies on an implausible inference from Dr. Mitzenmacher’s testimony that it fails 15 to explain in sufficient detail for the Court to credit its argument. 7 8 United States District Court Northern District of California 9 16 Third, Finjan argues that “Dr. Mitzenmacher provides examples of first functions that the 17 AMP Products receive.” Opp’n at 5 (citing Mitz. Rpt ¶¶ 1934-1947, 1966, 1996-98, 2042, 2046- 18 47). Cisco replies that “none of those paragraphs explain how a call to any of the functions he 19 identifies was substituted into the content, much less how it would result in transmitting an input to 20 a security computer for inspection, when invoked.” Reply at 3. Again, the Court agrees with Cisco. 21 First, to the extent the string cited paragraphs relate to Finjan’s theory that a hacker (or other 22 malicious content) provides the substitute function, the Court has rejected that theory. 23 remaining paragraphs appear to discuss generally the AMP Products receiving “a call to a first 24 function” but do not explain how the AMP Products supply the “substitute function.” See Mitz. Rpt 25 ¶¶ 1966, 1996-98, 2042, 2046-47. The 26 Fourth, Finjan argues that there is material dispute as to whether AMP Products only send 27 hash values to the AMP Cloud – as opposed to other inputs such as URLs. Opp’n at 5 (citing Mitz. 28 Rpt ¶¶ 2043-45). Cisco replies that “[w]hatever the ‘AMP Cloud receive[s]’ does not impact 10 1 whether a substitute function call in the received content sends the input to the AMP Cloud when 2 invoked, which is the issue.” Reply at 3. The Court agrees. The issue is whether the AMP products 3 receive content including a call to a “substitute function” as construed by the Court – not the type 4 of content AMP receives. *** 5 6 Accordingly, the Court finds that Finjan has failed to identify any material disputed facts as 7 to the AMP Products. Cisco’s Motion for Summary Judgment is GRANTED with respect to non- 8 infringement of the asserted claims of the ’154 Patent by AMP Products. 9 10 3. Email Security Appliance a. URL Rewriting United States District Court Northern District of California 11 Uniform resource locator (“URL”) rewriting is a feature of Cisco’s Outbreak Filters, 12 available on Cisco’s ESA or Cloud Email Security (“CES”). MSJ at 8; see also Mitz. Rpt ¶ 2130. 13 The parties do not dispute the overall functionality of URL rewriting – when Outbreak Filters 14 receive an incoming email, they may “rewrite” a URL within the received email, where the rewritten 15 URL includes an additional address to a Cisco proxy server. Declaration of Don Owens in Support 16 of Cisco Systems, Inc.’s Motion for Partial Summary Judgment (“Owens Decl.”) ¶¶ 4, 6-7, ECF 17 382-21; Mitz. Rpt ¶ 2130. Once the user clicks on the rewritten URL, the user’s request will flow 18 through the proxy server and be evaluated for potentially malicious content. Owens Decl. ¶¶ 8, 10- 19 12; Mitz. Rpt ¶ 2130; see also Hr’g Tr. at 72:9-15. 20 Cisco acknowledges that Finjan “identifies some sort of ‘substitution’” as to the URL 21 rewriting feature – namely, the rewritten URL is a substitute for the original URL. MSJ at 7. Still, 22 Cisco argues that Finjan’s infringement theories fail because “Finjan cannot satisfy the requirements 23 of claim 1 that the ‘incoming content’ have (i) a call to a first function, (ii) a second function (which 24 is different than the first function), and (iii) an ‘input’ that is the same for both.” Id. According to 25 Cisco, Finjan’s infringement theory amounts to the original URL (e.g., cnn.com) corresponding to 26 “original function,” and “input to the original function” – while the rewritten URL must satisfy both 27 the “substitute function” and “the call to the substitute function.” Id. at 7-8. Moreover, Cisco argues 28 that a URL is simply an address and thus, is neither a function nor a call to a function. Id. at 8. 11 Finjan responds that its expert “identified a mountain of evidence demonstrating that Cisco’s 2 ESA receives content with a call to a first (substitute) function, which complies with the Court’s 3 claim construction.” Opp’n at 7 (citing Mitz. Rpt at ¶¶ 2115-2214). Specifically, Finjan identifies 4 (1) emails as received “content”, (2) the processing of the rewritten URL as “call to first function”, 5 (3) URL address to the original content (e.g., cnn.com) as “input” sent to the security computer, and 6 (4) the call to “http://” which calls a “GET” function to process a URL address as the “original 7 function” invoked when the security computer determines that the input is safe. Opp’n at 7 (citing 8 Mitz. Rpt ¶¶ 2130, 2122, 2311, 2335, 2340, 2347-48, 2154). Finjan further argues that Cisco 9 “confuses and conflates the original URL address (i.e., youtube.com) with a call to process the 10 rewritten function (http://secure-web.cisco.com/auth=).” Opp’n at 8. According to Finjan, the latter 11 United States District Court Northern District of California 1 “calls functionality on the identified security computer to perform an authentication and provide a 12 response.” 13 The Court finds that the parties’ dispute concerning the manner in which Cisco’s URL 14 rewriting feature utilizes URL functionality precludes summary judgment. Specifically, the parties 15 dispute whether a URL (or a portion thereof) can be a “function,” or a “call to function” – with 16 Cisco arguing that URLs are nothing more than addresses and Finjan responding that the processing 17 of a URL can be a function. Rendering all inferences in Finjan’s favor, a reasonable jury could find 18 that “http://” (calling a GET function) satisfies the “original function” claimed because it is invoked 19 when the security computer determines that the input (original URL such as cnn.com) is safe or that 20 the processing of the rewritten URL is a “call to first function.” Id. *** 21 22 Cisco’s motion for summary judgment is accordingly DENIED with respect to the non- 23 infringement of the asserted claims of the ’154 Patent by the URL rewriting feature of the ESA 24 Outbreak Filters. 25 26 b. Next, Cisco challenges Finjan’s theory that 27 “content processors.” MSJ at 10-11. Cisco argues that 28 including the rewritten URL” and “neither proxy servers are the claimed “do not receive any content accesses the Internet to retrieve the 12 resource identified by the original URL.” Id. at 11 (citing Owens Decl. ¶¶ 8, 10, 11). Finjan 2 disagrees and argues that 3 receive the rewritten URL and the rewritten URL is “content” received by Cisco’s ESA. Opp’n at 4 11. Finjan further argues that because “ 5 to receive the URLs,” Cisco’s argument on “whether 6 is beside the point.” Id. Cisco replies that Finjan contradicts itself because it has identified “emails” 7 as the received “content” but now claims that the rewritten URL itself is the “content.” Reply at 6. 8 The Court agrees with Cisco. In its infringement theory as to Cisco’s ESA, Finjan has 9 identified “email” as the “content” received by the content processor. See Opp’n at 7 (“Cisco’s ESA 10 offerings infringes the ‘154 Patent because they receive content (which for the ESA are emails) 11 United States District Court Northern District of California 1 ….”) (emphasis added), see also Hr’g Tr. at 72:6-7. The claim requires “a content processor (i) for 12 processing content received over a network, the content …,” meaning the content processor must 13 receive the “content”, which in this scenario is “email” – not the rewritten URL and not “content in 14 some form” as Finjan now argues. See Opp’n at 11. The Court concludes that Finjan has failed to 15 demonstrate that 16 motion for summary judgment of non-infringement as to 17 processors.” 18 19 C. “must, by definition, receive content” because they must receive content in some form in order receive email streams directly receive “content” (i.e., email) and therefore GRANTS Cisco’s accused as “content Non-infringement of the ’633 Patent 1. Background of the ’633 Patent 20 The ’633 Patent is directed to a system and method “for protecting network-connectable 21 devices from undesirable downloadable operation.” ’633 Patent at 1:30-33. The specification 22 explains that conventional virus protection programs fail to protect against certain types of viruses. 23 Id. at 1:58-59. These include Downloadable information comprising program code that can include 24 distributable components (e.g., Java applets, JavaScript scripts, ActiveX controls, Visual Basic add- 25 ins, or others) or application components (e.g., Application programs, Trojan horses, or multiple 26 compressed program). Id. at 1:60-66. To that end, the ’633 Patent “provides protection systems 27 and methods capable of protecting a personal computer . . . from harmful, undesirable, suspicious 28 or other ‘malicious’ operations that might otherwise be effectuated by remotely operable code.” Id. 13 1 at 2:20-25. In one embodiment of the invention, one or more “servers” (e.g., firewalls, resources, 3 gateways, email relays or other devices/processes that are capable of receiving and transferring a 4 Downloadable) determine whether the received information includes executable code (and is a 5 “Downloadable”). ’633 Patent at 2:39-44. The servers can then deliver “static, configurable and/or 6 extensible remotely operable protection policies to a Downloadable-destination, more typically as a 7 sandboxed package including [a] mobile protection code, downloadable policies and one or more 8 received Downloadables.” Id. at 2:45-49. Once the mobile protection code is received, it can be 9 executed within the Downloadable-destination “in a manner that enables various Downloadable 10 operations to be detected, intercepted or further responded to via protection operations.” Id. at 2:49- 11 United States District Court Northern District of California 2 55. Claim 14, the only asserted claim of the ’633 Patent5, provides: 12 13 14. A computer program product, comprising a computer usable medium having a computer readable program code therein, the computer readable program code adapted to be executed for computer security, the method comprising: 14 15 providing a system, wherein the system comprises distinct software modules, and wherein the distinct software modules comprise an information re-communicator and a mobile code executor; 16 17 18 receiving, at the information re-communicator, downloadable-information including executable code; and 19 causing mobile protection code to be executed by the mobile code executor at a downloadable-information destination such that one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code. 20 21 22 Claim 14, ’633 Patent (disputed element bolded). 23 2. The Requirements of the Claimed Mobile Protection Code (“MPC”) 24 The dispute at summary judgment is limited to the Cisco items Finjan has identified as MPC 25 (namely: 26 27 28 At the time Cisco filed its motion for summary judgment, claims 1, 8, and 13 of the ’633 Patent were also asserted. Per the parties’ later stipulation, however, Finjan no longer asserts claims 1, 8 and 13. See ECF 388. 14 5 ” – all components of Threat Grid and 1 2 MSJ at 15; Opp’n at 14.6 3 Cisco argues that claim 14 requires an MPC that “(1) is transmitted; (2) is executable; and 4 (3) monitors or intercepts code operations” – and none of the accused products identified by Finjan’s 5 expert satisfies all three requirements. MSJ at 11, 15-16. Finjan does not contest the latter two 6 requirements, but responds that “Claim 14 of the ‘633 Patent has no explicit requirement that MPC 7 be ‘transmitted’ or ‘communicated’ with the downloadable-information.” Opp’n at 12. At the 8 Hearing, Finjan clarified its position and explained: (1) claim 14 does not require transmission and 9 (2) even if it did, installation of software satisfies that element. Hr’g Tr. at 100:20-24. Finjan further 10 argues that all products accused as MPC meet the claim requirements. United States District Court Northern District of California 11 Neither the language of claim 14 nor the Court’s construction of MPC requires MPC to be 12 transmitted. First, there can be no dispute that “transmission” does not appear in claim 14. Other 13 claims of the ’633 Patent, notably, claims 1, 8, and 13 – which are no longer asserted in this case – 14 require MPC to be transmitted or communicated. See ’633 Patent, Claim 1 (“… transmitting from 15 the computer mobile protection code to at least one information destination of the downloadable- 16 information, …”) (emphasis added); id., Claim 8 (“… for causing mobile protection code (‘MPC’) 17 to be communicated by the computer …”); id., Claim 13 (“…means for causing mobile protection 18 code to be communicated to at least one information-destination …”) (emphasis added). Claim 14 19 contains no such language, leading to the presumption that its scope differs from that of claims 1, 8 20 and 13. See Curtiss-Wright Flow Control Corp. v. Velan, Inc., 438 F.3d 1374, 1380 (Fed. Cir. 2006) 21 (recognizing the “presumption that each claim in a patent has a different scope”). Second, the Court construed “mobile protection code” as “code that, at runtime, monitors or 22 23 24 25 26 27 28 In its opening brief, Cisco also challenged Finjan’s theory as to AMP Gateway Products transmitting MPC to Cisco sandbox using APIs. See MSJ 13-14. Cisco argued that 6 and API calls are not MPC because they are not executable. MSJ at 14. Finjan responds that it “disagrees with Cisco’s arguments regarding APIs” but nonetheless, those arguments are “irrelevant because Finjan has not identified RESTful APIs as MPC[.]” Opp’n at 13. Because the parties appear to not dispute this issue, the Court need not address Cisco’s arguments regarding APIs. 15 1 intercepts actually or potentially malicious code operations without modifying the executable code, 2 where the mobile protection code itself must be executable.” See Order Granting Cisco’s Motion 3 for Reconsideration of the Court’s Order Construing Additional Claims at 1, ECF 247. Specifically, 4 the Court rejected Cisco’s request to include the term “mobile” in the construction. See Order 5 Construing Additional Claims in U.S. Patent Nos. 6,154,844; 6,804,780; 7,647,633 (“Markman 6 Order II”) at 4-6, ECF 173. Thus, to the extent Cisco asserts that the term “mobile” in “mobile 7 protection code” requires the MPC to be transmitted, the Court’s construction imposes no such 8 requirement. Cisco relies on Finjan’s arguments at claim construction and this Court’s order in Finjan’s 10 case against Blue Coat (where the Court construed a related term) to argue that claim 14 requires 11 United States District Court Northern District of California 9 “some form of communication” – which pre-installation of software cannot satisfy. See Hr’g Tr. at 12 114:4-6; MSJ at 13; see also Finjan, Inc. v. Blue Coat Sys., Inc., No. 13-CV-03999-BLF, 2014 WL 13 5361976, at *5 (N.D. Cal. Oct. 20, 2014). The Court is not persuaded. First, the Court carefully 14 considered the parties’ arguments at claim construction and elected not to include the term “mobile” 15 (let alone, “transmitted” or “communicated”) in the construction of MPC and sees no reason to 16 revisit or modify its construction. See Markman Order II at 4-6. Second, one of the embodiments 17 described in the ’633 Patent contemplates a scenario were MPC elements are installed on a 18 destination device prior to loading the Downloadable. See ’633 Patent, Fig. 11; see also id. at 19:65- 19 20. Accordingly, the Court rejects Cisco’s non-infringement arguments to the extent that they 20 require the components Finjan identifies as MPC to be “transmitted” or “communicated.” 21 With that in mind, the Court now turns to each accused components identified as MPC and 22 the parties’ arguments as to whether they are “executable” and “at runtime, monitor[] or intercept[] 23 actually or potentially malicious code operations without modifying the executable code.” 24 25 3. Kernel Monitor Cisco does not contend in this motion that (or 26 analogous component in ) is not executable code or that it does not monitor or intercept 27 actually or potentially malicious code operations without modifying the executable code. See MSJ 28 at 11. Thus, Cisco’s only non-infringement argument regarding kernel monitor is that it is “not 16 1 mobile” because “ d” and thus is not transmitted. 2 MSJ at 15. Finjan responds that transmittal is not a requirement of claim 14 and even if it were, 3 “Cisco’s ’ still infringes because it is necessarily transmitted when 4 5 ” Opp’n at 6 14 (citing Expert Report of Nenad Medvidovic, Ph.D. Regarding Infringement By Cisco Systems, 7 Inc. of Patent No. 7,647,633 (“Medvidovic Rpt.”) ¶¶ 635, 659, ECF 400-8). 8 As the Court explained above, claim 14 does not require MPC to be transmitted or 9 communicated. Accordingly, the Court DENIES Cisco’s motion for summary judgment as to kernel 10 United States District Court Northern District of California 11 monitor. 4. 12 As for the remaining accused components, Cisco argues that Finjan fails to demonstrate that 13 they satisfy both requirements for the claimed MPC – specifically, that they (1) are executable and 14 (2) monitor or intercept actually or potentially malicious code operations without modifying the 15 executable code. See MSJ at 15-16. Finjan responds that “[e]ach identified MPC is used to create 16 and generate the virtual machines, which are used to monitor and intercept malicious computer 17 18 operations resulting in a report, thereby comporting with the Court’s construction of MPC.” Opp’n at 15. Finjan goes on to cite to its expert’s report, Cisco’s internal documents, and various technical 19 depositions to describe each of the accused components and why they satisfy the MPC requirements. 20 21 See Opp’n at 15-18. Cisco’s main objection to Finjan’s theory is that even if “these [accused] items can configure, generate or create a 22 , the claim requirements are not satisfied because the MPC itself must be the 23 executable code that at runtime monitors/intercepts actual or potentially malicious code operations 24 25 26 27 (as construed by the Court). Reply at 9. Cisco insists that it is the that does the monitoring. Id. Finjan concedes that the accused components themselves do not monitor – but argues that they Hr’g Tr. at 108:6-13 28 17 1 The Court is not persuaded that Finjan’s theory is inconsistent with the Court’s construction 2 of MPC. To be sure, Finjan’s theory appears to be one step removed from MPC as construed – but 3 the Court’s construction did not specify (and the parties did not ask the Court to do so) how the 4 MPC monitors or intercepts malicious code. 5 components monitor or intercept malicious code A reasonable jury may find that the accused 6 – satisfying the requirements for MPC. That said, the 7 Court has reviewed the voluminous (and largely unhelpful) evidence cited by Finjan to determine 8 whether it has pointed to any evidence that when viewed in the light most favorable to Finjan, would 9 create a triable issue of fact regarding the The Court’s analysis for each component is summarized below. 10 Finjan cites to testimony from Cisco’s fact witness, Dean de Beer, and argues United States District Court Northern District of California 11 12 that 13 Opp’n at 15 (citing Transcript 14 15 of Videotaped Deposition of Dean de Beer (“de Beer Dep.”) at 69:11-20, ECF 400-18 16 ). Cisco concedes that 17 18 . MSJ at 15. Cisco also agrees that Reply at 9. Accordingly, the Court is persuaded that a reasonable jury could agree with 19 20 Finjan that 21 the requirements for MPC. 22 and thus satisfies Finjan cites to an internal Cisco presentation and argues that 23 24 Opp’n at 16 (citing ECF 400-20 at CISCO-FINJAN_00204768.0004). The cited 25 Cisco presentation states that 26 ECF 400-20 at CISCO-FINJAN_00204768.0004. Finjan fails to explain what 27 28 . The remaining string cited evidence also fail to shed any light as to how 18 . Accordingly, 1 2 3 the Court finds that Finjan has failed to identify any triable issues of fact as to . None of Finjan’s cited evidence supports Finjan’s assertion that 4 See Opp’n at 16. 5 6 For example, Finjan cites to Cisco’s fact witness testimony, reproduced below: 7 8 9 10 de Beer Dep. at 72:5-8. Finjan also cites to Dr. Medvidovic’s report, where he identifies as MPC without any explanation. See Medvidovic Rpt at ¶ 4332. The cited testimony 11 United States District Court Northern District of California from Mr. Brozefsky’s deposition (another Cisco fact witness) and the cited internal Cisco document 12 – and it is unclear appear to be describing the overall architecture of Threat Grid and 13 (and Finjan fails to explain) how they relate to application launch scripts or whether application 14 15 launch scripts create virtual machines – let alone monitor or intercept anything. See Transcript of Videotaped Deposition of Craig Brozefsky (“Brozefsky Dep.”) at 24:16-25:8, ECF 400-32; ECF 16 400-26 at CISCO-FINJAN_00074535.00010, 19, 20. The Court is not persuaded that Finjan has 17 18 identified any material triable issue of fact with respect to Finjan has failed to cite to evidence to support that 19 20 Finjan appears to be citing to evidence describing (not accused as MPC) instead of ” (accused as MPC). See 21 as MPC and Medvidovic Rpt ¶ 4332 (identifying 22 as “mobile code executor”). The cited testimony from Mr. Brozefsky identifies 23 Brozefsky 24 Dep. at 38:16-20. This is consistent with Mr. Brozefsky declaration that 25 26 Declaration of Craig Brozefsky in 27 Support of Cisco Systems, Inc.’s Motion for Partial Summary Judgment (“Brozefsky Decl.”) ¶ 10, 28 19 1 ECF 382-11. The Court is not persuaded that Finjan has identified any material issues of fact as to 2 whether 3 Court’s construction. (a data structure) is executable code – a requirement for MPC under the Finjan simply argues that 4 is “executable code because it is in the programming language and monitor or intercepts potentially malicious computer 5 6 operations by creating a virtual environment in Opp’n at 17 (citing Medvidovic Rpt ¶ 7 4341, ECF 400-34 at CISCO-FINJAN_00000721.0002). The cited evidence, however, does not 8 support Finjan’s assertion. The cited Cisco document provides: 9 10 United States District Court Northern District of California 11 12 ECF 400-34 at CISCO-FINJAN_00000721.0002. Dr. Medvidovic references the same Cisco 13 document and makes no mention of creating a virtual environment. See Medvidovic Rpt ¶ 4341. 14 Finjan has not pointed to any evidence that 15 environment. Thus, Finjan has failed to identify a triable issue of fact as to Opp’n Finjan argues that 16 17 is executable code or that it creates a virtual at 17 (citing Medvidovic Rpt.¶ 461). Finjan further argues that lly 18 Opp’n at 18 (citing 19 400-36 at CISCO-FINJAN_00272162.0008). Cisco does not meaningfully dispute Finjan’s claims 20 but argues that Finjan has no evidence that the commands actually used in Cisco’s 21 opposed to the general universe of commands noted in the 22 that Finjan relies on. Reply at 11. Cisco might be correct – but the dispute is a factual one and not 23 properly subject to summary judgment. (as Finjan cites) are those *** 24 For the reasons stated above, the Court GRANTS Cisco’s motion for summary judgment as 25 ” accused 26 to 27 as MPC. The Court DENIES Cisco’s motion for summary judgment as to 28 20 5. Estoppel under Doctrine of Equivalents 1 “[P]rosecution history estoppel limits the broad application of the doctrine of equivalents by 2 barring an equivalents argument for subject matter relinquished when a patent claim is narrowed 3 4 during prosecution.” Conoco, Inc. v. Energy & Envtl. Int’l, L.C., 460 F.3d 1349, 1363 (Fed. Cir. 2006). The Federal Circuit recognizes that “prosecution history estoppel can occur during 5 prosecution in one of two ways, either (1) by making a narrowing amendment to the claim 6 7 (‘amendment-based estoppel’) or (2) by surrendering claim scope through argument to the patent examiner (‘argument-based estoppel’).” Id. Cisco argues that both occurred here. As an initial 8 matter, the Court notes that the briefing on this issue is sparse. For example, it is unclear which 9 specific DOE theories Cisco seeks to preclude under the amendment-based estoppel theory. In any 10 event, the Court endeavors to address the issues presented. United States District Court Northern District of California 11 12 13 14 15 16 17 18 First, Cisco argues that “all claims originally submitted by Finjan were rejected, and then Finjan amended each limitation to which it now applies the DOE.” MSJ at 16. According to Cisco, because “claim 14 was narrowed by amendment for a reasons related to patentability (to overcome the prior art and 101 rejections), there is a presumption that DOE is not available to claim 14[.]” Reply at 12. Finjan responds that “amendments did not introduce new components nor change the scope of the claims” and therefore “there was no surrendering of scope.” Opp’n at 20. Where claims are amended, “the inventor is deemed to concede that the patent does not extend as far as the original claim,” and the patentee has the burden of showing that the amendment 19 does not surrender the particular equivalent in question. Festo Corp. v. Shoketsu Kinzoku Kogyo 20 Kabushiki Co., 535 U.S. 738, 740 (2002). To succeed, then, the patentee must establish that: (1) the 21 equivalent was unforeseeable at the time the claim was drafted; (2) the rationale underlying the 22 amendment bears no more than a tangential relation to the equivalent in question; or (3) the patentee 23 could not reasonably be expected to have described the insubstantial substitute in question. Id. at 24 740–41. 25 26 27 28 21 1 The amendments to claim 14 (claim 30 at prosecution) are reproduced below: 2 3 4 5 6 7 8 9 10 United States District Court Northern District of California 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ECF 378-19 at FINJAN-CISCO 000890 (amendments underlined and struck through). This amendment was in response to the Office Action dated February 25, 2009, where the examiner rejected claim 14 (claim 30 at prosecution) under 35 U.S.C. § 101 and under 35 U.S.C. 102(e) as being anticipated by Golan, U.S. Patent 5,974,549. See ECF 378-18 at FINJAN-CISCO 000910, 11. “If a claim is narrowed for any reason related to patentability, ‘the inventor is deemed to concede that the patent does not extend as far as the original claim.’” Quintal Research Grp., Inc. v. Nintendo of Am., Inc., No. C 13-00888 SBA, 2015 WL 4396464, at *11 (N.D. Cal. July 17, 2015) (quoting Festo, 535 U.S. at 722, 737-38). Thus, a narrowing amendment may occur when a preexisting claim limitation is narrowed by amendment or when a new claim limitation is added by amendment. AngioScore, Inc. v. TriReme Med., Inc., 50 F. Supp. 3d 1276, 1301 (N.D. Cal. 2014) (citation and quotation marks omitted). Here, the overall claim was narrowed because claim limitations were added. Accordingly, the Court agrees with Cisco that the amendment was a narrowing one to overcome a patentability challenge. Next, the Court must consider whether Finjan has rebutted the presumption that it surrendered the equivalent in question. Cisco has not identified the specific equivalent for which it seeks summary judgment. To the extent Cisco is arguing that Finjan’s amendment surrendered equivalents of MPC – due to the rejection based on the Golan reference – the Court is not persuaded. 22 Finjan argues that the amendments were not due to the Golan reference because “Finjan identified 2 the same claim element that existed before the amendment (and, aside from the grammatical change 3 after the amendment) as not being taught by Golan and the examiner agreed.” Opp’n at 20 (citing 4 ECF 378-17 at FINJAN-CISCO 001021). The Court agrees. The element that contains the MPC 5 limitation had no more than a grammatical change and thus the amendment bears “no more than a 6 tangential relation” to the MPC element. See Festo, 535 U.S. at 740. Moreover, it appears that 7 Finjan overcame the Golan rejection by argument – not by amendment. Thus, the Court DENIES 8 Cisco’s motion for summary judgment on the basis of amendment-based estoppel of Finjan’s DOE 9 theories regarding MPC. To the extent that Cisco seeks summary judgment on other DOE theories 10 (unrelated to MPC) the Court finds that the issue is not adequately briefed and declines to rule on it. 11 United States District Court Northern District of California 1 Second, Cisco argues that “Finjan is estopped by argument-based estoppel” because “Finjan 12 argued clearly and unmistakably during prosecution that its invention was different from the Golan 13 reference because ‘Golan discusses a situation whereby a security monitor is already resident on a 14 client computer.’” MSJ at 17 (citing ECF 378-17 at FINJAN-CISCO 001020; ECF 378-19 at 15 FINJAN-CISCO 000899). Thus, according to Cisco, “by asserting a theory whereby a file is 16 transmitted to an alleged Information-Destination where there is ‘already resident’ something Finjan 17 characterizes as MPC, Finjan attempts to recapture through DOE exactly what it distinguished by 18 argument during prosecution, which it cannot do.” MSJ at 17. Finjan responds that Cisco’s 19 argument-based estoppel theory is “an attempt to reargue claim construction of ‘mobile protection 20 code.’” Opp’n at 20. Finjan also argues that there was no “clear and unmistakable surrender of 21 subject matter” during prosecution. Opp’n at 19. 22 The Court agrees with Finjan that Cisco’s argument-based estoppel theory is an attempt to 23 relitigate the claim construction of “mobile protection code” – where Cisco’s efforts to include 24 “mobile” in the construction were unsuccessful. See Cisco’s Responsive Claim Construction Brief 25 at 1 (citing to prosecution history distinguishing “present invention” from non-mobile, pre-installed 26 protection code at the client), ECF 154 ; see also Markman Order II at 4-6. As the Court explained 27 earlier in this Order, the Court is not persuaded that revisiting claim construction is warranted. 28 *** 23 1 Accordingly, the Court DENIES Cisco’s motion for summary judgment on DOE theories 2 regarding MPC. 3 D. 4 Non-infringement of the ’780 Patent 1. Background of the ’780 Patent The ’780 patent is directed to a system and a method “for protecting a computer and a 6 network from hostile Downloadables.” ’780 Patent at 1:30-33. Downloadables are executable 7 programs typically requested by Internet browsers or web engines. Id. at 1:50-55. Examples of 8 Downloadables include Java applets, JavaScript scripts, and ActiveX controls. Id. at 1:55-61. The 9 specification explains that computer network security systems “are not configured to recognize 10 computer viruses which have been attached to or configured as Downloadable application 11 United States District Court Northern District of California 5 programs.” Id. at 1:47-50. To that end, the ’780 patent involves: (1) a security policy, (2) an 12 interface for receiving a Downloadable, and (3) a comparator “for applying the security policy to 13 the Downloadable to determine if the security policy has been violated.” Id. at 2:1-4. Once the 14 system receives a Downloadable, the system uses an ID generator to compute a Downloadable ID 15 by fetching all the components of the Downloadable and performing a hash function on the 16 Downloadable and the fetched components. Id. at 2:12-16. Next, a security policy may indicate 17 which test to perform on the Downloadable, including: 18 21 (1) a comparison with known hostile and non-hostile Downloadables; (2) a comparison with Downloadables to be blocked or allowed per administrative override; (3) a comparison of the Downloadable security profile data against access control lists; (4) a comparison of a certificate embodied in the Downloadable against trust certificates; and (5) a comparison of the URL from which the Downloadable originated against trust and untrusted URLs. 22 Id. 2:17-26. A local engine will then determine, based on the result of these comparisons, whether 23 to allow or block the Downloadable. Id. 2:26-27. 19 20 24 25 26 27 28 The only asserted independent claim (claim 9) provides: 9. A system for generating a Downloadable ID to identify a Downloadable, comprising: a communications engine for obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable; and 24 an ID generator coupled to the communications engine that fetches at least one software component identified by the one or more references, and for performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID. 1 2 3 4 5 ’780 Patent, Claim 9. The Court construed “performing a hashing function on the Downloadable and the fetched software components to generate a Downloadable ID” to mean “performing a hashing function on 6 the Downloadable together with its fetched software components to generate a unique and 7 8 9 reproducible ID for that Downloadable.” Markman Order I at 25. Relevant to this motion, the Court has found that the ID generator may perform “one or more” hashing functions to generate “one or more” Downloadable IDs for “one or more” Downloadables. Id. 10 11 2. AMP Products United States District Court Northern District of California Cisco argues that it is entitled to summary judgment as to the AMP products because AMP 12 13 Products hash each file as received and thus, “Finjan cannot satisfy the ‘fetched’ requirement or the ‘together’ requirement of the Court’s construction.” MSJ at 19. Cisco explains 14 15 16 Id. On the other hand, 17 18 ” Id. 19 Finjan does not meaningfully dispute that AMP Products hash files as received, but argues 20 21 that software components that are “resident in a Downloadable” may nonetheless be “fetched” as required by the claims. Opp’n at 21. According to Finjan, “Dr. Mitzenmacher provided an opinion 22 for each of the accused products (including AMP Products, Cisco Sandboxes, and combinations 23 24 25 26 27 thereof) discussing ‘hashing HTML files together with JavaScript’ showing that the accused products for the ‘780 Patent infringe because the referenced software components (e.g., JavaScript), that may be ‘inside’ the Downloadable (e.g., HTML or web page) are fetched first in order for them to then be hashed together.” Opp’n at 21. Cisco replies that (1) “[a]ll of Finjan’s ‘AMP’ evidence describes what Threat Grid does 28 25 1 after it receives a file (a Downloadable) from AMP” and not the AMP Products on their own and 2 (2) the claims require “‘fetching’ something that is not already in the Downloadable.” Reply at 12- 3 13. 4 As for Cisco’s first argument, the Court has reviewed the specific cites Finjan provided with 5 regard to AMP Products (Opp’n at 21-11 (citing Mitz. Rpt ¶¶ 1295, 1370, 1374, 1394, 1501, 1304))7 6 and has identified one paragraph in which Dr. Mitzenmacher opines that the AMP Products hash 7 files and internal software components together: 8 9 10 United States District Court Northern District of California 11 12 13 Mitz. Rpt ¶ 1394. Accordingly, Cisco’s “no evidence” theory fails. 14 15 16 17 As for Cisco’s substantive argument, the Court finds that Finjan has identified a disputed issue of fact. Specifically, Finjan’s expert opines that an internal software component may be “fetched” – and Cisco disagrees. Cisco dubs the dispute as “a question of claim construction.” Reply at 13 (citing prosecution history and written description of the ’780 Patent). The Court 18 disagrees. 19 The parties do not dispute that fetching must occur – Cisco simply rejects Dr. Mitzenmacher’s opinion that software components may be fetched from within a Downladable. 20 Q. So your opinion is that a downloadable that contains components when downloaded by a device, that device would also be fetching the components that are within that downloadable? 21 22 A. I’d say that would be one way that it could occur. 23 Deposition of Michael Mitzenmacher at 210:11-16, ECF 400-48. Moreover, as Finjan pointed out 24 25 at the Hearing, the ’780 Patent contemplated the scenario where the software components are “embodied” in the Downloadable: 26 27 28 7 To be clear, the Court has not (or could reasonably be expected to have) reviewed the 600+ pages of Finjan’s expert report as suggested by Finjan’s string cites. See Opp’n at 20 (citing Mitz. Rpt ¶¶ 820-1635). 26 1 3 The ID generator 315 preferably prefetches all components embodied in or identified by the code for Downloadable ID generation. For example, the ID generator 315 may prefetch all classes embodied in or identified by the Java TM applet bytecode to generate the Downloadable ID. 4 ’780 Patent, 4:56-61; Hr’g Tr. at 147:6-9 (“Mr. Hannah: The specification in column 4, line 56, it 5 actually specifically addresses this issue in which components are embodied within the 6 Downloadable. The Software components are embodied in the Downloadable.”) 2 *** 7 8 Accordingly, viewing the evidence in the light most favorable to Finjan, the Court finds that 9 a material issue of fact exists and thus DENIES Cisco’s motion for summary judgment as to AMP 10 United States District Court Northern District of California 11 12 Products. 3. Threat Grid and Cisco seeks summary judgment of non-infringement as to Threat Grid and on 13 the ground that Finjan identifies no evidence that Threat Grid and perform a hashing 14 function on the Downloadable and fetched software components together. MSJ at 20. As for Threat 15 Grid, Cisco explains that when a file (“sample”) is submitted, Threat Grid generates 16 . MSJ at 20 (citing Brozefsky Decl. ¶ 12). 17 Threat Grid may then execute the sample in a sandbox, which may result in “artifacts” being created 18 and after the execution is completed . MSJ at 20 (citing Brozefsky 19 20 Decl. ¶¶ 13-14). Based on this description, Cisco argues that “[w]hile the hashes of the 21 ultimately may be stored together, they are not hashed together[.]” MSJ at 20. As for 22 , Cisco argues that Finjan has only identified “an analysis report generated by 23 that includes a number of hashes” but has no evidence that 24 function on the Downloadable and fetched software components together.” MSJ at 20. According 25 to Cisco, summary judgment is warranted because “a ‘collection of hashes’ is not a Downloadable 26 ID.” MSJ at 20 (citing Mitz. Rpt ¶¶ 1365-1366, 1400-1402, 1528-1530). performs a hashing 27 Finjan responds that its infringement theories demonstrate that Cisco’s products “fetch” and 28 “hash” files “together.” Opp’n at 21. First, Finjan asserts that Dr. Mitzenmacher provided an 27 1 opinion for Cisco Sandboxes (like he did for AMP Products) showing that the accused products for the ‘780 Patent infringe because the 2 that may be ‘inside’ the Downloadable (e.g., 3 referenced software components 4 HTML or web page) are fetched first in order for them to then be hashed together.” Id.; see also 5 Opp’n at 22 (citing Mitz Rept ¶¶ 1370, 1374). As the Court concluded above for AMP products, 6 Finjan has identified a material issue of fact as to whether software components may be “fetched” 7 from “inside” the Downloadable. 8 9 10 Second, Finjan argues that Threat Grid and hash the Downloadable and the fetched software components together because “a file will be hashed together with its fetched software components and the combined analysis will include a unique Downloadable ID United States District Court Northern District of California 11 .” Opp’n at 22 (citing Mitz. Rpt ¶¶ 1295, 1299, 1330, 1335, 1339, 1344, 1361, 12 1365, 1381, 1400). The cited paragraphs, however, support Cisco’s explanation that the file and its 13 components are 14 confirmed at the Hearing that 15 hashes are then put in a report: 16 17 18 19 20 . Finjan’s counsel as it comes in to Cisco’s sandboxes and those Mr. Hannah: …. It’s a single session they call. And so the file comes in, That is all recorded in the same session. All of that is done together. Once that session is complete, ... and when they see the processing is done, then they spit out, as counsel said, a report. Hr’g Tr. at 133:22-133:7. Finjan nonetheless claims that “these together because it’s happening in a single session” are happening . Hr’g 21 Tr. at 144:8-11. 22 23 24 25 26 The Court finds Finjan’s “sequence of hashes” argument unpersuasive. The storing together of separately generated hashes does not satisfy the “together with” requirement of claim 9, as construed by the Court. First, Finjan’s theory that the “sequence of hashes” are “happening together” because they take place in the “same session” appears nowhere in the cited expert testimony. Second, the claim requires “performing a hashing function on the Downloadable 27 together with its fetched software components to generate a unique and reproducible ID for that 28 28 1 Downloadable.” Markman Order I at 25. The Court fails to see how a “sequence of hashes” (created 2 in one session or otherwise) stored in a file or report is any different than simple hashing of files and 3 storing them together – neither of which Finjan invented. To be clear, the Court recognizes that 4 under the Court’s construction, the ID generator may perform “one or more” hashing functions – 5 but that doesn’t change the “together with” requirement, for which Finjan has failed to set forth any 6 evidence. Accordingly, the Court concludes that Finjan’s theory of “sequence of hashes” stored in 7 a file or report does not satisfy the claim requirements. *** 8 9 Accordingly, with respect to Threat Grid and , the Court (i) DENIES summary judgment as to Finjan’s infringement theory that software components may be fetched from “inside” 11 United States District Court Northern District of California 10 the Downloadable and then hashed together with the Downloadable and (ii) GRANTS summary 12 judgment as to Finjan’s infringement theory that a “sequence of hashes” stored in a report or file 13 satisfies the “together with” requirements of claim 9. 14 4. Dropper (Dropped Filed) 15 Separately, Cisco challenges Finjan’s infringement theories with regard to dropper (or 16 dropped) files. Cisco explains that dropped files are downloaded in response to a first file being 17 executed. MSJ at 22. Cisco argues that “dropped files” are “separate executable files that are 18 downloaded as a result of the original (e.g., ‘parent’) file executing” and thus, cannot satisfy the 19 claim element “software components required to be executed by the Downloadable.” MSJ at 22. 20 To make this argument, Cisco relies on the nature and functionality of dropper (or dropped) files, 21 but cites to no evidence in support of its factual assertions. Finjan, on the other hand, cites to Dr. 22 Mitzenmacher’s report, in which he describes the operation of dropper (or dropped) files within 23 Threat Grid. Opp’n at 23. On this record, the Court declines to conclude that no material dispute 24 of fact is present and DENIES summary judgment with respect to dropper (or dropped) files on the 25 ground that dropper (or dropped) files are “separate executable files.” 26 5. Estoppel under Doctrine of Equivalents 27 Cisco seeks summary judgment on Finjan’s DOE infringement theory for the ID generator 28 limitation of claim 9 (claim 11 at prosecution). Cisco argues that the ID generator limitation was 29 1 amended during prosecution to distinguish prior art by affirmatively requiring the ID generator to 2 fetch at least one software component and to perform a hashing function on the Downloadable and 3 the fetched software components. MSJ at 22 (citing ECF 378-14 (’780 Patent File History) at 4 FINJAN-CISCO 000577, 602, 609). Because the amendments to claim 9 narrowed the scope of the 5 claim for purposes of patentability, Cisco argues, Finjan is estopped from asserting a DOE theory 6 on this element. MSJ at 22. Finjan responds that the amendment only “reworded” the claim 7 language and did not narrow the scope of the claim because the “fetching” and “hashing” language 8 was included in the claim prior to the amendment. Opp’n at 24. According Finjan, because the 9 amendments were not made “to narrow the claim element to overcome prior art, the ID generator is 10 United States District Court Northern District of California 11 not subject to prosecution history estoppel.” Id. Claim 9 (claim 11 during prosecution) was amended twice, as demonstrated below: 12 13 14 15 16 17 18 19 ECF 378-14 at FINJAN-CISCO 000577 (amendments underlined). 20 21 22 23 24 25 26 27 28 30 1 2 3 4 5 6 7 8 9 ECF 378-14 at FINJAN-CISCO 000602 (amendments in handwriting). 10 Here, contrary to Finjan’s assertion, the amendment did not simply reword the claim 11 United States District Court Northern District of California language. The ID generator element was amended to require: (1) fetching of at least one software 12 13 14 component (as opposed to the broader pre-amendment language requiring fetching “at least one component”) and (2) the claimed “function” to be a hashing function. These are narrowing amendments – triggering the amendment-based estoppel on Finjan’s DOE theories regarding ID 15 generator. 16 Moreover, the amendments were made to overcome patentability challenges. The examiner 17 explained that the amended claim was allowed because “[i]t was not found to be taught in the art of 18 a downloadable that includes references to software components required to be executed by the 19 downloadable and performing a hashing function on the downloadable and the fetched software 20 component to generate a downloadable ID.” ECF 378-14 at FINJAN-CISCO 000610. Even if the 21 examiner had not identified the amendments as the reason for allowance, when the record lacks 22 23 explanation for the amendment, courts “presume that the PTO had a substantial reason related to patentability for including the limiting element added by amendment.” Conoco, 460 F.3d at 1363 24 (citation omitted). 25 The burden then shifts to Finjan to show that the amendment does not surrender the particular 26 27 ID generator equivalent in question. Festo, 535 U.S. at 740. Finjan argues that “‘a function on the Downloadable and all components fetched to generate a Downloadable ID’ as well as wherein the 28 31 1 function includes a hashing function’ existed prior to any amendments.” Opp’n at 24 (citing to ECF 2 378-14 at FINJAN-CISCO 000577-78). 3 component” limitation was not included in the pre-amendment language. Second, the “hashing 4 function” was included in a separate (dependent) claim – not claim 9 (claim 11 at prosecution). See 5 ECF 378-14 at FINJAN-CISCO 000578 (claim 17). The Court is not persuaded. First, the “software Finally, Finjan argues that “the examiner, not Finjan, added the ‘hashing’ function, thus 7 prosecution history estoppel does not apply because there was no clear and unmistakable disavowal 8 by the patentee.” Opp’n at 24-25. Finjan appears to be conflating the standard for argument-based 9 estoppel (which Cisco has not moved on as to the ID generator) with amendment-based estoppel 10 (which Cisco has moved on). See Conoco, 460 F.3d at 1364 (“Unlike amendment-based estoppel, 11 United States District Court Northern District of California 6 we do not presume a patentee’s arguments to surrender an entire field of equivalents through simple 12 arguments and explanations to the patent examiner.”). When applying amendment-based estoppel, 13 courts “presume that the patentee surrendered all subject matter between the broader and the 14 narrower language” when an amendment is made for purposes of patentability. Festo, 535 U.S. at 15 739. 16 In sum, Finjan has failed to articulate why the amendments to claim 9 do not surrender the 17 DOE infringement theories it asserts. Accordingly, the Court GRANTS Cisco’s motion for 18 summary judgment on Finjan’s DOE infringement theories as to the ID generator limitation of claim 19 9. 20 E. 21 Cisco seeks summary judgment on the issue of pre-suit damages because “[n]o admissible 22 evidence exists of Finjan putting Cisco on notice, prior to the filing of the Complaint, that a specific 23 Cisco product infringes a specific Finjan patent, as required under the law to recover pre-suit 24 damages.” MSJ at 23. Finjan concedes that “for purposes of this trial only and preserving all 25 appeals, the start date of damages is the filing of the initial complaint on January 6, 2017.” Opp’n 26 at 25. Because there is no dispute, the Court GRANTS Cisco’s motion for summary judgment and 27 holds that Finjan is not entitled to recover damages prior to the date it filed suit (i.e., January 6, 28 2017). Pre-Suit Damages 32 1 IV. ORDER For the foregoing reasons, the Court: 2 3 4 (1) As to Cisco’s motion for summary judgment of non-infringement of the ’154 Patent, a. Cisco’s motion is GRANTED with respect to AMP Products, b. Cisco’s motion is DENIED with respect to URL rewriting feature of the ESA 5 Outbreak Filters, and 6 7 8 9 c. Cisco’s motion is GRANTED with respect to accused as “content processor.” (2) As to Cisco’s motion for summary judgment of non-infringement of the ’633 Patent, a. Cisco’s motion is GRANTED with respect to 10 United States District Court Northern District of California 11 accused as MPC, b. Cisco’s motion is DENIED with respect to kernel monitor, 12 13 ” accused as MPC, and c. Cisco’s motion for summary judgment is DENIED with respect to Finjan’s DOE 14 theories regarding MPC. 15 16 (3) As to Cisco’s motion for summary judgment of non-infringement of the ’780 Patent; a. Cisco’s motion for summary judgment is DENIED with respect to AMP 17 Products, 18 19 20 21 22 23 24 25 26 27 b. Cisco’s motion for summary judgment with respect to Threat Grid and is (i) DENIED as to Finjan’s infringement theory that software components may be fetched from “inside” the Downloadable and then hashed together with the Downloadable and (ii) GRANTED as to Finjan’s infringement theory that a “sequence of hashes” stored in a report or file satisfies the “together with” requirements of claim 9. c. Cisco’s motion for summary judgment is DENIED with respect to dropper (or dropped) files on the ground that dropper (or dropped) files are “separate executable files.” d. Cisco’s motion for summary judgment is GRANTED with respect to Finjan’s 28 33 1 2 DOE theories regarding the ID generator limitation of claim 9. (4) Cisco’s motion for summary judgment on the issue of pre-suit damages is GRANTED. 3 4 IT IS SO ORDERED. 5 6 7 8 Dated: March 20, 2020 ______________________________________ BETH LABSON FREEMAN United States District Judge 9 10 United States District Court Northern District of California 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 34

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?