- Redacted 1 2 3 UNITED STATES DISTRICT COURT 4 NORTHERN DISTRICT OF CALIFORNIA 5 SAN JOSE DIVISION 6 7 FINJAN, INC., Case No. 17-cv-00072-BLF 8 Plaintiff, ORDER GRANTING IN PART AND DENYING IN PART CISCO’S MOTION 9 v. FOR PARTIAL SUMMARY JUDGMENT OF NON- 10 CISCO SYSTEMS INC., INFRINGEMENT 11 Defendant. [Re: ECF 378] 12 Plaintiff Finjan, Inc. (“Finjan”) brings this patent infringement lawsuit against Defendant 13 Cisco Systems, Inc. (“Cisco”), alleging infringement of five of Finjan’s patents directed to computer 14 and network security: U.S. Patent Nos. 6,154,844 (the “’844 Patent”); 6,804,780 (the “’780 patent”); 15 7,647,633 (the “’633 patent”); 8,141,154 (the “’154 patent”); and 8,677,494 (the “’494 patent”). 16 Cisco seeks summary judgment of non-infringement on 3 of the 5 asserted patents: the ’154 Patent, 17 the ’633 Patent, and the ’780 Patent. Cisco also seeks summary judgment of no pre-suit damages. 18 The Court heard oral arguments on January 9, 2020 (the “Hearing”). 19 I. THE ACCUSED PRODUCTS 20 The infringement allegations subject to Cisco’s motion for summary judgment primarily 21 relate to Cisco’s Advanced Malware Protection (“AMP”) products under the following categories: 22 (1) AMP Gateway/Cloud Products (for Enterprise) and AMP for Endpoints (collectively, “AMP 23 Products”) and (2) Talos (or its component, and Threat Grid (collectively “Cisco 24 Sandboxes”). Cisco Systems, Inc.’s Motion for Partial Summary Judgment (“MSJ”) at 1, ECF 382- 25 3 (redacted version filed at ECF 378); Plaintiff Finjan, Inc.’s Opposition to Defendant Cisco 26 Systems, Inc.’s Motion for Partial Summary Judgment (“Opp’n”) at 1-2, ECF 400-4 (redacted 27 1 device for malicious content. MSJ at 1. 2 For the AMP Gateway Products, a requested file is processed as follows: 3 4 5 6 7 8 MSJ at 2. The AMP appliance may also send a copy of an unknown file to Cisco’s 9 “sandboxes,” known as Threat Grid and Id. AMP for Endpoints operates similarly 10 to AMP Gateway, except it runs on client (end-user) devices instead of running at a gateway. Id. 11 Finjan also accuses the “URL rewriting” feature within the Cisco E-mail Security Appliance 12 (“ESA”) with respect to the ’154 Patent only. MSJ at 2; Opp’n at 2. Cisco’s ESA products screen 13 incoming emails for malicious content before they are delivered to a user’s inbox. 14 II. LEGAL STANDARD 15 Federal Rule of Civil Procedure 56 governs motions for summary judgment. Summary 16 judgment is appropriate if the evidence and all reasonable inferences in the light most favorable to 17 the nonmoving party “show that there is no genuine issue as to any material fact and that the moving 18 party is entitled to a judgment as a matter of law.” Celotex Corp. v. Catrett, 477 U.S. 317, 322 19 (1986). Rule 56 authorizes a court to grant “partial summary judgment” to dispose of less than the 20 entire case and even just portions of a claim or defense. See Fed. R. Civ. P. advisory committee’s 21 note, 2010 amendments. 22 The moving party bears the burden of showing there is no material factual dispute, by 23 “identifying for the court the portions of the materials on file that it believes demonstrate the absence 24 of any genuine issue of material fact.” T.W. Elec. Serv. Inc. v. Pac. Elec. Contractors Ass’n, 809 25 F.2d 626, 630 (9th Cir. 1987). In judging evidence at the summary judgment stage, the Court “does 26 not assess credibility or weigh the evidence, but simply determines whether there is a genuine factual 27 issue for trial.” House v. Bell, 547 U.S. 518, 559-60 (2006). A fact is “material” if it “might affect 1 there is sufficient evidence for a reasonable trier of fact to decide in favor of the nonmoving party. 2 Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). 3 In cases like this, where the nonmoving party will bear the burden of proof at trial on a 4 dispositive issue (e.g., patent infringement), the nonmoving party must “go beyond the pleadings 5 and by her own affidavits, or by the ‘depositions, answers to interrogatories, and admissions on file,’ 6 designate ‘specific facts showing that there is a genuine issue for trial.’” Celotex, 477 U.S. at 324. 7 For a court to find that a genuine dispute of material fact exists, “there must be enough doubt for a 8 reasonable trier of fact to find for the [non-moving party].” Corales v. Bennett, 567 F.3d 554, 562 9 (9th Cir. 2009). In considering all motions for summary judgment, “[t]he evidence of the non- 10 movant is to be believed, and all justifiable inferences are to be drawn in his favor.” Anderson, 477 11 U.S. at 255; see also Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986). 12 III. DISCUSSION 13 A. The Parties’ Dispute Regarding Finjan’s Expert Reports on Infringement 14 As an initial matter, the Court addresses a procedural dispute regarding Finjan’s expert 15 reports on infringement. Finjan’s infringement theories in this case have been the subject of 16 extensive motion practice. On April 18, 2019, Finjan moved to supplement (or amend) its 17 infringement contentions pursuant to Local Patent Rule 3-6. ECF 231. On June 11, 2019, 18 Magistrate Judge van Keulen denied Finjan’s motion and rejected its assertion that it was simply 19 adding the codenames of particular components to its previous contentions regarding the associated 20 functionality. ECF 274 at 6-7. Finjan sought relief from Judge van Keulen’s order, which this Court 21 denied on July 17, 2019. ECF 304 at 3-4. Finjan served its expert infringement reports – which 22 included the codenames in dispute – and Cisco moved to strike. ECF 312. The Court granted 23 Cisco’s motion and directed Finjan’s experts to “redraft their reports to remove the disallowed 24 terminology and Talos-only allegations, and to ensure that their opinions track the disclosures in 25 Finjan’s operative infringement contentions.” ECF 397 at 7. At the Hearing, the parties informed 26 the Court that they had not yet finalized the revised infringement expert reports. See Transcript of 27 Proceedings Before the Honorable Beth Labson Freeman on January 9, 2020 (“Hr’g Tr.”) at 49:18- 1 As a result, the basis for Cisco’s present motion for summary judgment is Finjan’s now- 2 stricken expert reports that include the disallowed codenames. In several instances, Cisco seeks 3 summary judgment on the ground that that the accused codenames have been stricken and thus, 4 cannot be relied upon to show infringement. The Court rejects those arguments wholesale without 5 prejudice. As the Court explained at the Hearing, the Court struck certain codenames from Finjan’s 6 expert reports – but not the experts’ opinions generally. Hr’g Tr. at 50:22-51:6. The Court further 7 allowed Finjan to amend its reports and substitute the disallowed codenames with functionalities 8 that were included in Finjan’s infringement contentions. As of the date of this Order, the Court is 9 not aware of any amended expert reports. Accordingly, the Court decides on Cisco’s motion for 10 summary judgment under the assumption that the codenames used in the expert reports (and the 11 parties’ briefing) have a corresponding functionality in the infringement contentions and thus, are 12 still in the case. If, however, Finjan is unable to show that the functionalities corresponding to the 13 codenames were included in its operating infringement contentions, the Court would entertain that 14 dispute in a motion in limine. See Hr’g Tr. at 159:14-17. 15 B. Non-infringement of the ’154 Patent 16 1. Background of the ’154 Patent 17 The ’154 patent is directed to a system and a method “for protecting a client computer from 18 dynamically generated malicious content[.]” ’154 Patent at Abstract. Conventional reactive anti- 19 virus applications perform file scans looking for a virus’s signature against a list known virus 20 signatures kept on a signature file and thus, cannot protect against first time viruses or if a user’s 21 signature file is out of date. ’154 Patent at 1:25-31, id. at 2:32-37. Proactive anti-virus application, 22 on the other hand, use “a methodology known as ‘behavioral analysis’ to analyze computer content 23 for the presence of viruses.” Id. at 1:56-58. 24 Dynamic virus generation occurs at runtime where dynamically generated HTML contains 25 malicious JavaScript code. ’154 Patent at 3:53-64. For example the JavaScript function 26 document.write() is used to generate dynamic HTML at runtime. Id. at 3:53-57. Malicious code 27 inserted in a document.write() function would not be caught prior to runtime because the malicious 1 concerns a “new behavioral analysis technology [that] affords protection against dynamically 2 generated malicious code, in addition to conventional computer viruses that are statically 3 generated.” Id. at 4:31-34. 4 The basic setup of the ’154 Patent involves three components: (1) gateway computer 5 including a content modifier, (2) client computer including a content processor, and (3) security 6 computer including an inspector, a database of client security policies, and an input modifier. ’154 7 Patent at 9:5-11. A preferred embodiment describes a gateway computer that receives content 8 including a call to an original function and an input. Id. at 5:6-9. The gateway computer then 9 substitutes the call to the original function with a corresponding call to a substitute function, which 10 operates to send the input to a security computer for inspection. Id. at 5:10-15. The gateway 11 computer transmits the “modified content from the gateway computer to the client computer, 12 processing the modified content at the client computer.” Id. at 5:13-15. The client computer then 13 transmits “the input to the security computer for inspection when the substitute function is invoked.” 14 Id. at 5:15-17. The security computer first determines “whether it is safe for the client computer to 15 invoke the original function with the input.” Id. at 5:17-19. The security computer then transmits 16 “an indicator of whether it is safe for the client computer to invoke the original function with the 17 input,” to the client computer. Id. at 5:19-22. The client computer invokes the original function 18 “only if the indicator received from the security computer indicates that such invocation is safe.” 19 Id. at 5:22-24. 20 Claim 1 (the only asserted independent claim of the ’154 Patent) provides: 21 A system for protecting a computer from dynamically generated malicious content, comprising: 22 a content processor (i) for processing content received over a 23 network, the content including a call to a first function, and the call including an input, and (ii) for invoking a second 24 function with the input, only if a security computer indicates that such invocation is safe; 25 a transmitter for transmitting the input to the security 26 computer for inspection, when the first function is invoked; and 27 the input. 1 ’154 patent, 17:32-44. 2 The Court construed “first function / second function” as “substitute function / original 3 function, which is different than the first function.” Order Construing Claims in U.S. Patent Nos. 4 6,154,844; 6,804,780; 7,647,633; 8,141,154; 8,677,494 (“Markman Order I”) at 35, ECF 134. 5 2. AMP Products 6 The non-infringement dispute raised in Cisco’s motion for summary judgment is centered 7 on whether the AMP Products satisfy the claimed “content” that includes a “call to a first [i.e., 8 substitute] function” as construed by the Court.1 Cisco argues that it is entitled to summary 9 judgment as to the accused AMP Products because “AMP does not substitute calls to functions into 10 any content that it receives.” MSJ at 5. According to Cisco, (1) 11 2) 12 13 14 Id. at 5-6. Under Finjan’s 15 infringement analysis, Cisco argues, “both the ‘substitute function’ and the ‘original function’ can 16 exist within the content as it was originally created,” which in turn “renders the word ‘substitute’ 17 meaningless.” Id. at 6. 18 Finjan responds that claim 1, under the Court’s claim construction, does “not require that the 19 system have a gateway or a content modifier.” Opp’n at 3. Relying on that premise, Finjan argues 20 that it has demonstrated that there is a “substitute” function (or first function) which is different 21 from the “second function.” Id. The allegedly infringing example that Finjan provides is that “there 22 are scenarios where the hacker or some other process modifies the original content by inserting a 23 substitute function in place of the original function.” Id. (citing Expert Report of Michael 24 Mitzenmacher, Ph.D. Regarding Infringement by Cisco Systems, Inc. of Patent Nos. 6,804,780 and 25 26 1 In its moving papers, Cisco argued that Finjan’s infringement expert, Dr. Mitzenmacher, relied on 27 an incorrect interpretation of the Court’s claim construction. MSJ at 4-5. As the briefing progressed, 1 8,141,154 (“Mitz. Rpt”) ¶ 1934, ECF 400-6). At the Hearing, Finjan provided the same example. 2 See Hr’g Tr. at 59:19-25. 3 The Court is not persuaded by Finjan’s arguments because they are inconsistent with the 4 patent’s specification and the Court’s Markman Order. Under Finjan’s theory, the “substitute 5 function” can be supplied by an external actor (e.g., a hacker) outside the control of any accused 6 product. See Hr’g Tr. at 63:13-18. This theory is contrary to how the ’154 Patent describes the 7 invention. According to the ’154 Patent’s own language: 8 To enable the client computer to pass function inputs to the security computer and suspend processing of content pending replies from the 9 security computer, the present invention operates by replacing original function calls with substitute function calls within the 10 content, at a gateway computer, prior to the content being received at the client computer. 11 ’154 Patent at 4:55-60 (emphasis added). It is the “invention” that replaces the “original” function 12 with a “substitute” function – not an external factor such as a hacker. As Judge Alsup explained in 13 Finjan’s case against Juniper, a “substitute function” supplied by an external system “ultimately 14 amounts to the original content initially received by the claimed system” and not a “substitute” 15 function. Finjan, Inc. v. Juniper Networks, Inc., No. C 17-05659 WHA, 2019 WL 3302717, at *2 16 (N.D. Cal. July 23, 2019). 17 Finjan’s “hacker” theory is also inconsistent with the Court’s construction of “first 18 function/second function.” It is true that claim 1 does not recite or claim a “gateway that modifies 19 content.” See Markman Order I at 38. But, in construing “first function” to mean “substitute 20 function,” the Court acknowledged that the content received by the “content processor” includes a 21 call to “substitute function” — which replaced the “original function” at the (unclaimed) gateway. 22 See Markman Order I at 38 (“[T]he specification clearly discloses a content modifier in the gateway 23 that modifies original content to replace the original function with the substitute function.”) (citing 24 ’154 Patent at 9:13–28). The Court explained that “a person of ordinary skill in the art would 25 understand that the ‘first function’ corresponds to the substitute function in light of the claim 26 language and the specification.” Markman Order at 38. Thus, the Court’s claim construction 27 1 requires the “original function” be replaced by the “substitute function.”2 To hold otherwise, renders 2 the word “substitute” in the Court’s construction meaningless. 3 To support its position, Cisco cites to Judge Alsup’s decision in Finjan’s case against 4 Juniper, finding that the “the substitute function exists only after the original content is modified at 5 the gateway computer.” Finjan, Inc. v. Juniper Networks, Inc., 387 F. Supp. 3d 1004, 1011 (N.D. 6 Cal. 2019) (citing ’154 Patent at 9:13–28). To be clear, Judge Alsup was tasked with construing the 7 term “content processor” – which this Court had no occasion to construe. See id. at 1010-13. That 8 said, the Court finds Judge Alsup’s analysis well-reasoned and supported by the ’154 Patent’s 9 specification explaining that “the present invention operates by replacing original function calls with 10 substitute function calls within the content, at a gateway computer, prior to the content being 11 received at the client computer.” ’154 Patent at 4:55-60. 12 In addition, the Court finds Finjan’s “hacker” theory contrary to the Federal Circuit’s 13 understanding of claim 1. The Federal Circuit explained: 14 The ’154 patent has four independent claims (1, 4, 6, and 10), each reciting a system or software program that executes a substitute 15 function. The substitute function inspects the input to an original function to determine if executing the original function with the input 16 violates a security policy. … 17 In the language of the ’154 patent, the “first function” is the inspection step in which the content is assessed for safety, and the “second 18 function” is when, having been deemed safe, the content is actually run. 19 Palo Alto Networks, Inc. v. Finjan, Inc., 752 F. App’x 1017, 1018 (Fed. Cir. 2018). The Court is 20 not persuaded that a hacker’s code “inspects the input” to “determine if executing the original 21 function with the input violates a security policy” or operate as “the inspection step.” See id.3 In 22 sum, the Court finds that Finjan’s “hacker” infringement theory fails to meet the requirements of 23 24 2 The Court notes that in its case against Proofpoint, Finjan made such an argument to address claim 25 construction of the same disputed term (i.e., first function/second function). See Finjan, Inc., v. Proofpoint, Inc., No. 13-CV-05808-HSG, 2015 WL 7770208, at *8 (N.D. Cal. Dec. 3, 2015) (“Plaintiff 26 notes that . . . the original function is replaced by the substitute function at the gateway, before the security computer receives the content.”) (emphasis in original). 27 3 The Court notes that Judge Alsup similarly rejected Finjan’s “hacker” theory. See Finjan, Inc. v. 1 claim 1. 2 Next, Finjan asserts that there are other disputed issues of fact that preclude summary 3 judgment. Opp’n at 5. The Court addresses and rejects each purported dispute below. 4 First, Finjan argues that “Cisco’s non-infringement arguments for the AMP Products only 5 address when the AMP Cloud is the identified security computer, such that Cisco is not seeking 6 summary disposition for AMP Products in combination with Threat Grid and and when 7 they are the security computer.” Opp’n at 4-5. Cisco responds that it, in fact, “seeks summary 8 judgment on all accused products, and the identity of the ‘security computer’ is irrelevant to the 9 issues” because “the AMP Products never receive ‘content’ with a call to a substitute function” – 10 irrespective of what Finjan accuses as the “security computer.” Cisco Systems, Inc.’s Reply in 11 Support of Its Motion for Partial Summary Judgment (“Reply”) at 1, ECF 407-3 (redacted version 12 filed at ECF 408). The Court agrees with Cisco. As discussed above, Finjan has not identified 13 “content” including “a call to a substitute function” in the AMP Products – making the identity of 14 the security computer irrelevant. 15 Second, Finjan claims that Cisco’s declarants4 and Finjan’s expert disagree as to whether 16 AMP Products substitute functions. Without explaining how Dr. Mitzenmacher’s cited examples 17 show that AMP “substitutes calls into the content that it receives,” Finjan string cites to several 18 paragraphs in Dr. Mitzenmacher’s expert report and his deposition transcript. See Opp’n at 5 (citing 19 Mitz. Rpt ¶¶ 1678, 1917, 1919, 2001-2004; see also Ex. 3, 8/30/19 Mitz. Tr. at 110:21-111:13). 20 Cisco replies that “those paragraphs do not explain how a call to any function was substituted into 21 the content, nor how any such call results in transmitting an input to a security computer for 22 inspection, and ¶¶1917 and 1919 do not even relate to AMP.” Reply at 3. The Court agrees with 23 4 In support of its motion for summary judgment, Cisco relies on declarations from 8 of its 24 employees, describing the operation and features of Cisco’s products. See ECF 382-11, ECF 382- 25 13, ECF 382-15, ECF 382-17, ECF 382-19, ECF 382-21, ECF 382-23, ECF 382-25. Finjan criticizes Cisco’s reliance on those fact declarations because the declarants “did not appear to have 26 read or understood the ‘154 Patent and the Court’s Claim Construction[.]” Opp’n at 5. Cisco responds that the declarations simply cover “product operation [that] is undisputed in all material 27 respects.” Reply at 1. The Court is not aware of any authority (and Finjan has not cited to any) that 1 Cisco. Paragraphs 1917 and 1919 of Dr. Mitzenmacher’s report discuss Cisco’s ESA with Outbreak 2 Filters and not AMP Products. See Mitz. Rpt ¶¶ 1917, 1919. The remaining cited paragraphs simply 3 name various features as “substitute function” but fail to describe (and so does Finjan in its 4 Opposition brief) how AMP Products do any sort of substitution. See Mitz. Rpt ¶¶ 1678, 2001- 5 2004. As for Dr. Mitzenmacher’s deposition testimony, he testified: 6 Q. Do you think -- let me strike that. Is it your opinion that a Cisco product reading content could insert a function into the content? 7 … A. I’m not exactly clear what you’re meaning, but in the manner 8 I described, like, it is, you know, changing the interpretation of a function to do something other than what the function would be doing 9 without the Cisco product. So it’s inserting something in the process somewhere, so I would view 10 that as a -- a change in the interpretation of the content. 11 Transcript of Videotaped Deposition of Michael Mitzenmacher Ph.D. (“Mitz. Dep.”) at 111:14-25, 12 ECF 400-10. Finjan fails to explain how and why Dr. Mitzenmacher’s testimony regarding “change 13 in the interpretation of the content” means that AMP Products substitute calls into the content they 14 receive. Finjan relies on an implausible inference from Dr. Mitzenmacher’s testimony that it fails 15 to explain in sufficient detail for the Court to credit its argument. 16 Third, Finjan argues that “Dr. Mitzenmacher provides examples of first functions that the 17 AMP Products receive.” Opp’n at 5 (citing Mitz. Rpt ¶¶ 1934-1947, 1966, 1996-98, 2042, 2046- 18 47). Cisco replies that “none of those paragraphs explain how a call to any of the functions he 19 identifies was substituted into the content, much less how it would result in transmitting an input to 20 a security computer for inspection, when invoked.” Reply at 3. Again, the Court agrees with Cisco. 21 First, to the extent the string cited paragraphs relate to Finjan’s theory that a hacker (or other 22 malicious content) provides the substitute function, the Court has rejected that theory. The 23 remaining paragraphs appear to discuss generally the AMP Products receiving “a call to a first 24 function” but do not explain how the AMP Products supply the “substitute function.” See Mitz. Rpt 25 ¶¶ 1966, 1996-98, 2042, 2046-47. 26 Fourth, Finjan argues that there is material dispute as to whether AMP Products only send 27 hash values to the AMP Cloud – as opposed to other inputs such as URLs. Opp’n at 5 (citing Mitz. 1 whether a substitute function call in the received content sends the input to the AMP Cloud when 2 invoked, which is the issue.” Reply at 3. The Court agrees. The issue is whether the AMP products 3 receive content including a call to a “substitute function” as construed by the Court – not the type 4 of content AMP receives. 5 *** 6 Accordingly, the Court finds that Finjan has failed to identify any material disputed facts as 7 to the AMP Products. Cisco’s Motion for Summary Judgment is GRANTED with respect to non- 8 infringement of the asserted claims of the ’154 Patent by AMP Products. 9 3. Email Security Appliance 10 a. URL Rewriting 11 Uniform resource locator (“URL”) rewriting is a feature of Cisco’s Outbreak Filters, 12 available on Cisco’s ESA or Cloud Email Security (“CES”). MSJ at 8; see also Mitz. Rpt ¶ 2130. 13 The parties do not dispute the overall functionality of URL rewriting – when Outbreak Filters 14 receive an incoming email, they may “rewrite” a URL within the received email, where the rewritten 15 URL includes an additional address to a Cisco proxy server. Declaration of Don Owens in Support 16 of Cisco Systems, Inc.’s Motion for Partial Summary Judgment (“Owens Decl.”) ¶¶ 4, 6-7, ECF 17 382-21; Mitz. Rpt ¶ 2130. Once the user clicks on the rewritten URL, the user’s request will flow 18 through the proxy server and be evaluated for potentially malicious content. Owens Decl. ¶¶ 8, 10- 19 12; Mitz. Rpt ¶ 2130; see also Hr’g Tr. at 72:9-15. 20 Cisco acknowledges that Finjan “identifies some sort of ‘substitution’” as to the URL 21 rewriting feature – namely, the rewritten URL is a substitute for the original URL. MSJ at 7. Still, 22 Cisco argues that Finjan’s infringement theories fail because “Finjan cannot satisfy the requirements 23 of claim 1 that the ‘incoming content’ have (i) a call to a first function, (ii) a second function (which 24 is different than the first function), and (iii) an ‘input’ that is the same for both.” Id. According to 25 Cisco, Finjan’s infringement theory amounts to the original URL (e.g., cnn.com) corresponding to 26 “original function,” and “input to the original function” – while the rewritten URL must satisfy both 27 the “substitute function” and “the call to the substitute function.” Id. at 7-8. Moreover, Cisco argues 1 Finjan responds that its expert “identified a mountain of evidence demonstrating that Cisco’s 2 ESA receives content with a call to a first (substitute) function, which complies with the Court’s 3 claim construction.” Opp’n at 7 (citing Mitz. Rpt at ¶¶ 2115-2214). Specifically, Finjan identifies 4 (1) emails as received “content”, (2) the processing of the rewritten URL as “call to first function”, 5 (3) URL address to the original content (e.g., cnn.com) as “input” sent to the security computer, and 6 (4) the call to “http://” which calls a “GET” function to process a URL address as the “original 7 function” invoked when the security computer determines that the input is safe. Opp’n at 7 (citing 8 Mitz. Rpt ¶¶ 2130, 2122, 2311, 2335, 2340, 2347-48, 2154). Finjan further argues that Cisco 9 “confuses and conflates the original URL address (i.e., youtube.com) with a call to process the 10 rewritten function (http://secure-web.cisco.com/auth=).” Opp’n at 8. According to Finjan, the latter 11 “calls functionality on the identified security computer to perform an authentication and provide a 12 response.” 13 The Court finds that the parties’ dispute concerning the manner in which Cisco’s URL 14 rewriting feature utilizes URL functionality precludes summary judgment. Specifically, the parties 15 dispute whether a URL (or a portion thereof) can be a “function,” or a “call to function” – with 16 Cisco arguing that URLs are nothing more than addresses and Finjan responding that the processing 17 of a URL can be a function. Rendering all inferences in Finjan’s favor, a reasonable jury could find 18 that “http://” (calling a GET function) satisfies the “original function” claimed because it is invoked 19 when the security computer determines that the input (original URL such as cnn.com) is safe or that 20 the processing of the rewritten URL is a “call to first function.” Id. 21 *** 22 Cisco’s motion for summary judgment is accordingly DENIED with respect to the non- 23 infringement of the asserted claims of the ’154 Patent by the URL rewriting feature of the ESA 24 Outbreak Filters. 25 b. 26 Next, Cisco challenges Finjan’s theory that proxy servers are the claimed 27 “content processors.” MSJ at 10-11. Cisco argues that “do not receive any content 1 resource identified by the original URL.” Id. at 11 (citing Owens Decl. ¶¶ 8, 10, 11). Finjan 2 disagrees and argues that “must, by definition, receive content” because they 3 receive the rewritten URL and the rewritten URL is “content” received by Cisco’s ESA. Opp’n at 4 11. Finjan further argues that because “ must receive content in some form in order 5 to receive the URLs,” Cisco’s argument on “whether receive email streams directly 6 is beside the point.” Id. Cisco replies that Finjan contradicts itself because it has identified “emails” 7 as the received “content” but now claims that the rewritten URL itself is the “content.” Reply at 6. 8 The Court agrees with Cisco. In its infringement theory as to Cisco’s ESA, Finjan has 9 identified “email” as the “content” received by the content processor. See Opp’n at 7 (“Cisco’s ESA 10 offerings infringes the ‘154 Patent because they receive content (which for the ESA are emails) 11 ….”) (emphasis added), see also Hr’g Tr. at 72:6-7. The claim requires “a content processor (i) for 12 processing content received over a network, the content …,” meaning the content processor must 13 receive the “content”, which in this scenario is “email” – not the rewritten URL and not “content in 14 some form” as Finjan now argues. See Opp’n at 11. The Court concludes that Finjan has failed to 15 demonstrate that receive “content” (i.e., email) and therefore GRANTS Cisco’s 16 motion for summary judgment of non-infringement as to accused as “content 17 processors.” 18 C. Non-infringement of the ’633 Patent 19 1. Background of the ’633 Patent 20 The ’633 Patent is directed to a system and method “for protecting network-connectable 21 devices from undesirable downloadable operation.” ’633 Patent at 1:30-33. The specification 22 explains that conventional virus protection programs fail to protect against certain types of viruses. 23 Id. at 1:58-59. These include Downloadable information comprising program code that can include 24 distributable components (e.g., Java applets, JavaScript scripts, ActiveX controls, Visual Basic add- 25 ins, or others) or application components (e.g., Application programs, Trojan horses, or multiple 26 compressed program). Id. at 1:60-66. To that end, the ’633 Patent “provides protection systems 27 and methods capable of protecting a personal computer . . . from harmful, undesirable, suspicious 1 at 2:20-25. 2 In one embodiment of the invention, one or more “servers” (e.g., firewalls, resources, 3 gateways, email relays or other devices/processes that are capable of receiving and transferring a 4 Downloadable) determine whether the received information includes executable code (and is a 5 “Downloadable”). ’633 Patent at 2:39-44. The servers can then deliver “static, configurable and/or 6 extensible remotely operable protection policies to a Downloadable-destination, more typically as a 7 sandboxed package including [a] mobile protection code, downloadable policies and one or more 8 received Downloadables.” Id. at 2:45-49. Once the mobile protection code is received, it can be 9 executed within the Downloadable-destination “in a manner that enables various Downloadable 10 operations to be detected, intercepted or further responded to via protection operations.” Id. at 2:49- 11 55. 12 Claim 14, the only asserted claim of the ’633 Patent5, provides: 13 14. A computer program product, comprising a computer usable medium having a computer readable program code therein, the 14 computer readable program code adapted to be executed for computer security, the method comprising: 15 providing a system, wherein the system comprises distinct 16 software modules, and wherein the distinct software modules comprise an information re-communicator and a mobile code 17 executor; 18 receiving, at the information re-communicator, downloadable-information including executable code; and 19 causing mobile protection code to be executed by the 20 mobile code executor at a downloadable-information destination such that one or more operations of the 21 executable code at the destination, if attempted, will be processed by the mobile protection code. 22 Claim 14, ’633 Patent (disputed element bolded). 23 2. The Requirements of the Claimed Mobile Protection Code (“MPC”) 24 The dispute at summary judgment is limited to the Cisco items Finjan has identified as MPC 25 (namely: 26 27 5 At the time Cisco filed its motion for summary judgment, claims 1, 8, and 13 of the ’633 Patent 1 ” – all components of Threat Grid and MSJ at 15; Opp’n at 2 14.6 3 Cisco argues that claim 14 requires an MPC that “(1) is transmitted; (2) is executable; and 4 (3) monitors or intercepts code operations” – and none of the accused products identified by Finjan’s 5 expert satisfies all three requirements. MSJ at 11, 15-16. Finjan does not contest the latter two 6 requirements, but responds that “Claim 14 of the ‘633 Patent has no explicit requirement that MPC 7 be ‘transmitted’ or ‘communicated’ with the downloadable-information.” Opp’n at 12. At the 8 Hearing, Finjan clarified its position and explained: (1) claim 14 does not require transmission and 9 (2) even if it did, installation of software satisfies that element. Hr’g Tr. at 100:20-24. Finjan further 10 argues that all products accused as MPC meet the claim requirements. 11 Neither the language of claim 14 nor the Court’s construction of MPC requires MPC to be 12 transmitted. First, there can be no dispute that “transmission” does not appear in claim 14. Other 13 claims of the ’633 Patent, notably, claims 1, 8, and 13 – which are no longer asserted in this case – 14 require MPC to be transmitted or communicated. See ’633 Patent, Claim 1 (“… transmitting from 15 the computer mobile protection code to at least one information destination of the downloadable- 16 information, …”) (emphasis added); id., Claim 8 (“… for causing mobile protection code (‘MPC’) 17 to be communicated by the computer …”); id., Claim 13 (“…means for causing mobile protection 18 code to be communicated to at least one information-destination …”) (emphasis added). Claim 14 19 contains no such language, leading to the presumption that its scope differs from that of claims 1, 8 20 and 13. See Curtiss-Wright Flow Control Corp. v. Velan, Inc., 438 F.3d 1374, 1380 (Fed. Cir. 2006) 21 (recognizing the “presumption that each claim in a patent has a different scope”). 22 Second, the Court construed “mobile protection code” as “code that, at runtime, monitors or 23 24 6 In its opening brief, Cisco also challenged Finjan’s theory as to AMP Gateway Products 25 transmitting MPC to Cisco sandbox using APIs. See MSJ 13-14. Cisco argued that 26 and API calls are not MPC because they are not executable. MSJ at 14. Finjan responds that it “disagrees with Cisco’s arguments regarding APIs” but nonetheless, those arguments are “irrelevant 27 because Finjan has not identified RESTful APIs as MPC[.]” Opp’n at 13. Because the parties 1 intercepts actually or potentially malicious code operations without modifying the executable code, 2 where the mobile protection code itself must be executable.” See Order Granting Cisco’s Motion 3 for Reconsideration of the Court’s Order Construing Additional Claims at 1, ECF 247. Specifically, 4 the Court rejected Cisco’s request to include the term “mobile” in the construction. See Order 5 Construing Additional Claims in U.S. Patent Nos. 6,154,844; 6,804,780; 7,647,633 (“Markman 6 Order II”) at 4-6, ECF 173. Thus, to the extent Cisco asserts that the term “mobile” in “mobile 7 protection code” requires the MPC to be transmitted, the Court’s construction imposes no such 8 requirement. 9 Cisco relies on Finjan’s arguments at claim construction and this Court’s order in Finjan’s 10 case against Blue Coat (where the Court construed a related term) to argue that claim 14 requires 11 “some form of communication” – which pre-installation of software cannot satisfy. See Hr’g Tr. at 12 114:4-6; MSJ at 13; see also Finjan, Inc. v. Blue Coat Sys., Inc., No. 13-CV-03999-BLF, 2014 WL 13 5361976, at *5 (N.D. Cal. Oct. 20, 2014). The Court is not persuaded. First, the Court carefully 14 considered the parties’ arguments at claim construction and elected not to include the term “mobile” 15 (let alone, “transmitted” or “communicated”) in the construction of MPC and sees no reason to 16 revisit or modify its construction. See Markman Order II at 4-6. Second, one of the embodiments 17 described in the ’633 Patent contemplates a scenario were MPC elements are installed on a 18 destination device prior to loading the Downloadable. See ’633 Patent, Fig. 11; see also id. at 19:65- 19 20. Accordingly, the Court rejects Cisco’s non-infringement arguments to the extent that they 20 require the components Finjan identifies as MPC to be “transmitted” or “communicated.” 21 With that in mind, the Court now turns to each accused components identified as MPC and 22 the parties’ arguments as to whether they are “executable” and “at runtime, monitor[] or intercept[] 23 actually or potentially malicious code operations without modifying the executable code.” 24 3. Kernel Monitor 25 Cisco does not contend in this motion that (or 26 analogous component in ) is not executable code or that it does not monitor or intercept 27 actually or potentially malicious code operations without modifying the executable code. See MSJ 1 mobile” because “ d” and thus is not transmitted. 2 MSJ at 15. Finjan responds that transmittal is not a requirement of claim 14 and even if it were, 3 “Cisco’s ’ still infringes because it is necessarily transmitted when 4 5 ” Opp’n at 6 14 (citing Expert Report of Nenad Medvidovic, Ph.D. Regarding Infringement By Cisco Systems, 7 Inc. of Patent No. 7,647,633 (“Medvidovic Rpt.”) ¶¶ 635, 659, ECF 400-8). 8 As the Court explained above, claim 14 does not require MPC to be transmitted or 9 communicated. Accordingly, the Court DENIES Cisco’s motion for summary judgment as to kernel 10 monitor. 11 4. 12 As for the remaining accused components, Cisco argues that Finjan fails to demonstrate that 13 they satisfy both requirements for the claimed MPC – specifically, that they (1) are executable and 14 (2) monitor or intercept actually or potentially malicious code operations without modifying the 15 executable code. See MSJ at 15-16. Finjan responds that “[e]ach identified MPC is used to create 16 and generate the virtual machines, which are used to monitor and intercept malicious computer 17 operations resulting in a report, thereby comporting with the Court’s construction of MPC.” Opp’n 18 at 15. Finjan goes on to cite to its expert’s report, Cisco’s internal documents, and various technical 19 depositions to describe each of the accused components and why they satisfy the MPC requirements. 20 See Opp’n at 15-18. Cisco’s main objection to Finjan’s theory is that even if “these [accused] items 21 can configure, generate or create a 22 , the claim requirements are not satisfied because the MPC itself must be the 23 executable code that at runtime monitors/intercepts actual or potentially malicious code operations 24 (as construed by the Court). Reply at 9. Cisco insists that it is the that does the 25 monitoring. Id. Finjan concedes that the accused components themselves do not monitor – but 26 argues that they 27 Hr’g Tr. at 108:6-13 1 The Court is not persuaded that Finjan’s theory is inconsistent with the Court’s construction 2 of MPC. To be sure, Finjan’s theory appears to be one step removed from MPC as construed – but 3 the Court’s construction did not specify (and the parties did not ask the Court to do so) how the 4 MPC monitors or intercepts malicious code. A reasonable jury may find that the accused 5 components monitor or intercept malicious code 6 – satisfying the requirements for MPC. That said, the 7 Court has reviewed the voluminous (and largely unhelpful) evidence cited by Finjan to determine 8 whether it has pointed to any evidence that when viewed in the light most favorable to Finjan, would 9 create a triable issue of fact regarding the 10 The Court’s analysis for each component is summarized below. 11 Finjan cites to testimony from Cisco’s fact witness, Dean de Beer, and argues 12 that 13 14 Opp’n at 15 (citing Transcript 15 of Videotaped Deposition of Dean de Beer (“de Beer Dep.”) at 69:11-20, ECF 400-18 16 17 ). Cisco concedes that . MSJ at 15. Cisco also agrees 18 that 19 Reply at 9. Accordingly, the Court is persuaded that a reasonable jury could agree with 20 Finjan that and thus satisfies 21 the requirements for MPC. 22 Finjan cites to an internal Cisco presentation and argues that 23 24 Opp’n at 16 (citing ECF 400-20 at CISCO-FINJAN_00204768.0004). The cited 25 Cisco presentation states that 26 ECF 400-20 at CISCO-FINJAN_00204768.0004. Finjan fails to explain what 27 1 . Accordingly, 2 the Court finds that Finjan has failed to identify any triable issues of fact as to 3 . None of Finjan’s cited evidence supports Finjan’s assertion that 4 5 See Opp’n at 16. 6 For example, Finjan cites to Cisco’s fact witness testimony, reproduced below: 7 8 9 de Beer Dep. at 72:5-8. Finjan also cites to Dr. Medvidovic’s report, where he identifies 10 as MPC without any explanation. See Medvidovic Rpt at ¶ 4332. The cited testimony 11 from Mr. Brozefsky’s deposition (another Cisco fact witness) and the cited internal Cisco document 12 appear to be describing the overall architecture of Threat Grid and – and it is unclear 13 (and Finjan fails to explain) how they relate to application launch scripts or whether application 14 launch scripts create virtual machines – let alone monitor or intercept anything. See Transcript of 15 Videotaped Deposition of Craig Brozefsky (“Brozefsky Dep.”) at 24:16-25:8, ECF 400-32; ECF 16 400-26 at CISCO-FINJAN_00074535.00010, 19, 20. The Court is not persuaded that Finjan has 17 identified any material triable issue of fact with respect to 18 Finjan has failed to cite to evidence to support that 19 Finjan appears to be citing to evidence describing 20 (not accused as MPC) instead of ” (accused as MPC). See 21 Medvidovic Rpt ¶ 4332 (identifying as MPC and as “mobile 22 code executor”). The cited testimony from Mr. Brozefsky identifies 23 Brozefsky 24 Dep. at 38:16-20. This is consistent with Mr. Brozefsky declaration that 25 26 Declaration of Craig Brozefsky in 27 Support of Cisco Systems, Inc.’s Motion for Partial Summary Judgment (“Brozefsky Decl.”) ¶ 10, 1 ECF 382-11. The Court is not persuaded that Finjan has identified any material issues of fact as to 2 whether (a data structure) is executable code – a requirement for MPC under the 3 Court’s construction. 4 Finjan simply argues that is “executable code because it is in the 5 programming language and monitor or intercepts potentially malicious computer 6 operations by creating a virtual environment in Opp’n at 17 (citing Medvidovic Rpt ¶ 7 4341, ECF 400-34 at CISCO-FINJAN_00000721.0002). The cited evidence, however, does not 8 support Finjan’s assertion. The cited Cisco document provides: 9 10 11 12 ECF 400-34 at CISCO-FINJAN_00000721.0002. Dr. Medvidovic references the same Cisco 13 document and makes no mention of creating a virtual environment. See Medvidovic Rpt ¶ 4341. 14 Finjan has not pointed to any evidence that is executable code or that it creates a virtual 15 environment. Thus, Finjan has failed to identify a triable issue of fact as to 16 Finjan argues that Opp’n 17 at 17 (citing Medvidovic Rpt.¶ 461). Finjan further argues that lly 18 Opp’n at 18 (citing 19 400-36 at CISCO-FINJAN_00272162.0008). Cisco does not meaningfully dispute Finjan’s claims 20 but argues that Finjan has no evidence that the commands actually used in Cisco’s (as 21 opposed to the general universe of commands noted in the Finjan cites) are those 22 that Finjan relies on. Reply at 11. Cisco might be correct – but the dispute is a factual one and not 23 properly subject to summary judgment. 24 *** 25 For the reasons stated above, the Court GRANTS Cisco’s motion for summary judgment as 26 to ” accused 27 as MPC. The Court DENIES Cisco’s motion for summary judgment as to 5. Estoppel under Doctrine of Equivalents 1 “[P]rosecution history estoppel limits the broad application of the doctrine of equivalents by 2 barring an equivalents argument for subject matter relinquished when a patent claim is narrowed 3 during prosecution.” Conoco, Inc. v. Energy & Envtl. Int’l, L.C., 460 F.3d 1349, 1363 (Fed. Cir. 4 2006). The Federal Circuit recognizes that “prosecution history estoppel can occur during 5 prosecution in one of two ways, either (1) by making a narrowing amendment to the claim 6 (‘amendment-based estoppel’) or (2) by surrendering claim scope through argument to the patent 7 examiner (‘argument-based estoppel’).” Id. Cisco argues that both occurred here. As an initial 8 matter, the Court notes that the briefing on this issue is sparse. For example, it is unclear which 9 specific DOE theories Cisco seeks to preclude under the amendment-based estoppel theory. In any 10 event, the Court endeavors to address the issues presented. 11 First, Cisco argues that “all claims originally submitted by Finjan were rejected, and then 12 Finjan amended each limitation to which it now applies the DOE.” MSJ at 16. According to Cisco, 13 because “claim 14 was narrowed by amendment for a reasons related to patentability (to overcome 14 the prior art and 101 rejections), there is a presumption that DOE is not available to claim 14[.]” 15 Reply at 12. Finjan responds that “amendments did not introduce new components nor change the 16 scope of the claims” and therefore “there was no surrendering of scope.” Opp’n at 20. 17 Where claims are amended, “the inventor is deemed to concede that the patent does not 18 extend as far as the original claim,” and the patentee has the burden of showing that the amendment 19 does not surrender the particular equivalent in question. Festo Corp. v. Shoketsu Kinzoku Kogyo 20 Kabushiki Co., 535 U.S. 738, 740 (2002). To succeed, then, the patentee must establish that: (1) the 21 equivalent was unforeseeable at the time the claim was drafted; (2) the rationale underlying the 22 amendment bears no more than a tangential relation to the equivalent in question; or (3) the patentee 23 could not reasonably be expected to have described the insubstantial substitute in question. Id. at 24 740–41. 25 26 27 1 The amendments to claim 14 (claim 30 at prosecution) are reproduced below: 2 30. (currently amended) A computer program product, comprising a 3 computer usable medium having a computer readable program code therein, 4 the computer readable program code adapted to be executed for computer security, the pracesserbased method; comprising: 5 providing a system, wherein the system comprises distinct 6 software modules, and wherein the distinct software modules comprise an information re-communicator and a mobile code executor; 7 receiving, at af the’ information re-communicator, 8 downloadable-information including executable code; and causing mobile protection code to be executed by [[a]] the 9 mobile code executor at a downloadable-information destination such that 10 one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code. 11 Db ECF 378-19 at FINJAN-CISCO 000890 (amendments underlined and struck through). This x B amendment was in response to the Office Action dated February 25, 2009, where the examiner 4 rejected claim 14 (claim 30 at prosecution) under 35 U.S.C. § 101 and under 35 U.S.C. 102(e) as 5 15 being anticipated by Golan, U.S. Patent 5,974,549. See ECF 378-18 at FINJAN-CISCO 000910, 16 11. “Ifa claim is narrowed for any reason related to patentability, ‘the inventor is deemed to concede 7 that the patent does not extend as far as the original claim.’” Quintal Research Grp., Inc. v. Nintendo 18 of Am., Inc., No. C 13-00888 SBA, 2015 WL 4396464, at *11 (N.D. Cal. July 17, 2015) (quoting 19 Festo, 535 U.S. at 722, 737-38). Thus, a narrowing amendment may occur when a preexisting claim 20 limitation is narrowed by amendment or when a new claim limitation is added by amendment. AngioScore, Inc. v. TriReme Med., Inc., 50 F. Supp. 3d 1276, 1301 (N.D. Cal. 2014) (citation and quotation marks omitted). Here, the overall claim was narrowed because claim limitations were 73 added. Accordingly, the Court agrees with Cisco that the amendment was a narrowing one to overcome a patentability challenge. 95 Next, the Court must consider whether Finjan has rebutted the presumption that it 26 surrendered the equivalent in question. Cisco has not identified the specific equivalent for which it seeks summary judgment. To the extent Cisco is arguing that Finjan’s amendment surrendered 28 equivalents of MPC — due to the rejection based on the Golan reference — the Court is not persuaded. 1 Finjan argues that the amendments were not due to the Golan reference because “Finjan identified 2 the same claim element that existed before the amendment (and, aside from the grammatical change 3 after the amendment) as not being taught by Golan and the examiner agreed.” Opp’n at 20 (citing 4 ECF 378-17 at FINJAN-CISCO 001021). The Court agrees. The element that contains the MPC 5 limitation had no more than a grammatical change and thus the amendment bears “no more than a 6 tangential relation” to the MPC element. See Festo, 535 U.S. at 740. Moreover, it appears that 7 Finjan overcame the Golan rejection by argument – not by amendment. Thus, the Court DENIES 8 Cisco’s motion for summary judgment on the basis of amendment-based estoppel of Finjan’s DOE 9 theories regarding MPC. To the extent that Cisco seeks summary judgment on other DOE theories 10 (unrelated to MPC) the Court finds that the issue is not adequately briefed and declines to rule on it. 11 Second, Cisco argues that “Finjan is estopped by argument-based estoppel” because “Finjan 12 argued clearly and unmistakably during prosecution that its invention was different from the Golan 13 reference because ‘Golan discusses a situation whereby a security monitor is already resident on a 14 client computer.’” MSJ at 17 (citing ECF 378-17 at FINJAN-CISCO 001020; ECF 378-19 at 15 FINJAN-CISCO 000899). Thus, according to Cisco, “by asserting a theory whereby a file is 16 transmitted to an alleged Information-Destination where there is ‘already resident’ something Finjan 17 characterizes as MPC, Finjan attempts to recapture through DOE exactly what it distinguished by 18 argument during prosecution, which it cannot do.” MSJ at 17. Finjan responds that Cisco’s 19 argument-based estoppel theory is “an attempt to reargue claim construction of ‘mobile protection 20 code.’” Opp’n at 20. Finjan also argues that there was no “clear and unmistakable surrender of 21 subject matter” during prosecution. Opp’n at 19. 22 The Court agrees with Finjan that Cisco’s argument-based estoppel theory is an attempt to 23 relitigate the claim construction of “mobile protection code” – where Cisco’s efforts to include 24 “mobile” in the construction were unsuccessful. See Cisco’s Responsive Claim Construction Brief 25 at 1 (citing to prosecution history distinguishing “present invention” from non-mobile, pre-installed 26 protection code at the client), ECF 154 ; see also Markman Order II at 4-6. As the Court explained 27 earlier in this Order, the Court is not persuaded that revisiting claim construction is warranted. 1 Accordingly, the Court DENIES Cisco’s motion for summary judgment on DOE theories 2 regarding MPC. 3 D. Non-infringement of the ’780 Patent 4 1. Background of the ’780 Patent 5 The ’780 patent is directed to a system and a method “for protecting a computer and a 6 network from hostile Downloadables.” ’780 Patent at 1:30-33. Downloadables are executable 7 programs typically requested by Internet browsers or web engines. Id. at 1:50-55. Examples of 8 Downloadables include Java applets, JavaScript scripts, and ActiveX controls. Id. at 1:55-61. The 9 specification explains that computer network security systems “are not configured to recognize 10 computer viruses which have been attached to or configured as Downloadable application 11 programs.” Id. at 1:47-50. To that end, the ’780 patent involves: (1) a security policy, (2) an 12 interface for receiving a Downloadable, and (3) a comparator “for applying the security policy to 13 the Downloadable to determine if the security policy has been violated.” Id. at 2:1-4. Once the 14 system receives a Downloadable, the system uses an ID generator to compute a Downloadable ID 15 by fetching all the components of the Downloadable and performing a hash function on the 16 Downloadable and the fetched components. Id. at 2:12-16. Next, a security policy may indicate 17 which test to perform on the Downloadable, including: 18 (1) a comparison with known hostile and non-hostile Downloadables; (2) a comparison with Downloadables to be blocked or allowed per 19 administrative override; (3) a comparison of the Downloadable security profile data against access control lists; (4) a comparison of 20 a certificate embodied in the Downloadable against trust certificates; and (5) a comparison of the URL from which the Downloadable 21 originated against trust and untrusted URLs. 22 Id. 2:17-26. A local engine will then determine, based on the result of these comparisons, whether 23 to allow or block the Downloadable. Id. 2:26-27. 24 The only asserted independent claim (claim 9) provides: 25 9. A system for generating a Downloadable ID to identify a Downloadable, comprising: 26 a communications engine for obtaining a Downloadable that 27 includes one or more references to software components an ID generator coupled to the communications engine that 1 fetches at least one software component identified by the one or more references, and for performing a hashing function on 2 the Downloadable and the fetched software components to generate a Downloadable ID. 3 ’780 Patent, Claim 9. 4 The Court construed “performing a hashing function on the Downloadable and the fetched 5 software components to generate a Downloadable ID” to mean “performing a hashing function on 6 the Downloadable together with its fetched software components to generate a unique and 7 reproducible ID for that Downloadable.” Markman Order I at 25. Relevant to this motion, the Court 8 has found that the ID generator may perform “one or more” hashing functions to generate “one or 9 more” Downloadable IDs for “one or more” Downloadables. Id. 10 2. AMP Products 11 Cisco argues that it is entitled to summary judgment as to the AMP products because AMP 12 Products hash each file as received and thus, “Finjan cannot satisfy the ‘fetched’ requirement or the 13 ‘together’ requirement of the Court’s construction.” MSJ at 19. Cisco explains 14 15 16 Id. On the other hand, 17 18 ” Id. 19 Finjan does not meaningfully dispute that AMP Products hash files as received, but argues 20 that software components that are “resident in a Downloadable” may nonetheless be “fetched” as 21 required by the claims. Opp’n at 21. According to Finjan, “Dr. Mitzenmacher provided an opinion 22 for each of the accused products (including AMP Products, Cisco Sandboxes, and combinations 23 thereof) discussing ‘hashing HTML files together with JavaScript’ showing that the accused 24 products for the ‘780 Patent infringe because the referenced software components (e.g., JavaScript), 25 that may be ‘inside’ the Downloadable (e.g., HTML or web page) are fetched first in order for them 26 to then be hashed together.” Opp’n at 21. 27 Cisco replies that (1) “[a]ll of Finjan’s ‘AMP’ evidence describes what Threat Grid does 1 after it receives a file (a Downloadable) from AMP” and not the AMP Products on their own and 2 (2) the claims require “‘fetching’ something that is not already in the Downloadable.” Reply at 12- 3 13. 4 As for Cisco’s first argument, the Court has reviewed the specific cites Finjan provided with 5 regard to AMP Products (Opp’n at 21-11 (citing Mitz. Rpt ¶¶ 1295, 1370, 1374, 1394, 1501, 1304))7 6 and has identified one paragraph in which Dr. Mitzenmacher opines that the AMP Products hash 7 files and internal software components together: 8 9 10 11 12 13 Mitz. Rpt ¶ 1394. Accordingly, Cisco’s “no evidence” theory fails. 14 As for Cisco’s substantive argument, the Court finds that Finjan has identified a disputed 15 issue of fact. Specifically, Finjan’s expert opines that an internal software component may be 16 “fetched” – and Cisco disagrees. Cisco dubs the dispute as “a question of claim construction.” 17 Reply at 13 (citing prosecution history and written description of the ’780 Patent). The Court 18 disagrees. The parties do not dispute that fetching must occur – Cisco simply rejects Dr. 19 Mitzenmacher’s opinion that software components may be fetched from within a Downladable. 20 Q. So your opinion is that a downloadable that contains components 21 when downloaded by a device, that device would also be fetching the components that are within that downloadable? 22 A. I’d say that would be one way that it could occur. 23 Deposition of Michael Mitzenmacher at 210:11-16, ECF 400-48. Moreover, as Finjan pointed out 24 at the Hearing, the ’780 Patent contemplated the scenario where the software components are 25 “embodied” in the Downloadable: 26 27 7 To be clear, the Court has not (or could reasonably be expected to have) reviewed the 600+ pages 1 The ID generator 315 preferably prefetches all components embodied in or identified by the code for Downloadable ID generation. For 2 example, the ID generator 315 may prefetch all classes embodied in or identified by the Java TM applet bytecode to generate the 3 Downloadable ID. 4 ’780 Patent, 4:56-61; Hr’g Tr. at 147:6-9 (“Mr. Hannah: The specification in column 4, line 56, it 5 actually specifically addresses this issue in which components are embodied within the 6 Downloadable. The Software components are embodied in the Downloadable.”) 7 *** 8 Accordingly, viewing the evidence in the light most favorable to Finjan, the Court finds that 9 a material issue of fact exists and thus DENIES Cisco’s motion for summary judgment as to AMP 10 Products. 11 3. Threat Grid and 12 Cisco seeks summary judgment of non-infringement as to Threat Grid and on 13 the ground that Finjan identifies no evidence that Threat Grid and perform a hashing 14 function on the Downloadable and fetched software components together. MSJ at 20. As for Threat 15 Grid, Cisco explains that when a file (“sample”) is submitted, Threat Grid generates 16 . MSJ at 20 (citing Brozefsky Decl. ¶ 12). 17 Threat Grid may then execute the sample in a sandbox, which may result in “artifacts” being created 18 and after the execution is completed 19 . MSJ at 20 (citing Brozefsky 20 Decl. ¶¶ 13-14). Based on this description, Cisco argues that “[w]hile the hashes of the 21 ultimately may be stored together, they are not hashed together[.]” MSJ at 20. As for 22 , Cisco argues that Finjan has only identified “an analysis report generated by 23 that includes a number of hashes” but has no evidence that performs a hashing 24 function on the Downloadable and fetched software components together.” MSJ at 20. According 25 to Cisco, summary judgment is warranted because “a ‘collection of hashes’ is not a Downloadable 26 ID.” MSJ at 20 (citing Mitz. Rpt ¶¶ 1365-1366, 1400-1402, 1528-1530). 27 Finjan responds that its infringement theories demonstrate that Cisco’s products “fetch” and 1 opinion for Cisco Sandboxes (like he did for AMP Products) 2 showing that the accused products for the ‘780 Patent infringe because the 3 referenced software components that may be ‘inside’ the Downloadable (e.g., 4 HTML or web page) are fetched first in order for them to then be hashed together.” Id.; see also 5 Opp’n at 22 (citing Mitz Rept ¶¶ 1370, 1374). As the Court concluded above for AMP products, 6 Finjan has identified a material issue of fact as to whether software components may be “fetched” 7 from “inside” the Downloadable. 8 Second, Finjan argues that Threat Grid and hash the Downloadable and the 9 fetched software components together because “a file will be hashed together with its fetched 10 software components and the combined analysis will include a unique Downloadable ID 11 .” Opp’n at 22 (citing Mitz. Rpt ¶¶ 1295, 1299, 1330, 1335, 1339, 1344, 1361, 12 1365, 1381, 1400). The cited paragraphs, however, support Cisco’s explanation that the file and its 13 components are . Finjan’s counsel 14 confirmed at the Hearing that as it comes in to Cisco’s sandboxes and those 15 hashes are then put in a report: 16 Mr. Hannah: …. It’s a single session they call. And so the file comes in, 17 That is all recorded in the same session. All of that is done together. Once that session is 18 complete, ... and when they see the processing is done, then they spit out, as counsel said, a report. 19 Hr’g Tr. at 133:22-133:7. Finjan nonetheless claims that “these are happening 20 together because it’s happening in a single session” . Hr’g 21 Tr. at 144:8-11. 22 The Court finds Finjan’s “sequence of hashes” argument unpersuasive. The storing together 23 of separately generated hashes does not satisfy the “together with” requirement of claim 9, as 24 construed by the Court. First, Finjan’s theory that the “sequence of hashes” are “happening 25 together” because they take place in the “same session” appears nowhere in the cited expert 26 testimony. Second, the claim requires “performing a hashing function on the Downloadable 27 together with its fetched software components to generate a unique and reproducible ID for that 1 Downloadable.” Markman Order I at 25. The Court fails to see how a “sequence of hashes” (created 2 in one session or otherwise) stored in a file or report is any different than simple hashing of files and 3 storing them together – neither of which Finjan invented. To be clear, the Court recognizes that 4 under the Court’s construction, the ID generator may perform “one or more” hashing functions – 5 but that doesn’t change the “together with” requirement, for which Finjan has failed to set forth any 6 evidence. Accordingly, the Court concludes that Finjan’s theory of “sequence of hashes” stored in 7 a file or report does not satisfy the claim requirements. 8 *** 9 Accordingly, with respect to Threat Grid and , the Court (i) DENIES summary 10 judgment as to Finjan’s infringement theory that software components may be fetched from “inside” 11 the Downloadable and then hashed together with the Downloadable and (ii) GRANTS summary 12 judgment as to Finjan’s infringement theory that a “sequence of hashes” stored in a report or file 13 satisfies the “together with” requirements of claim 9. 14 4. Dropper (Dropped Filed) 15 Separately, Cisco challenges Finjan’s infringement theories with regard to dropper (or 16 dropped) files. Cisco explains that dropped files are downloaded in response to a first file being 17 executed. MSJ at 22. Cisco argues that “dropped files” are “separate executable files that are 18 downloaded as a result of the original (e.g., ‘parent’) file executing” and thus, cannot satisfy the 19 claim element “software components required to be executed by the Downloadable.” MSJ at 22. 20 To make this argument, Cisco relies on the nature and functionality of dropper (or dropped) files, 21 but cites to no evidence in support of its factual assertions. Finjan, on the other hand, cites to Dr. 22 Mitzenmacher’s report, in which he describes the operation of dropper (or dropped) files within 23 Threat Grid. Opp’n at 23. On this record, the Court declines to conclude that no material dispute 24 of fact is present and DENIES summary judgment with respect to dropper (or dropped) files on the 25 ground that dropper (or dropped) files are “separate executable files.” 26 5. Estoppel under Doctrine of Equivalents 27 Cisco seeks summary judgment on Finjan’s DOE infringement theory for the ID generator 1 amended during prosecution to distinguish prior art by affirmatively requiring the ID generator to 2 || fetch at least one software component and to perform a hashing function on the Downloadable and 3 the fetched software components. MSJ at 22 (citing ECF 378-14 (780 Patent File History) at 4 || FINJAN-CISCO 000577, 602, 609). Because the amendments to claim 9 narrowed the scope of the 5 claim for purposes of patentability, Cisco argues, Finjan is estopped from asserting a DOE theory 6 || on this element. MSJ at 22. Finjan responds that the amendment only “reworded” the claim 7 || language and did not narrow the scope of the claim because the “fetching” and “hashing” language 8 || was included in the claim prior to the amendment. Opp’n at 24. According Finjan, because the 9 || amendments were not made “to narrow the claim element to overcome prior art, the ID generator is 10 || not subject to prosecution history estoppel.” Id. 11 Claim 9 (claim 11 during prosecution) was amended twice, as demonstrated below: q 12 \ (Currently amended) A system for generating a Downloadable ID to identify 13 a Downloadable, comprising: 5 14 a tommunications engine for obtaining a Downloadable that 6 includes _one_or re_references to software components required by the 2 15 Downloadable; and 5 16 an I generator coupled to the communications engine for fetching], if the Downloadable includes one or more references to a component,| 17 at least one software component identified by the one or more references, and for 18 performing a function jon the Downloadable and [all] the fetched software components [fetched] to fenerate a Downloadable ID. 19 ECF 378-14 at FINJAN-CISCO 000577 (amendments underlined). 20 21 22 23 24 25 26 27 28 1 2 4 J (Currently amended) A system for generating a Downloadable ID to identify 3 a Downloadable, comprising: 4 a communications engine for obtaining a Downloadable that 5 includes one or more references to software Components required to_be executed by the Downloadable; and □ 6 □ that Pebcles an TD generator coupled to the communications engine foe 7 , Seiehing at least one software component identified by the one or more references, g and for performing $metlon on the Downloadable and the fetched software comporients to generate a Downloadable ID. 9 ECF 378-14 at FINJAN-CISCO 000602 (amendments in handwriting). 10 Here, contrary to Finjan’s assertion, the amendment did not simply reword the claim 11 language. The ID generator element was amended to require: (1) fetching of at least one software a 12 component (as opposed to the broader pre-amendment language requiring fetching “at least one 13 component”) and (2) the claimed “function” to be a hashing function. These are narrowing 14 amendments — triggering the amendment-based estoppel on Finjan’s DOE theories regarding ID 15 generator. 16 Moreover, the amendments were made to overcome patentability challenges. The examiner 17 explained that the amended claim was allowed because “[i]t was not found to be taught in the art of Z 18 a downloadable that includes references to software components required to be executed by the 19 downloadable and performing a hashing function on the downloadable and the fetched software 20 component to generate a downloadable ID.” ECF 378-14 at FINJAN-CISCO 000610. Even if the 21 examiner had not identified the amendments as the reason for allowance, when the record lacks 22 explanation for the amendment, courts “presume that the PTO had a substantial reason related to 23 patentability for including the limiting element added by amendment.” Conoco, 460 F.3d at 1363 24 (citation omitted). 25 The burden then shifts to Finjan to show that the amendment does not surrender the particular 26 ID generator equivalent in question. Festo, 535 U.S. at 740. Finjan argues that “‘a function on the 27 Downloadable and all components fetched to generate a Downloadable ID’ as well as wherein the 28 1 function includes a hashing function’ existed prior to any amendments.” Opp’n at 24 (citing to ECF 2 378-14 at FINJAN-CISCO 000577-78). The Court is not persuaded. First, the “software 3 component” limitation was not included in the pre-amendment language. Second, the “hashing 4 function” was included in a separate (dependent) claim – not claim 9 (claim 11 at prosecution). See 5 ECF 378-14 at FINJAN-CISCO 000578 (claim 17). 6 Finally, Finjan argues that “the examiner, not Finjan, added the ‘hashing’ function, thus 7 prosecution history estoppel does not apply because there was no clear and unmistakable disavowal 8 by the patentee.” Opp’n at 24-25. Finjan appears to be conflating the standard for argument-based 9 estoppel (which Cisco has not moved on as to the ID generator) with amendment-based estoppel 10 (which Cisco has moved on). See Conoco, 460 F.3d at 1364 (“Unlike amendment-based estoppel, 11 we do not presume a patentee’s arguments to surrender an entire field of equivalents through simple 12 arguments and explanations to the patent examiner.”). When applying amendment-based estoppel, 13 courts “presume that the patentee surrendered all subject matter between the broader and the 14 narrower language” when an amendment is made for purposes of patentability. Festo, 535 U.S. at 15 739. 16 In sum, Finjan has failed to articulate why the amendments to claim 9 do not surrender the 17 DOE infringement theories it asserts. Accordingly, the Court GRANTS Cisco’s motion for 18 summary judgment on Finjan’s DOE infringement theories as to the ID generator limitation of claim 19 9. 20 E. Pre-Suit Damages 21 Cisco seeks summary judgment on the issue of pre-suit damages because “[n]o admissible 22 evidence exists of Finjan putting Cisco on notice, prior to the filing of the Complaint, that a specific 23 Cisco product infringes a specific Finjan patent, as required under the law to recover pre-suit 24 damages.” MSJ at 23. Finjan concedes that “for purposes of this trial only and preserving all 25 appeals, the start date of damages is the filing of the initial complaint on January 6, 2017.” Opp’n 26 at 25. Because there is no dispute, the Court GRANTS Cisco’s motion for summary judgment and 27 holds that Finjan is not entitled to recover damages prior to the date it filed suit (i.e., January 6, IV. ORDER 1 For the foregoing reasons, the Court: 2 (1) As to Cisco’s motion for summary judgment of non-infringement of the ’154 Patent, 3 a. Cisco’s motion is GRANTED with respect to AMP Products, 4 b. Cisco’s motion is DENIED with respect to URL rewriting feature of the ESA 5 Outbreak Filters, and 6 c. Cisco’s motion is GRANTED with respect to 7 accused as “content processor.” 8 (2) As to Cisco’s motion for summary judgment of non-infringement of the ’633 Patent, 9 a. Cisco’s motion is GRANTED with respect to 10 accused as MPC, 11 b. Cisco’s motion is DENIED with respect to kernel monitor, 12 ” accused as MPC, and 13 c. Cisco’s motion for summary judgment is DENIED with respect to Finjan’s DOE 14 theories regarding MPC. 15 (3) As to Cisco’s motion for summary judgment of non-infringement of the ’780 Patent; 16 a. Cisco’s motion for summary judgment is DENIED with respect to AMP 17 Products, 18 b. Cisco’s motion for summary judgment with respect to Threat Grid and 19 is (i) DENIED as to Finjan’s infringement theory that software 20 components may be fetched from “inside” the Downloadable and then hashed 21 together with the Downloadable and (ii) GRANTED as to Finjan’s infringement 22 theory that a “sequence of hashes” stored in a report or file satisfies the “together 23 with” requirements of claim 9. 24 c. Cisco’s motion for summary judgment is DENIED with respect to dropper (or 25 dropped) files on the ground that dropper (or dropped) files are “separate 26 executable files.” 27 d. Cisco’s motion for summary judgment is GRANTED with respect to Finjan’s 1 DOE theories regarding the ID generator limitation of claim 9. 2 (4) Cisco’s motion for summary judgment on the issue of pre-suit damages is GRANTED. 3 4 IT IS SO ORDERED. 5 6 || Dated: March 20, 2020 kom Lh ham tn) 7 BETH LABSON FREEMAN 8 United States District Judge 9 10 11 a 12 2B 15 16 («17 Z 18 19 20 21 22 23 24 25 26 27 28
Document Info
Docket Number: 5:17-cv-00072
Filed Date: 3/30/2020
Precedential Status: Precedential
Modified Date: 6/20/2024