`
`IN THE UNITED STATES DISTRICT COURT
`
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`FINJAN, INC.,
`Plaintiff,
`
` v.
`JUNIPER NETWORKS, INC.,
`Defendant.
` /
`
`No. C 17-05659 WHA
`
`ORDER GRANTING EARLY
`MOTION FOR SUMMARY
`JUDGMENT ON ’780 PATENT
`
`INTRODUCTION
`In this patent infringement action, each side moves for early summary judgment on one
`asserted claim (of many) among many patents-in-suit. For the reasons stated below, accused
`infringer’s motion for summary judgment of non-infringement is GRANTED. A separate order
`will address the cross motion.
`
`STATEMENT
`The patents at issue relate to malware detection. They relate specifically to protecting
`against potentially malicious “downloadables” — executables (such as Java applets and
`JavaScript) that may be used to deliver malicious code without the user’s knowledge.
`1.
`THE ’780 PATENT.
`United States Patent No. 6,804,780 (the ’780 patent) describes the generation of an ID for
`a downloadable (“Downloadable ID”) in order to match it against previously encountered
`suspect downloadables. This saves the malware-protection system from going through an
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 180 Filed 08/12/18 Page 2 of 11
`
`intensive anti-malware analysis every time that downloadable attempts to enter the user’s
`system. When an unrecognized “Downloadable” knocks on the door, the patented invention is to
`fetch the components called out by the incoming file, then run a hashing function across the
`combined code. This creates a Downloadable ID.
`2.
`OVERVIEW OF ACCUSED PRODUCTS.
`
`
`
`The SRX.
`A.
`Juniper’s SRX Gateways are network appliances and software that act as firewalls to
`protect a computer on a network from receiving malicious content. Once the SRX intercepts an
`incoming file, it determines whether it is a Downloadable type that should be analyzed (such as
`HTML, Microsoft documents, EXE files). If so, it then sends the entire file to the cloud-based
`Sky ATP for analysis (Rubin Decl. ¶ 64; Opp. 4).
`B.
`Sky ATP.
`Sky ATP is a cloud-based scanning system that inspects files with its “Malware Analysis
`Pipeline” to determine the threat level posed by the Downloadable. The Downloadables of
`concern here are what the parties call “dropper” files (a term not explicitly mentioned in the
`specification) that, while executing, surreptitiously attempt to install separate malware, i.e., a
`“dropped” file (Br. 22; Rubin Decl. ¶ 76).
`
`2
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 180 Filed 08/12/18 Page 3 of 11
`
`The Malware Analysis Pipeline in Sky ATP scans an unrecognized Downloadable using
`(1) a conventional antivirus check; (2) static analysis; and (3) dynamic analysis. Static analysis
`involves analyzing the Downloadable’s contents without actually running the file. Dynamic
`analysis, on the other hand, analyzes the Downloadable’s contents by executing and observing
`the file in a safe, simulated environment called a “sandbox.” This multi-stage pipeline analysis
`renders a “verdict,” i.e. how dangerous the file is, which is returned to the SRX the next time it
`encounters the Downloadable (Br. 18; Rubin Decl. ¶ 66).
`3.
`JUNIPER’S MOTION ON CLAIM 1 OF THE ’780 PATENT.
`According to Finjan, Juniper infringes Claim 1 because the SRX obtains Downloadables
`with references to “dropped” software components. The Downloadable is submitted to Sky
`ATP, which dynamically analyzes the Downloadable. During this analysis, Sky ATP allegedly
`fetches referenced dropped components and creates a Downloadable ID, which includes a hash
`of the Downloadable together with its dropped software components (Opp. 1).
`Juniper now moves for summary judgment of non-infringement, arguing that the SRX
`and Sky ATP products do not infringe Claim 1. Discovery relating to this round of early
`summary judgment was taken. Both sides understand how the accused system works.
`This order follows full briefing and oral argument.
`ANALYSIS
`
`LEGAL STANDARD.
`1.
`Summary judgment is proper when there is no genuine dispute of material fact and the
`moving party is entitled to judgment as a matter of law. FRCP 56(a). A genuine dispute of
`material fact is one that “might affect the outcome of the suit under the governing law.”
`Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 247–48 (1986). In deciding a motion for
`summary judgment, the court must accept the non-movant’s non-conclusory evidence and draw
`all justifiable inferences in its favor. Id. at 255.
`INFRINGEMENT (OR NON-INFRINGEMENT).
`2.
`Claim 1 states (’780 patent at 10:23–32):
`A computer-based method for generating a Downloadable ID to
`identify a Downloadable, comprising:
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`3
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 180 Filed 08/12/18 Page 4 of 11
`
`obtaining a Downloadable that includes one or more
`references to software components required to be
`executed by the Downloadable;
`fetching at least one software component identified by
` the one or more references; and
`performing a hashing function on the Downloadable
`and the fetched software components to generate a
`Downloadable ID.
`The contested terms are italicized. Figure 8 of the ’780 patent illustrates this process:
`
`Juniper argues it is entitled to summary judgment of non-infringement as to Claim 1 of
`the ’780 patent because the SRX with Sky ATP do not hash incoming files “together with”
`fetched components to generate a single Downloadable ID (Br. 22–23).
`
`4
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 180 Filed 08/12/18 Page 5 of 11
`
`To determine whether summary judgment of non-infringement (or infringement) is
`warranted, this order must first construe Claim 1 to determine its scope and then determine
`whether the properly construed Claim 1 reads on Juniper’s accused products. See Pitney Bowes,
`Inc. v. Hewlett-Packard Co., 182 F.3d 1298, 1304 (Fed. Cir. 1999).
`Claim terms “are generally given their ordinary and customary meaning,” i.e., “the
`meaning that the term would have to a person of ordinary skill in the art in question at the
`time of the invention.” Phillips v. AWH Corp., 415 F.3d 1303, 1312–13 (Fed. Cir. 2005).
`To properly construe a claim, a court must examine the claim, the rest of the specification, and,
`if in evidence, the prosecution history. Amgen Inc. v. Hoechst Marion Roussel, Inc., 314 F.3d
`1313, 1324 (Fed. Cir. 2003). When legal “experts” offer views on claim construction that
`conflict with each other or with the patent itself, such conflict does not create a question of fact
`or relieve the court of its obligation to construe the claim according to the tenor of the patent.
`Markman v. Westview Instruments, Inc., 52 F.3d 967, 983 (Fed. Cir. 1995).
`Here, the parties dispute the following terms:1
`
`CLAIM TERM
`software components
`required to be executed
`by the Downloadable
`
`performing a hashing
`function on the
`Downloadable and the
`fetched software
`components to generate a
`Downloadable ID
`
`FINJAN
`plain and ordinary meaning
`(software components
`referenced by a Downloadable
`for execution)
`plain and ordinary meaning
`(performing a hashing function
`on the Downloadable together
`with its fetched software
`components to generate a
`Downloadable ID)
`
`JUNIPER
`software components
`that are needed to
`execute the
`Downloadable
`performing a hashing
`function on the
`Downloadable together
`with its fetched software
`components to generate a
`single hash value that
`identifies the contents of
`both the Downloadable
`and the fetched
`components
`
`1 Juniper originally also disputed the term “fetching at least one software component identified by the
`one or more references,” but stated in its reply that “the Court need not construe this term for purposes of this
`Motion” (Reply 3).
`
`5
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 180 Filed 08/12/18 Page 6 of 11
`
`Because this order finds construction of “performing a hashing function on the
`Downloadable and the fetched software components to generate a Downloadable ID”
`dispositive, it need not reach construction of any other term.
`A.
`“Performing a hashing function on the Downloadable
`and the fetched software components to generate a
`Downloadable ID.”
`Both parties agree that “performing a hashing function on the Downloadable and the
`fetched software components” means “performing a hashing function on the Downloadable
`together with its fetched software components” (Reply 3). The parties, however, dispute
`(1) what their agreed-upon construction, i.e. “together with,” actually means and (2) how to
`construe “Downloadable ID,” i.e. whether it must be a single hash value identifying the contents
`of both the Downloadable and fetched components (as Juniper argues) or can consist of multiple
`hash values collectively identifying the Downloadable (as Finjan argues) (id. 3–4).
`Juniper contends its accused system avoids this limitation because it does not hash a
`Downloadable “together with” any fetched components (Br. 16). This order agrees.
`Specifically, the uncontroverted record shows that the accused products hash the original
`Downloadable file and hash separately the fetched (“dropped”) files, i.e. the accused system
`never performs a hashing function on the Downloadable together with its fetched software
`components as required by Claim 1. Accordingly, Juniper’s accused system steers clear of
`Claim 1 of the ’780 patent.
`Finjan seems to argue that Sky ATP meets this limitation because “together with” can
`mean a myriad of things. It asserts that “together with” can mean “together in time,” i.e. the
`downloadable and fetched components are hashed simultaneously but separately (see Reply
`Exh. 1 at 125:10–15). Finjan also asserts that “together with” can occur at different times
`(Dkt. No. 151-6 at 125:3–5). Nothing matters, Finjan seemingly argues, so long as at the end, all
`separate hashes get collected together and stored someplace as one “larger global”
`Downloadable ID (see Reply Exh. 1 at 129:10–130:16). Finjan’s attempt to expand the scope of
`this limitation contradicts the specification and the very advantage this invention purportedly
`offers.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`6
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 180 Filed 08/12/18 Page 7 of 11
`
`Judge Freeman in Finjan, Inc. v. Blue Coat System, Inc., No. 13–03999 BLF, 2015 WL
`3630000, at *5 (N.D. Cal. June 2, 2015), was the first judge to scrutinize the contours of the
`“together with” construction.2 There, the parties similarly stipulated to construing the limitation
`at issue as “performing a hashing function on the downloadable together with its fetched
`components.” Id. at *5. Those parties, however, disputed the scope of “together with” at
`summary judgment stage. The defendant argued its accused product did not infringe this
`limitation because it received independent files and performed a hashing function to each
`individually, never hashing two or more files together. There, Finjan replied that this separation
`still met the limitation because the accused product hashed the files at the same time, even if
`separately (a theory Judge Freeman christened “togetherness in time”), and then combined the
`hashes into a Downloadable ID. Judge Freeman ultimately found that “a hashing function
`performed on a Downloadable ‘together with’ its referenced components must operate across the
`combination of a Downloadable and its fetched components,” id. at *6 (emphasis added), in
`order to “transmute the Downloadable and its components into a unique and reproducible
`‘number or string output.’ ” Ibid. (emphasis in original).
` Finjan seizes upon Judge Freeman’s observation that “the ’780 Patent is not so limited
`that ‘a hashing function’ means a single hash—the overall function of hashing an object or
`combination of objects could potentially be accomplished by a sequence of several hashes or
`computations” to argue that Juniper improperly narrows the claim (Opp. 13–14). In so finding,
`Judge Freeman considered the general rule that indefinite articles “ ‘a’ or ‘an’ can mean ‘one or
`more,’ ” such that the ’780 patent’s hashing function is not limited to a single hash. Blue Coat,
`2015 WL 3630000, at *7 (quoting Baldwin Graphic Systems, Inc. v. Siebert, Inc., 512 F.3d 1338,
`1342 (Fed. Cir. 2008)).
`In the context of the instant case, however, this order holds that the “hashing function”
`in the ’780 patent must derive a single hash. Claim 1 fails to claim a collection of individual
`hashes. While a person of ordinary skill in the art might understand that a Downloadable could
`
`2 The district court only addressed the meaning of “together with” and did not construe
`“Downloadable ID” at that time (as that term was not at issue).
`
`7
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 180 Filed 08/12/18 Page 8 of 11
`
`be identified using a collection of hashes, Claim 1 requires that the ID be reduced to a single
`value (see Br. Exh. 2 at 3; ’780 patent at 10:3–5). The flow and sequence of the claim itself
`strongly suggests the answer — the claimed system inspects the incoming code, fetches
`referenced components, then performs a hashing function on both the Downloadable and fetched
`components to derive “a Downloadable ID.” The specification echoes this view.
`First, the specification states that an ID generator computes a Downloadable ID
`preferably “by fetching all components of the Downloadable and performing a hashing function
`on the Downloadable including the fetched components” (’780 patent at 2:12–16) (emphasis
`added). Figure 8 (above) — “a flowchart illustrating a method 800 for generating a
`Downloadable ID” — and its description further support this interpretation. This method
`provides that the ID generator “in step 820 may fetch some or all components referenced in the
`Downloadable code, and in step 830 includes the fetched components in the Downloadable code”
`(id. at 9:58–65) (emphasis added). The ID generator then “in step 840 performs a hashing
`function on at least a portion of the Downloadable code” (id. at 9:65–67). By following these
`steps, “the Downloadable ID will be the same for the identical Downloadable each time it is
`encountered” (id. at 10:3–5). All of this makes clear that “together with” means that the hashing
`function “must operate across the combination of a Downloadable and its fetched components.”
`See Blue Coat, 2015 WL 3630000, at *6 (emphasis added).
`Second, Finjan’s argument would evade the point of the invention. Perhaps a collection
`of multiple hashes could amount to a Downloadable ID, but that is different from what was
`actually claimed. The problem addressed by this patent was that “[t]he same Downloadable
`may be delivered with some required software components included and others missing” (see Br.
`Exh. 2 at 3). Thus the point of the ’780 patent, as promoted by the inventor himself, was to
`produce the same ID for a given Downloadable “regardless of which software components are
`included with the Downloadable and which software components are only referenced” (ibid.;
`’780 patent at 4:64–66, 10:3–5). In this way, “the same Downloadable is recognized through
`many equivalent guises” (Br. Exh. 2 at 3). In other words, the perceived problem was that the
`malware might arrive attached to or configured as a Downloadable, but this Downloadable could
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`8
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 180 Filed 08/12/18 Page 9 of 11
`
`arrive in whole or in pieces. The perceived solution was to fetch the missing components,
`incorporate them into the executable, and then hash the combination. Accordingly, the same ID
`would result regardless, whether the Downloadable arrived with or without the components.
`Obtaining the same single ID for a specific Downloadable is ensured only if the hashing
`function operates across both the Downloadable and its fetched files in place. As Juniper points
`out, and this order agrees, “the only way for the same ID to be generated is by providing the
`hashing function with the same input” (Br. 4; Rubin Decl. ¶¶ 24–27). Any changes in the hash
`input will change the output. If a given Downloadable includes a software component one time
`but merely references it another time (and thus the ID generator encounters two different inputs),
`different hash values will result. Finjan’s theory of separately hashing and collectively storing
`multiple hashes together as a Downloadable ID could thus potentially yield multiple IDs for the
`same Downloadable, depending on how it is received — defeating the very purported advantage
`of the ’780 patent. This limitation therefore necessitates that a hashing function operate across
`both the original Downloadable file and fetched components together in the manner described by
`Juniper to generate the same ID.
`To repeat, in order to guarantee reproducibility, the hashing function must operate
`across both the Downloadable and fetched components melded together to create the same
`Downloadable ID, regardless of the Downloadable’s permutation. At bottom, this necessarily
`means that “Downloadable ID” entails one hash on the Downloadable and fetched components,
`not a collection of separate hashes as Finjan suggests here. In construing this limitation, the
`PTAB similarly construed “Downloadable ID” as “a single hash value,” finding that there was
`“no persuasive support in the specification or the language of the claims for construing a
`Downloadable ID as ‘one or more’ hash values, that ‘collectively’ identify a Downloadable.”
`Palo Alto Networks, Inc. v. Finjan, Inc., IPR2016–00165, Paper 7 at 9 (P.T.A.B. Apr. 21, 2016).
`Thus to this extent, this order perhaps disagrees with Judge Freeman in Blue Coat and Finjan,
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`9
`
`
`
`Case 3:17-cv-05659-WHA Document 180 Filed 08/12/18 Page 10 of 11
`
` Inc. v. Cisco Systems, Inc., No. C 17–00072 BLF, 2018 WL 3537142 (N.D. Cal. July 23, 2018)
`(Judge Beth Labson Freeman) and agrees with the PTAB.3
`Accordingly, this order adopts Juniper’s proposed construction: “performing a hashing
`function on the Downloadable together with its fetched software components to generate a single
`hash value that identifies the contents of both the Downloadable and the fetched components.”
`B.
`Accused Products Do Not Infringe.
`Finjan’s infringement theory is as follows: when the SRX with Sky ATP dynamically
`analyzes an incoming Downloadable, Sky ATP creates subhashes for the incoming
`Downloadable and its “dropped” files (fetched components). These hashes are then stored
`together, constituting a single, global Downloadable ID (see Opp. 20; Mitz. Decl ¶ 91, 98).
`Under this order’s claim construction, however, this infringement theory fails. Finjan provides
`no evidence showing that the SRX with Sky ATP perform “a hashing function across the
`Downloadable together with its fetched software components,” i.e. a hashing function operates
`across the combination of the Downloadable and its fetched components together.
`There is no genuine dispute that the accused products hash a Downloadable, separately
`hash its fetched components, and store those separate hash values together. Finjan does not
`point to any non-conclusory evidence to the contrary. The dropped files are not hashed until the
`Downloadable undergoes dynamic analysis, i.e. after the original Downloadable file is hashed
`when first received (see Mitz. Decl. ¶¶ 74–75, 89; Reply Exh. 1 at 199:18–22). Finjan’s expert
`seemingly confirms that files are indeed separately hashed, explaining that Sky ATP’s “Behavior
`Details . . . demonstrate[s] the hashing that takes place as they identify hashes for” a dropped
`file, which is “separate from the hash computed” for its dropper file (Mitz. Decl. ¶ 86)
`(emphasis added). Thus Finjan has not shown that the SRX and Sky ATP perform a hashing
`function on the downloadable together with its fetched software components.
`
`3 Finjan requests judicial notice of Finjan, Inc. v. Cisco Systems, Inc., No. C 17–00072 BLF, 2018 WL
`3537142 (N.D. Cal. July 23, 2018), where Judge Freeman (who presided over the Blue Coat, 2015 WL 363000
`decision both parties rely on) construed the same limitation. A court may judicially notice a fact that is not
`subject to reasonable dispute because it “can be accurately and readily determined from sources whose accuracy
`cannot reasonably be questioned.” FRE 201(b). Accordingly, Finjan’s request for judicial notice is GRANTED.
`
`10
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 180 Filed 08/12/18 Page 11 of 11
`
`CONCLUSION
`For the foregoing reasons, Juniper’s motion for summary judgment of non-infringement
`is GRANTED.
`
`IT IS SO ORDERED.
`
`Dated: August 9, 2018.
`
`
`WILLIAM ALSUP
`UNITED STATES DISTRICT JUDGE
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`11
`
`