`
`IN THE UNITED STATES DISTRICT COURT
`
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`FINJAN, INC.,
`Plaintiff,
`
` v.
` JUNIPER NETWORK, INC.,
`Defendant.
` /
`
`No. C 17-05659 WHA
`
`ORDER GRANTING IN PART
`EARLY MOTION FOR SUMMARY
`JUDGMENT ON ’494 PATENT
`
`INTRODUCTION
`In this patent infringement action, each side moves for early summary judgment on one
`asserted claim among many. For the reasons stated below, patent owner’s motion is GRANTED
`IN PART.
`
`STATEMENT
`
`THE ’494 PATENT.
`1.
`United States Patent No. 8,677,494 (“the ’494 patent”) relates to malware detection.
`It is generally directed to systems and methods for protecting devices from suspicious
`“Downloadables” — “an executable application program, which is downloaded from a source
`computer and run on the destination computer” (Dkt. No. 126 at 6). These Downloadables may
`be used to deliver malicious code without the user’s knowledge.
`Specifically, the ’494 patent’s claims involve three basic steps: (1) receive a
`Downloadable; (2) scan the Downloadable to generate security profile data (“Downloadable
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 2 of 21
`
`Security Profile (DSP) data”), which includes a list of suspicious computer operations that
`the Downloadable may attempt to perform; and (3) store the security profile in a database
`(’494 patent 21:20–25, 22:8–16).
`2.
`OVERVIEW OF ACCUSED PRODUCTS.
`
`
`
`SRX Gateways.
`A.
`Juniper’s SRX Gateways are network appliances and software that act as firewalls to
`protect a computer on a network from receiving malicious content. Once the SRX intercepts an
`incoming file, it determines whether it is a Downloadable type that should be analyzed (such as
`HTML, Microsoft documents, EXE files). If so, it then sends the entire file to the cloud-based
`Sky ATP for analysis.
`B.
`Sky ATP.
`Sky ATP is a cloud-based scanning system that inspects files with its “Malware
`Analysis Pipeline” to determine the threat level posed by the Downloadable. The Malware
`Analysis Pipeline in Sky ATP scans an unrecognized Downloadable using (1) a conventional
`antivirus check; (2) static analysis; and (3) dynamic analysis. Static analysis involves analyzing
`the Downloadable’s contents without actually running the file. Dynamic analysis, on the other
`hand, analyzes the Downloadable’s contents by executing and observing the file in a safe,
`
`2
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 3 of 21
`
`simulated environment called a “sandbox.” This multi-stage pipeline analysis renders a
`“verdict,” i.e. how dangerous the file is, which is returned to the SRX the next time it
`encounters the Downloadable.
`3.
`FINJAN’S MOTION ON CLAIM 10 OF THE ’494 PATENT.
`According to Finjan, Juniper infringes Claim 10 of the ’494 patent because the accused
`products “receive Downloadables from servers on the Internet, scan these Downloadables using
`dynamic and static analysis to generate a behavioral profile, and store the resulting behavioral
`profile in a results database” (Dkt. No. 98 at 2).
`Finjan now moves for summary judgment of direct infringement of Claim 10 based on
`(1) Juniper’s SRX Gateways used in combination with Sky ATP; and (2) Sky ATP alone (Dkt.
`No. 98 at 1). Juniper opposes on three grounds: (1) non-infringement; (2) invalidity based on
`unpatentable subject matter and indefiniteness; and (3) Finjan’s failure to mark (Dkt. No. 126
`at 1–2). Discovery relating to this round of early summary judgment informed both sides how
`the accused system works. This order follows full briefing and oral argument.
`ANALYSIS
`
`LEGAL STANDARD.
`1.
`Summary judgment is proper when there is no genuine dispute of material fact and the
`moving party is entitled to judgment as a matter of law. FRCP 56(a). A genuine dispute of
`material fact is one that “might affect the outcome of the suit under the governing law.”
`Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 247–48 (1986). In deciding a motion for
`summary judgment, we must accept the non-movant’s non-conclusory evidence and draw all
`justifiable inferences in its favor. Id. at 255.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`3
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 4 of 21
`
`INFRINGEMENT (OR NON-INFRINGEMENT).
`2.
`Claim 10 states (’494 patent at 22:7–16) (emphasis added):
`A system for managing Downloadables, comprising:
`a receiver for receiving an incoming Downloadable;
`a Downloadable scanner coupled with said receiver, for deriving
`security profile data for the Downloadable, including a list of
`suspicious computer operations that may be attempted by the
`Downloadable; and
`a database manager coupled with said Downloadable scanner, for
`storing the Downloadable security profile data in a database.
`To prove infringement, Finjan must show that Juniper’s accused products meet each
`properly construed limitation of Claim 10 either literally or under the doctrine of equivalents.
`See Deering Precision Instruments, LLC v. Vector Distribution Sys., Inc., 347 F.3d 1314, 1324
`(Fed. Cir. 2003). To establish literal infringement, all of the elements of the claim, as correctly
`construed, must be present in the accused products. TechSearch, LLC v. Intel Corp., 286 F.3d
`1360, 1371 (Fed. Cir. 2002). Finjan may also establish infringement under the doctrine of
`equivalents by “showing that the difference between the claimed invention and the accused
`product [is] insubstantial,” including “by showing on a limitation by limitation basis that the
`accused product performs substantially the same function in substantially the same way with
`substantially the same result as each claim limitation of the patented product.” Crown
`Packaging Tech., Inc. v. Rexam Beverage Can Co., 559 F.3d 1308, 1312 (Fed. Cir. 2009).
`To determine whether summary judgment of non-infringement (or infringement) is
`warranted, this order will first construe Claim 10 to determine its scope and then determine
`whether the properly construed Claim 10 reads on Juniper’s accused products. See Pitney
`Bowes, Inc. v. Hewlett-Packard Co., 182 F.3d 1298, 1304 (Fed. Cir. 1999).
`Claim terms “are generally given their ordinary and customary meaning,” i.e., “the
`meaning that the term would have to a person of ordinary skill in the art in question at the
`time of the invention.” Phillips v. AWH Corp., 415 F.3d 1303, 1312–13 (Fed. Cir. 2005).
`Claim construction examines the claim language itself, the specification, and, if in evidence,
`the prosecution history. Amgen Inc. v. Hoechst Marion Roussel, Inc., 314 F.3d 1313, 1324
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`4
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 5 of 21
`
`(Fed. Cir. 2003). When legal “experts” offer views on claim construction that conflict with each
`other or with the patent itself, such conflict does not create a question of fact or relieve the court
`of its obligation to construe the claim according to the tenor of the patent. Markman v. Westview
`Instruments, Inc., 52 F.3d 967, 983 (Fed. Cir. 1995).
`Here, the parties dispute the following terms: (1) “list of suspicious computer
`operations”; (2) “suspicious computer operations”; (3) “scanner”; (4) and “database manager.”
`This order will construe these terms in deciding the issue of infringement.
`A.
`“List of Suspicious Computer Operations.”
`This order construes the limitation “list of suspicious computer operations” as “list of
`computer operations in a received Downloadable that are deemed hostile or potentially hostile.”
`Significantly, the ’494 patent is a continuation of United States patent application Serial
`No. 08/964,388, now United States Patent No. 6,092,194 (the ’194 patent), entitled “System and
`Method for Protecting a Computer and a Network from Hostile Downloadables.” The later
`’494 patent incorporated the ’194 patent by reference. The ’494 patent’s specification itself
`provides no clarity as to the limitations at issue, so this order will look to the earlier ’194 patent’s
`specification for guidance.
`The ’194 patent uses, perhaps confusingly, the term “list” in multiple ways, two of which
`concern the dispute over the term “list of suspicious computer operations.” For our immediate
`purposes, we must distinguish between a pre-existing master list of suspicious computer
`operations versus a shorter list of suspicious computer operations freshly derived from a specific
`Downloadable. This duality of usage within the specification has allowed each side to construe
`the list in Claim 10 in two different ways. This order, however, holds that the list of suspicious
`computer operations referenced in Claim 10 is one derived from the specific Downloadable
`under scrutiny.1
`
`1 The ’194 patent specification further refers to two more lists — “a list of all files to be accessed by
`the Downloadable code” and an “access control list” (’194 patent at 5:53–54, 6:21) — but these lists do not
`contribute to the problem at hand.
`
`5
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 6 of 21
`
`Let’s start with the pre-existing master list. As between the two patents, only the ’194
`patent discloses any embodiment for deriving security profile data. That embodiment is found in
`a description of Figure 7, which illustrates the process for decomposing a Downloadable to
`derive DSP data (’194 patent at 9:24–29) (emphasis added):
`The code scanner . . . resolves a respective command in the machine
`code, and in step 715 determines whether the resolved command is
`suspicious (e.g., whether the command is one of the operations
`identified in the list described above with reference to [Figure] 3). . . .
`[I]f the code scanner in step 715 determines that the resolved command
`is suspect, then the code scanner 325 in step 720 decodes and registers
`the suspicious command . . . as DSP data.
`
`In essence, as described in Figure 7, the code scanner (1) “disassemble[s] the machine
`code of the Downloadable”; (2) “resolves a respective command in the machine code;” and
`(3) “determines whether the resolved command is suspicious” (’194 patent at 9:20–29). If the
`
`6
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 7 of 21
`
`resolved command is determined to be suspicious, then the code scanner (4) “decodes and
`registers the suspicious command . . . as DSP data” (id. at 9:34–37).
`In turn, a description of Figure 3 (which Figure 7 references) also includes the following
`example master list (id. at 5:58–6:4):
`An Example List of Operations Deemed Potentially Hostile
`File operations: READ a file, WRITE a file;
`Network operations: LISTEN on a socket, CONNECT to
` a socket, SEND data, RECEIVE data, VIEW
` INTRANET;
`Registry operations: READ a registry item, WRITE a
` registry item;
`Operating system operations: EXIT WINDOWS, EXIT
` BROWSER, START PROCESS/THREAD, KILL A
` PROCESS/THREAD, CHANGE PROCESS/
` THREAD PRIORITY, DYNAMICALLY LOAD A
` CLASS/ LIBRARY, etc.; and
`Resource usage thresholds; memory, CPU, graphics, etc.
`
`Specifically, a code scanner may identify a computer operation as suspicious by
`checking whether it is on the master “list described above with reference to [Figure] 3” —
`which most conceivably refers to the disclosed “Example List of Operations Deemed
`Potentially Hostile.”
`The adjective “master” is the Court’s own word choice, not the specification’s, but it
`captures the function served by the passages just quoted.
`The second list referenced in the specification is the shorter list compiled of suspicious
`operations derived only from a received Downloadable. In the preferred embodiment, that list
`is generated by comparing the operations in the Downloadable to the master list of suspicious
`operations. When there is a match, that specific operation goes on the second list.
`The description of Figure 3 — which Figure 7 references in connection with
`determining whether a command within a Downloadable is suspicious — further includes the
`following embodiment (’194 patent at 5:50–54):
`The code scanner 325 may generate the DSP data 310 as a list of
`all operations in the Downloadable code which could ever be
`deemed potentially hostile and a list of all files to be accessed by
`the Downloadable code.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`7
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 8 of 21
`
`For example, if the master list contains 200 commands, all predetermined as suspicious,
`the commands in the received Downloadable code would then be checked against this master
`list, resulting in a second list specific to the Downloadable based on the matched hits of, say,
`twenty commands.
`With at least two different “lists” in play in the specification, the question is then,
`which list does Claim 10 refer to? Reading the claim language and specification together as a
`whole, the claimed “list of suspicious computer operations” in Claim 10 refers to a list of
`computer operations found in the received Downloadable code that have been culled out as
`suspicious.
`First, the Claim 10 language itself indicates a list derived for a specific Downloadable,
`not a pre-existing list. This is apparent when the limitation is read in the claim’s context —
`“deriving security profile data for the Downloadable, including a list of suspicious computer
`operations that may be attempted by the Downloadable.” The context of this language
`indicates that the list referenced in Claim 10 is tied to operations found within the
`Downloadable code. This reading is further supported by the term’s parallel usage in Claim 1,
`which more clearly indicates that the “list of suspicious computer operations” is part of the
`security profile data derived specifically for a received Downloadable (see ’494 patent at
`21:20–23).
`Second, the specification supports this construction. For example, the Downloadable
`security profile data, which includes the list at issue, is derived specifically for a received
`Downloadable. The specification says that the Downloadable’s derived security profile data
`can then be compared against “the access control list” (yet another list), which “contains
`criteria indicating whether to pass or fail the Downloadable” (’194 patent at 6:13–23).
`While this important pass-fail step is not itself recited or reached in Claim 10, it illustrates
`that the “list of suspicious computer operations” within the Downloadable security profile data
`is necessarily limited to a specific Downloadable, not the pre-existing master list; otherwise,
`comparison with the access control list would be pointless. Moreover, the specification
`discloses that “the present invention may identify Downloadables that perform operations
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`8
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 9 of 21
`
`deemed suspicious” and that it “may examine the Downloadable code to determine whether the
`code contains any suspicious operations, and thus may allow or block the Downloadable
`accordingly” (id. at 2:32–37).
`This order therefore mostly agrees with Finjan on this limitation, as the purpose of the
`Downloadable security profile data is to look at code within a received Downloadable and
`compile a list tailored to that file (see Tr. 99:6–9). It therefore rejects Juniper’s assertion that
`Claim 10 includes both the pre-existing master list and the subset list of suspicious operations
`found in a Downloadable code (Tr. 100:19–102:4). In so arguing, Juniper embraces a
`construction of this limitation by a panel of the PTAB — “a list of all operations that could
`ever be deemed potentially hostile” — in Symantec Corporation & Blue Coat Systems LLC v.
`Finjan, Inc., IPR2015–01892, Paper No. 58 at 12 (P.T.A.B. Mar. 15, 2017) (Dkt. No. 126 at
`11). The same PTAB panel affirmed this construction in Palo Alto Networks, Inc. & Blue
`Coat Systems LLC v. Finjan, Inc., IPR2016–00159, Paper No. 50 at 33–35 (P.T.A.B. Apr. 11,
`2017). The panel based its construction on the aforementioned embodiment in the ’194 patent
`included in the following description of Figure 3, “list of all operations in the Downloadable
`code which could ever be deemed potentially hostile” (’194 patent at 9:24–29). This
`construction, however, remains dictum, as the Board’s decision did not ultimately turn on its
`adopted construction. See Symantec, IPR2015–01892 Paper No. 58 at 12. Anyway, this order
`disagrees with the panel’s construction.
`
`Using ellipses, Juniper justifies the panel’s dictum by quoting “all operations . . . which
`could ever be deemed potentially hostile” from the aforementioned embodiment, this to assert
`that the claimed list must refer to a pre-existing master list. This, however, is a sleight of hand.
`Counsel’s ellipses delete crucial limiting language, namely “in the Downloadable code,”
`i.e., the ’194 patent actually says “a list of all operations in the Downloadable code which
`could ever be deemed potentially hostile.” Once this language is read in full without ellipses,
`the list refers to what is found within the four corners of the received Downloadable code.
`This cannot refer to the master list. The Court is disappointed that Juniper’s counsel would use
`this sleight of hand. Once read in light of its true scope, this embodiment is fully consistent
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`9
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 10 of 21
`
`with this order’s adopted construction. Nor would it necessarily violate, as Juniper argues, the
`principle that “a claim interpretation that excludes a preferred embodiment from the scope of
`the claim is rarely, if ever, correct.” Accent Packaging, Inc. v. Leggett & Platt, Inc., 707 F.3d
`1318, 1326 (Fed. Cir. 2013) (quoting On-Line Techs., Inc. v. Bodenseewerk Perkin-Elmer
`GmbH, 386 F.3d 1133, 1138 (Fed. Cir. 2004)).
`This order finds that there is no genuine dispute that Juniper’s accused products meet
`this limitation. The accused system’s pre-existing master list, Juniper says, does not flag all
`operations that have been known to be suspicious or potentially hostile, including the example
`operation “CHANGE PROCESS/THREAD PRIORITY” given in the patent (Tr.
`101:22–105:4; Dkt. No. 126 at 24–25). But as discussed above, the ’494 patent does not claim
`the pre-existing list — it only claims the list of computer operations within a specific
`Downloadable deemed hostile or potentially hostile. Juniper’s Malware Analysis Pipeline
`does compile a list of operations within a received Downloadable identified as hostile or
`potentially hostile (Dkt. No. 98, Exh. 11; Cole Decl. ¶¶ 34–37, 41). Juniper offers no evidence
`(under this order’s construction) to the contrary.
`Juniper’s proposed construction would impose a seemingly impossible standard to
`meet. Juniper’s proposed “list of all operations which could ever be deemed potentially
`hostile” would require a list of every operation (not just in the received Downloadable but in
`every possible Downloadable) that has been and could ever be used in a potentially hostile
`manner. As Juniper would have it, this list would have to be universally exhaustive and thus
`impossible to meet, for the imagination of hackers never sleeps in devising new ways to cheat.2
`B.
`“Suspicious Computer Operations.”
`
`This order next rejects Juniper’s contention that the term “suspicious” in this context is
`
`indefinite. “[A] patent is invalid for indefiniteness if its claims, read in light of the
`specification delineating the patent, and the prosecution history, fail to inform, with reasonable
`certainty, those skilled in the art about the scope of the invention.” Nautilus, Inc. v. Biosig
`
`2 For added clarity, this order therefore adopts Finjan’s proposed construction with this modification,
`i.e., “list of computer operations in a received Downloadable that are deemed hostile or potentially hostile.”
`
`10
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 11 of 21
`
`Instruments, Inc., 134 S. Ct. 2120, 2124 (2014). “Indefiniteness must be proven by clear and
`convincing evidence.” Sonix Tech. Co., Ltd. v. Publications Int’l, Ltd., 844 F.3d 1370, 1377
`(Fed. Cir. 2017). Here, Juniper fails to show by clear and convincing evidence that
`determining whether or not a computer operation is “suspicious” is subjective and thus
`inherently certain.
`At issue here are essentially two distinct steps at which a computer operation is
`“deemed” suspicious. First, a human (say, a cyber security engineer) decides which computer
`operations, known to be capable of performing in a hostile manner (such as a WRITE
`command), to put on the pre-existing master list. This step necessarily requires that the human
`deem — this is the subjective part — an operation suspicious. Second, the patented system
`deems (or not) a computer operation in a received Downloadable code suspicious by checking
`it against the master list. If it’s on the master list, too bad — it’s suspicious. If it’s not, great,
`it’s not suspicious.
`Once a human composes the master list, the subjective part is over. That part is not
`covered by the patent. All that is covered is the comparison. This is objective because the
`operation is either on the master list or not.
`Juniper contends that the term “suspicious” is inherently subjective because “there is no
`standard or commonly accepted list of ‘suspicious’ computer operations” and that it requires a
`subjective determination (Dkt. No. 126 at 9–10). It further points to Finjan’s statement in the
`Symantec IPR proceeding that “there is no a priori understanding of what constitutes a
`‘suspicious computer operation.’ ” See Symantec, IPR2015–01892 Paper No. 58 at 9. Juniper
`(and Finjan) is right in arguing that there is no a priori understanding of “suspicious,” as the
`patent itself describes legitimate operations such as WRITE commands as “potentially hostile”
`(Dkt. No. 126 at 9–10; ’194 patent at 5:59).
`But this allegedly subjective inquiry happens in the first step as the master list is being
`compiled. That this initial determination by a human that an operation is suspicious may be an
`inherently subjective exercise, as argued by Juniper, is irrelevant to the definiteness of Claim
`10. That step, important as it may be, is not part of the claimed invention.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`11
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 12 of 21
`
`Again, what is claimed is the objective second step, where an operation found in an
`incoming Downloadable is deemed suspicious because that operation had been included in the
`master list (see ’194 patent at 5:59). As such, Juniper’s reliance on Interval Licensing LLC v.
`AOL, Inc., 766 F.3d 1364, 1371–74 (Fed. Cir. 2014), Datamize, LLC v. Plumtree Software,
`Inc., 417 F.3d 1342 (Fed. Cir. 2005), and International Test Solutions, Inc. v. Mipox
`International Corporation, No. C 16–00791 RS, 2017 WL 1367975, at *4 (N.D. Cal. Apr. 10,
`2017) (Judge Richard Seeborg), is unavailing. Those decisions involved “facially subjective”
`limitations that “provide[d] little guidance” on its own (“unobtrusive manner” in Interval
`Licensing, 766 F.3d at 1371–74 ) or were “completely dependent on a person’s subjective
`opinion” (“aesthetically pleasing” in Datamize, 417 F.3d at 1350).
`Here, on the other hand, “suspicious” as claimed and described in the specification is
`sufficiently definite such that a person of ordinary skill in the art can apply the claim language
`with reasonable certainty. Nautilus, 134 S. Ct. at 2124. As Finjan points out, a person of
`ordinary skill in the art “would be able to apply the claim language” by observing whether an
`accused system uses a pre-existing master list of computer operations “deemed hostile or
`potentially hostile to create a Downloadable security profile that includes a list of operations
`that were deemed suspicious according to the rules of the system” (Dkt. No. 184 at 5–6).
`Accordingly this order finds that Juniper fails to show by clear and convincing evidence that
`this limitation is indefinite.
`Note well that in saving this claim from indefiniteness by excluding the master list from
`the invention, Finjan has made the claim even more abstract than before — a problem we will
`address below.
`“Scanner.”
`C.
`Based on the claim language and specification of the ’494 and ’194 patents, this order
`mostly agrees with Finjan and therefore adopts its proposed construction, with modification.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`12
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 13 of 21
`
`This order construes “scanner” as “software that searches code to identify suspicious patterns
`or suspicious computer operations.”3
`The Claim 10 language and the’194 patent’s specification describe the role of the
`“code scanner” as deriving or resolving the Downloadable Security Profile data of a received
`Downloadable (’494 patent at 22:9–10; ‘194 patent at 5:41–42). The ’194 patent specification
`further explains that the code scanner “determines whether the resolved command is
`suspicious” and “may search the code for any pattern, which is undesirable or suggests that the
`code was written by a hacker” (194 patent at 5:54–57; 9:24–26). The specification thus
`supports this order’s construction of Claim 10’s scanner as software searching code to identify
`suspicious patterns or suspicious computer operations, whether static or dynamic.
`This order rejects Juniper’s attempt to construe this limitation as “a static analyzer that
`uses parsing techniques to decompose the code.” Juniper concentrates its fire on an
`embodiment in the ’194 specification, which describes a “code scanner” that “uses
`conventional parsing techniques to decompose the code . . . of the Downloadable into the DSP
`data” (’194 patent at 5:42–45) (emphasis added). “While claims are to be interpreted in light
`of the specification . . . it does not follow that limitations from the specification may be read
`into the claims.” Comark Comm’ns, Inc. v. Harris Corp., 156 F.3d 1182, 1186 (Fed. Cir.
`1998). Further, courts are “cautioned against limiting the claimed invention to preferred
`embodiments or specific examples in the specification.” Texas Instruments, Inc. v. United
`States Int’l Trade Comm’n, 805 F.2d 1558, 1563 (Fed. Cir. 1986). In fact, the ’194 patent
`elsewhere describes other embodiments of the code scanner, such as “disassembling machine
`code” ’(194 patent at 9:23–24), which renders Juniper’s construction too narrow.
`Juniper points to Finjan’s arguments in Symantec Corporation v. Finjan, Inc.,
`IPR2015–01892, Paper 27 at 29 (P.T.A.B. June 21, 2016) (Patent Owner Response) to set up a
`
`3 Finjan requests judicial notice of Finjan, Inc. v. Cisco Systems, Inc., No. C 17–00072 BLF, 2018 WL
`3537142 (N.D. Cal. July 23, 2018), where Judge Beth Freeman (who presided over the Blue Coat, 2015 WL
`363000 decision both parties rely on) construed the same limitation. A court may judicially notice a fact that is
`not subject to reasonable dispute because it “can be accurately and readily determined from sources whose
`accuracy cannot reasonably be questioned.” FRE 201(b). Accordingly, Finjan’s request for judicial notice is
`GRANTED.
`
`13
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 14 of 21
`
`disclaimer. To distinguish an earlier particular reference, which had described dynamic
`analysis, Finjan argued that the reference taught against the use of scanners (Dkt. No. 126 at 8,
`Exh. 12 at 29). By implication, Juniper asserts Finjan conceded that anything using dynamic
`analysis cannot be a scanner within the meaning of Claim 10. That is, Juniper posits, Finjan
`disclaimed the use of a dynamic analyzer as the claimed scanner. This chain of inferences,
`however, is insufficient to establish disclaimer by Finjan. Even recognizing that “applicants
`rarely submit affirmative disclaimers,” a prosecution disclaimer still requires “clear and
`unambiguous disavowal of claim scope.” Saffran v. Johnson & Johnson, 712 F.3d 549, 559
`(Fed. Cir. 2013) (citations omitted). The prior statement in question made by Finjan did not
`purport to limit the claim language itself, but rather purported to explain away a prior art
`reference. Even if we held Finjan to its statement that the reference taught against use of
`scanners, and even if the reference did use “dynamic analysis,” Juniper cites no Federal Circuit
`authority holding that a patent owner’s statement that a reference taught away from a claim
`limitation rises to the level of disclaimer as to claim scope. Therefore, given that the standard
`for finding a disclaimer is “demanding,” this order is unwilling to hold that “scanner” excludes
`dynamic analysis. Avid Tech., Inc. v. Harmonic, Inc., 812 F.3d 1040, 1045 (Fed. Cir. 2016).
`Under the adopted construction of “scanner,” i.e. “software that searches code to
`identify suspicious patterns or suspicious computer operations,” this order finds that Juniper’s
`accused products meet this limitation. Finjan argues that Juniper’s SRX Gateways with Sky
`ATP, and Sky ATP alone — which includes the Malware Analysis Pipeline involving both
`static and dynamic analyzers — constitute a Downloadable “scanner” (Dkt. No. 98 at 20).
`The evidence shows that the Malware Analysis Pipeline indeed generates a threat level
`“verdict” by searching a received Downloadable’s code to identify suspicious operations or
`patterns (Cole Decl. ¶ 35; Dkt. No. 154, Exh. 5 at 121:11-22). Juniper does not dispute that it
`meets this limitation under this order’s construction and thus does not point to any evidence in
`the record to the contrary. Accordingly, this order finds that Juniper’s accused products meet
`this limitation.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`14
`
`For the Northern District of California
`
`United States District Court
`
`
`
`Case 3:17-cv-05659-WHA Document 189 Filed 08/31/18 Page 15 of 21
`
`“Database Manager.”
`D.
`This order adopts Juniper’s proposed construction, “a program or programs that control
`a database so that the information it contains can be stored, retrieved, updated and sorted,”
`which comes verbatim from Finjan’s own explanation of this limitation in a former IPR
`proceeding.
`Specifically, Juniper’s proposed construction comes from Finjan itself in Palo Alto
`Networks, Inc. & Blue Coat Systems LLC v. Finjan, Inc., IPR2016–00159, Paper No. 50 at 49
`(P.T.A.B. Apr. 11, 2017). To overcome prior art, Finjan explicitly stated that a person of
`ordinary skill in the art “would ‘understand[] the term “database manager” to mean “a program
`or programs that control a database so that the information it contains can be stored, retrieved,
`updated and sorted.’ ” Id. at 49 (alteration in original) (citing Patent Owner’s Response, Paper
`17 at 43–44 (Aug. 12, 2016)). Now Finjan tries to walk back its previous statements, asserting
`that the plain and ordinary meaning already includes Juniper’s interpretation such that
`Juniper’s proposed construction adds unnecessary limitations