Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 1 of 133
`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 1 of 133
`
`EXHIBIT 1
`EXHIBIT 1
`REDACTED VERSION OF
`REDACTED VERSION OF
`DOCUMENT SOUGHT TO BE
`DOCUMENT SOUGHT TO BE
`SEALED
`SEALED
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 2 of 133
`
`PAUL ANDRE (State Bar No. 196585)
`pandre@kramerlevin.com
`LISA KOBIALKA (State Bar No. 191404)
`lkobialka@kramerlevin.com
`JAMES HANNAH (State Bar No. 237978)
`jhannah@kramerlevin.com
`KRISTOPHER KASTENS (State Bar No. 254797)
`kkastens@kramerlevin.com
`KRAMER LEVIN NAFTALIS & FRANKEL LLP
`990 Marsh Road
`Menlo Park, CA 94025
`Telephone: (650) 752-1700
`Facsimile: (650) 752-1800
`
`Attorneys for Plaintiff
`FINJAN, INC.
`
`IN THE UNITED STATES DISTRICT COURT
`
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`SAN FRANCISCO DIVISION
`
`FINJAN, INC., a Delaware Corporation,
`
`Case No.: 3:17-cv-05659-WHA
`
`Plaintiff,
`
`EXPERT REPORT OF DR. ERIC COLE
`
`v.
`
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`JUNIPER NETWORKS, INC., a Delaware
`Corporation,
`
`Defendant.
`
`COLE EXPERT REPORT
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 3 of 133
`
`ATP further stores the results in, for example, the ResultsDB. The databases include database schemas
`
`to organize the data and serve one or more other applications.
`
`30.
`
`This system provides a number of technical benefits for the customers of Juniper. By
`
`collecting profiles in database, intelligence is gathered and distributed across the entire Juniper network
`
`and allows customers to proactively block threats and reduce samples that lead to false positives. This
`
`allows Juniper and its customers to respond to the most potentially destructive threats while also
`
`reducing costs. Additional evidence of the importance of this technology is the fact that Juniper has
`
`devoted additional resources to increase its use. In fact, Juniper made a strategic decision to purchase
`
`Cyphort to strengthen its focus in this area. Thus, the increased use of this technology demonstrates that
`
`it is an important technology for Juniper and its customers.
`
`31.
`
`Moreover, the technology provides many benefits for the customers of Juniper,
`
`including accuracy as having a database of the results that allows Juniper and its customers to more
`
`accurately identify and neutralize malware designed to evade detection technology.
`
`32.
`
`Users of this system will also see an increase in speed and efficiency because once the
`
`system generates a profile for a given Web page it does not have to undergo this operation again.
`
`Instead, the system can retrieve the stored DSP from the database. This saves on computation time for
`
`having to reanalyze the downloadable via Sky ATP, but also on bandwidth because the system does not
`
`have to send the downloadable to Sky ATP to re-analyze it if the downloadable was already scanned.
`
`33.
`
`Furthermore, the SRX Gateways and Sky ATP allow customers better protection as
`
`malware can be stopped before it reaches the file system of the client computer. This is because the
`
`Internet poses additional security threats, as such content may execute upon entry into a client
`
`computer. Content such as JavaScript and VBScript may be executed by an Internet browser, as soon as
`
`the content is received within a web page. This technology allows the malware you identify to be
`
`blocked at the gateway.
`
`COLE EXPERT REPORT
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`10
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 4 of 133
`
`34.
`
`This technology also provides many benefits for Juniper. For example, integrating the
`
`data resulting from the Sky ATP analysis allows this data to be used for Juniper research and analysis of
`
`the threat picture which can be fed into the Juniper network. It is important for Juniper to have a
`
`continuously updated threat picture because it is must be able to defend and protect its customers. The
`
`integration of cloud technology that stores results of the sandboxing analysis reduces total cost of
`
`security for the customer and allows them to more effectively block threats. It also dramatically reduces
`
`advanced threat payloads resulting in lower capacity and capital costs required for malware inspection
`
`using sandboxing solutions.
`
`35.
`
`Juniper’s Sky ATP includes sandboxing that is used to identify the “zero day threats”
`
`that are seen. FINJAN-JN 005438 at 5439 (“Patent pipeline of technologies to analyze sophisticated
`
`malware, “detonate” files in a controlled sandboxing environment, and identify zero day threats.”).
`
`Based on Juniper’s documentation, I understand that it takes approximately 6-7 minutes for the Sky
`
`ATP sandbox to perform its analysis on a suspect file. FINJAN-JN 044844; FINJAN-JN044744 at
`
`4763-764 (“The majority of the time spent inspecting a file is in dynamic analysis … The file is
`
`uploaded to this environment and is allowed to run for several minutes.”).
`
`COLE EXPERT REPORT
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`11
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 5 of 133
`
`COLE EXPERT REPORT
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`12
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 6 of 133
`
`JNPR_FNJN_29008_00514106 at 137; Id. at174. This analysis includes creating the security profile of
`
`the suspect file. If the data security profile is already in the database because Sky ATP has already seen
`
`the file, then the Sky ATP less than 1 second to make that determination. FINJAN-JN 044844. As
`
`described, the number of servers that would be required to process a file for sandboxing would be 360-
`
`420 times greater (6-7 minutes * 60 seconds) than what is required to serve the file from the database of
`
`results (1 second). This is because the server that would be utilized for only 1 second to serve a
`
`response, will now be occupied for an additional 359-419 seconds. Furthermore, if the file is not
`
`previously known it will also run through the infringing static analysis processing performed in Sky
`
`ATP (in addition to the infringing Sandboxing) meaning that the amount of processing power required
`
`by the Sky ATP would be actually more than 360-420 times what is required using the database look-
`
`up. FINJAN-JN 044844; FINJAN-JN044744 at 4763 (“Basic static analysis is … around 30 seconds”).
`
`Based on my analysis of the Sky ATP system, Juniper enjoys great technical benefits based on its use
`
`of a system that infringes Claim 10 of the ‘494 Patent.
`
`36.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`COLE EXPERT REPORT
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`13
`
`
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 7 of 133
`
`
`
`
`
`
`
`
`
`37.
`
`Furthermore, based on a publication from CNN in 2015, there are approximately
`
`1,000,000 new viruses released every day for attacking networks. In order to protect against this vast
`
`amount of malware given the time constraints of the sandbox analysis, Juniper must use databases so
`
`that malware that has been previously seen does not have to be scanned. For example, if one of
`
`Juniper’s customers sees a new virus in the morning, the virus will already be scanned by the afternoon,
`
`which could protect other Juniper customer, while requiring very little additional processing for Juniper
`
`because it has already performed the processing and saved the results. JNPR-FNJN_29008_00507347
`
`at 7370 (showing that the results the results of Sky ATP are shared through its “Threat Sharing
`
`Ecosystem” for Juniper “Threat Intelligence Pool to identify and prevent malware quickly and
`
`effectively”); FINJAN-JN 005438 (“Once identified, the malware’s signature is recorded in the lookup
`
`cache and widely propagated to stop similar attaches in the future.”); FINJAN-JN 044744 at 4760
`
`(“shared environment ensures that everyone benefits from new threat intelligence in near real-time.”).
`
`However, if Juniper was not able to leverage databases to store the sandbox results, in order to protect
`
`against the threats in 2015, it would have to increase its capacity because each piece of malware would
`
`have to run in a sandbox regardless of whether Juniper had analyzed the malware before.
`VII. OVERVIEW OF THE ACCUSED PRODUCTS
`A. SRX Gateways
`Juniper SRX Gateways are next generation security gateways that provide essential
`
`38.
`
`capabilities to secure a workforce. The SRX Gateways all operate using the Junos operating system.
`
`The SRX Gateways operate as a gateway between the untrusted Internet and a trusted internal network.
`
`FINJAN-JN 005382 at 85. The SRX Gateways receive content (such as Downloaded files) from the
`
`Internet, and depending on what type of content is received, can send the file to Sky ATP for analysis,
`
`and generates a profile which is stored in a database, which includes information such as whether it is
`
`COLE EXPERT REPORT
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`14
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 8 of 133
`
`
`
`VIII. ANALYSIS OF CLAIM 10 OF THE ‘494 PATENT
`A. Overview of Juniper’s Infringement
`43.
`Juniper sells, builds, and operates SRX Gateways and the Sky ATP in the United States.
`
`Juniper infringes Claim 10 of the ‘494 Patent because the combination of the SRX Gateways and Sky
`
`ATP meet every element of the claim and Sky ATP on its own meets every element of the claim. The
`
`SRX Gateways are receivers that receive incoming executable files that an internal computer is
`
`attempting to download (the Downloadable), and based on the file type detected for the file, can submit
`
`the file to Sky ATP for analysis. The software in Sky ATP is also a receiver because it receives files
`
`submitted from SRX Gateways to Sky ATP using the SRX API. Sky ATP includes a Downloadable
`
`scanner in the form of a malware inspection pipeline with static and dynamic analysis components.
`
`Sky ATP uses the malware inspection pipeline to scan a Downloadable and generate a profile for it.
`
`This security profile generated by the malware inspection pipeline includes results from the static and
`
`dynamic analysis that includes a list of suspicious computer operations like creating files, dynamically
`
`determining API calls, and contacting remote servers. Sky ATP stores the results of this scanning in a
`
`database, which includes software for managing this database to store and retrieve information. I
`
`understand that the Court has found that as a matter of law, all elements except for “database” of Claim
`
`10 of the ‘494 Patent were found to be infringed by the Accused Products. However, as a “database
`
`manager” was found to be present, it is necessary that a “database” is also present. I’ve set forth my
`
`analysis demonstrating this.
`44.
`
`Notably, the date of first infringement is around October 2015. JNPR-
`
`FNJN_29002_00172356 (Unit Test Plan regarding Sky ATP); “"Juniper Networks Unveils Advanced
`
`Anti-Malware Cloud Service, Security Management and the Latest Firewalls", Juniper Networks
`
`Newsroom (http://newsroom.juniper.net/press-release/juniper-networks-unveils-latest-security-
`
`innovations).
`B. Preamble of Claim 10 of the ‘494 Patent
`45.
`The preamble of claim 10 of the ‘494 Patent is “[a] system for managing
`
`Downloadables, comprising:”. While I understand that a preamble is only limiting on a claim in certain
`
`COLE EXPERT REPORT
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`
`19
`
`CASE NO. 3:17-cv-05659-WHA
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 9 of 133
`
`
`
`
`
`
`
`
`
`
`
` 
`
`1.
`
`“Database” of the ‘494 Patent
`
`83.
`
`I understand that Court has determined as a matter of law that the Accused Products
`
`include “a database manager coupled with said Downloadable scanner, for storing the Downloadable
`
`security profile data in a …” and the only remaining issue is whether the database manager stores the
`
`security profile in a “database.” For the term database, I have used the plain and ordinary meaning of
`
`the term “database,” which refers to “a collection of interrelated data organized according to a database
`
`schema to serve one or more applications.” This is consistent with my understanding of a database and
`
`has been adopted in cases and Courts. Juniper admits that the results of the malware analysis pipeline
`
`(the “adapters”) is stored in the database of results. Juniper’s Response to Finjan’s Fourth Set of
`
`Interrogatories at 14 (“DynamoDB and Amazon RDS—which do store adapter results …”).
`
`84. Overall, from a technical perspective, it does not make sense for a product or service to
`
`have a database manager without a database. Based on the fact the Court held that the Accused
`
`Products include a database manager, it seems only logical that the Accused Products also contain a
`
`database.
`
`i.
`
`“a collection of interrelated data”
`
`85.
`
`The stored security profile information from the malware analysis pipeline is a
`
`collection of interrelated data because the data stored in the ResultsDB Database relates to security
`
`information for files and also because
`
`
`
` The data stored in the ResultsDB Database is a “collection” of data because it contains data
`
`that was collected through the Sky ATP scanning of files. In fact,
`
`
`
` The results data stored by the ResultsDB is a collection of interrelated
`
`COLE EXPERT REPORT
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`35
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 10 of 133
`
`106.
`
`I also understand that Juniper also argues that “database schema” is limited to “a
`
`description of a database to a database management system (DBMS) in the language provided by the
`
`DBMS.” First, I understand that the Court has not adopted this construction and that it is not required
`
`by the claim. However, even if it were a limitation, Juniper meets this construction as
`
`
`
`
`
`
`
`
`
`I declare under penalty of perjury under the laws of the United States that the foregoing is true
`
`and correct. Executed on September 10, 2018 in Ashburn, Virginia.
`
`Dr. Eric Cole
`
`COLE EXPERT REPORT
`HIGHLY CONFIDENTIAL – SOURCE CODE
`
`46
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 11 of 133
`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 11 of 133
`
`EXHIBIT 2
`EXHIBIT 2
`REDACTED VERSION OF
`REDACTED VERSION OF
`DOCUMENT SOUGHT TO BE
`DOCUMENT SOUGHT TO BE
`SEALED
`SEALED
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 12 of 133
`
`IN THE UNITED STATES DISTRICT COURT
`
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`Case No. 3:17-cv-05659-WHA
`
`FINJAN, INC.,
`
`Plaintiff,
`
`v.
`
`JUNIPER NETWORKS, INC.,
`
`Defendant.
`
`EXPERT REPORT OF KEVIN M. ARST
`
`September 11, 2018
`
`HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 13 of 133
`
`6.1. Finjan, Inc.
`
`Finjan is a wholly-owned subsidiary of Finjan Holdings, Inc. and is the business operating the licensing
`and enforcement of the parent company’s cybersecurity patent portfolio.10 Finjan was founded in 1997 as
`a wholly-owned subsidiary of Finjan Software Ltd. (“FSL”), an Israeli corporation, to cultivate
`proprietary technologies that focused on proactively detecting threats to web and network traffic by
`identifying patterns and behavior of web and network viruses and other malicious code, rather than
`relying on lists of threats known within the web and network security industry.11 Finjan’s “behavior-
`based” approach was summarized by the United States Court of Appeals for the Federal Circuit in
`connection to a patent infringement dispute initiated by the company as follows:
`
`The “behavior-based” approach to virus scanning was pioneered by Finjan and is disclosed in the
`’844 patent’s specification. In contrast to traditional “code-matching” systems, which simply look
`for the presence of known viruses, “behavior-based” scans can analyze a downloadable’s code and
`determine whether it performs potentially dangerous or unwanted operations—such as renaming or
`deleting files. Because security profiles communicate the granular information about potentially
`suspicious code made available by behavior-based scans, they can be used to protect against
`previously unknown viruses as well as “obfuscated code”—known viruses that have been
`cosmetically modified to avoid detection by code-matching virus scans.12
`
`:::
`
`The security profile approach also enables more flexible and nuanced virus filtering. After an
`inspector generates a security profile for a downloadable, a user’s computer can determine
`whether to access that downloadable by reviewing its security profile according to the rules in
`whatever “security policy” is associated with the user. Administrators can easily tailor access by
`applying different security policies to different users or types of users. And having the security
`profile include information about particular potential threats enables administrators to craft
`security policies with highly granular rules and to alter those security policies in response to
`evolving threats.13
`
`Finjan invested heavily in the research and development of its technologies and in protecting its
`innovations by securing patents covering them.14 Following the development of its technologies, FSL,
`together with its subsidiaries, provided secure web gateway solutions – including software and hardware
`– to the enterprise and endpoint markets both directly and through technology partners and/or original
`
`10 Finjan Holdings is a publicly-traded cybersecurity company focused on four businesses: intellectual property
`licensing and enforcement, mobile security application development, advisory services, and investing in
`cybersecurity technologies and intellectual property. See, Finjan Holdings, Inc. Form 10-K for the fiscal year
`ended December 31, 2017, p. 4.
`11 Finjan Holdings, Inc. Form 10-K for the fiscal year ended December 31, 2017, p. 4.
`12 Decision of the U.S. Court of Appeals for the Federal Circuit, Finjan, Inc., v. Blue Coat Systems, Inc., Case No.
`13-cv-03999, January 10, 2018, pp. 6-7. Unknown viruses are also known as “unknown threats” or “zero-day”
`threats. https://blog.finjan.com/zero-day-threats/.
`13 Decision of the U.S. Court of Appeals for the Federal Circuit, Finjan, Inc., v. Blue Coat Systems, Inc., Case No.
`13-cv-03999, January 10, 2018, p. 7.
`14 Finjan Holdings, Inc. Form 10-K for the fiscal year ended December 31, 2017, p. 4. In November 2013 Finjan
`reported that the company Finjan has raised over $65 million in venture financing for R&D investment in the
`Company's software security legacy operating business since its inception. See, https://www.finjan.com/news-
`media/press-releases/detail/114/finjan-holdings-announces-equity-investment-in.
`
`4
`HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 14 of 133
`
`equipment manufacturers ("OEMs").15 In 2002, Finjan Software, Inc. (“FSI”), a Delaware corporation,
`was formed to acquire and hold all of the capital stock of Finjan.16 Thereafter, FSI focused its efforts on
`research & development and sales & marketing activities in an effort to bolster its position in the security
`industry and enhance its platform of web / network inspection technologies.17
`
`By 2005, International Data Corporation (“IDC”), a widely referenced provider of market intelligence for
`the information technology, telecommunications, and consumer technology markets, recognized Finjan as
`both “the inventor” of proactive content behavior inspection and “a leading innovator” in the proactive
`content security space:
`
`Finjan Software, the inventor of proactive content behavior inspection, protects organizations using
`its Next Generation of Vital Security Appliance Series of products that provide day-zero defense
`against new, previously unknown attacks by leveraging its proprietary application-level behavior
`blocking technology.18
`
`:::
`
`As a leading innovator in the proactive content security space, Finjan is committed to providing its
`customers with the most advanced technology solutions to ensure day-zero security. Currently,
`Finjan has eight technology patents with various others pending. Finjan's Malicious Code
`Research Center (MCRC) specializes in the discovery and analysis of new vulnerabilities that could
`be exploited for Internet and email attacks. Using this expertise, MCRC researchers contribute to
`the development of Finjan's next-generation products to keep Finjan customers protected from the
`next, yet-to-be-discovered attacks, as well as work with the world's leading software vendors to
`patch their security holes.19
`
`IDC also recognized Finjan’s technologies at the time as cost effective, “best-in-breed” technologies:
`
`Believing that security is best achieved through multiple layers of protection, Finjan's Vital
`Security Appliance Series NG platform offers an integrated best-in-breed solution suite of
`proactive, behavior-based, and traditional security technologies, including proactive malicious
`mobile code and active content defense, traditional antivirus protection, antispam defense, URL
`filtering, HTTPSISSL traffic scanning, digital watermarking, and ORM.20
`
`:::
`
`15 Finjan Holdings, Inc. Form 10-K for the fiscal year ended December 31, 2017, p. 4.
`16 Finjan Holdings, Inc. Form 10-K for the fiscal year ended December 31, 2017, p. 4.
`17 Finjan Holdings, Inc. Form 10-K for the fiscal year ended December 31, 2017, p. 4.
`18 IDC_FINJAN-JN 008896 at 951. (Emphasis added)
`19 IDC_FINJAN-JN 008896 at 951. (Emphasis added)
`20 IDC_FINJAN-JN 008896 at 951. (Emphasis added)
`
`5
`HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 15 of 133
`
`The Vital Security Appliance Series NG-5000 and Series NG-8000 are Finjan's next generation
`content security platforms, comprising an advanced set of robust hardware-based security solutions
`for enterprises. Integrating Finjan's patented Next Generation Application-Level Behavior
`Blocking, Vulnerability Anti.dote and Anti-Spyware with best-of-breed antivirus, antispam, and
`URL filtering engines, Finjan's enterprise solutions provide day-zero protection against both
`known and unknown attacks from Web and email traffic. Finjan offers these solutions in a series of
`cost-effective, ready-to-use, high performance appliances. In addition, Finjan offers a dedicated
`Anti-Spyware Gateway Appliance for enterprises that require a standalone antispyware solution
`with minimal management overhead.21
`
`:::
`
`Vital Security Appliance NG-1100 is Finjan's next generation offering for Web security, comprising
`Next Generation Application-Level Behavior Blocking, Vulnerability Anti.dote, Anti-Spyware, and
`best-of-breed third-party antivirus and URL filtering engines. Using combinations of these
`modules, small and medium sized businesses can build an integrated solution based on their
`specific needs.22
`
`IDC identified FSL as the sixth (tie) largest worldwide secure content management product vendors in
`2004:
`
`Figure 1
`Worldwide Secure Content Management Market ($ in Millions): 2003-200423
`
`Finjan’s Vital Security products have received several industry awards, including the Network
`Datastream Protection award in eWEEK’s Seventh Annual Excellence Awards in June 2007 and the
`Excellence in Web Security, Excellence in Anti-Malware, and Excellence in Gateways Awards in the 2007
`Global Product Excellence Awards from the Info Security Products Guide.24
`
`In October 2009, FSI transferred its portfolio of intellectual property to Finjan.25 Thereafter, in
`November 2009, FSI sold certain assets, including certain of its operating subsidiaries, not including
`
`21 IDC_FINJAN-JN 008896 at 950. (Emphasis added)
`22 IDC_FINJAN-JN 008896 at 950. (Emphasis added)
`23 IDC_FINJAN-JN 008896 at 910. In 2004, Finjan was also ranked 15th and 14th in the worldwide antivirus and
`worldwide messaging security markets, respectively. See, IDC_FINJAN-JN 008896 at 914 and 916.
`24 FINJAN-JN 029541 at 541 and 543.
`25 Finjan Holdings, Inc. Form 10-K for the fiscal year ended December 31, 2017, p. 5.
`
`6
`HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 16 of 133
`
`
`
`
`
`Finjan, and its sales and marketing assets to M86 Security ("M86").26 Finjan also granted a fully-paid,
`non-exclusive patent license to M86, in consideration for which M86 issued shares of its common stock
`to Finjan and FSI.27 In connection with that transaction, and subsequent to November 2009, FSI and its
`remaining subsidiaries (including Finjan) ceased the development, manufacture, marketing, and sale of its
`products, as well as research conducted through its Malicious Code Research Center as part of a
`confidential non-compete provision.28 Notwithstanding, Finjan retained ownership of its patents and all
`related rights.29 In March 2012, M86 merged with Trustwave Holdings, Inc. ("Trustwave") through
`which M86’s license from Finjan was renewed with Trustwave to include an expanded scope and an
`extension of the aforementioned non-compete for the development of software and hardware security
`products.30
`
`6.1.1. Finjan Licenses Technology
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`26 Finjan Holdings, Inc. Form 10-K for the fiscal year ended December 31, 2017, p. 4.
`27 Finjan Holdings, Inc. Form 10-K for the fiscal year ended December 31, 2017, p. 4.
`28 Finjan Holdings, Inc. Form 10-K for the fiscal year ended December 31, 2017, p. 4.
`29 Finjan Holdings, Inc. Form 10-K for the fiscal year ended December 31, 2017, p. 4.
`30 Finjan Holdings, Inc. Form 10-K for the fiscal year ended December 31, 2017, p. 4.
`
`
`
`
`
`
`
`
`7
`HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 17 of 133
`
`,
`
`(cid:131)
`
`(cid:131)
`
`36
`
`
`
`
`
`
`
`
`
`8
`8
`HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`HIGHLY CONFIDENTIAL - ATTORNEYS’ EYES ONLY
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 18 of 133
`
`9
`HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`HIGHLY CONFIDENTIAL - ATTORNEYS’ EYES ONLY
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 19 of 133
`
`10
`HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`HIGHLY CONFIDENTIAL - ATTORNEYS’ EYES ONLY
`
`
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 20 of 133
`
`11
`HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`HIGHLY CONFIDENTIAL - ATTORNEYS’ EYES ONLY
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 21 of 133
`
`
`
`
`
`
`
`6.1.2. Finjan’s Licensing Approach
`
`As illustrated above Finjan’s licensing activities have evolved with the company’s business. Following
`the end of 2017 Finjan described its historical approach to licensing as follows:
`
`
`
`
`
`
`12
`HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 22 of 133
`
`(cid:131)
`
`Premium – Includes all features provided in the Free and Basic-Threat Feeds licenses, but
`provides deeper analysis. All file types are examined using several analysis techniques to give
`better coverage. Full reporting provides details about the threats found on your network.77
`
`In addition to the Sky ATP license, Juniper requires the following licenses to be installed on devices for
`Sky ATP to work correctly:
`
`(cid:131)
`
`(cid:131)
`
`(cid:131)
`
`(cid:131)
`
`(cid:131)
`
`SRX340 and SRX345 Series devices – Purchase the JSE bundle (which includes AppSecure),
`or purchase the JSB bundle and the AppSecure license separately.
`
`SRX 550m Series devices – Purchase a bundle that includes AppSecure, or purchase the
`AppSecure license separately.
`
`SRX 1500 Series devices – Purchase the JSE bundle (which includes AppSecure).
`
`SRX 5000 Series devices – Purchase a bundle that includes AppSecure, or purchase the
`AppSecure license separately.
`
`vSRX – Purchase a bundle that includes AppSecure, or purchase the AppSecure license
`separately.78
`
`According to Juniper, its SRX and Sky ATP products “each have a substantial number of features that
`contribute to consumer demand, both alone and synergistically in combination with one or more of each
`other and/or other Juniper products and services.” 79
`
`6.3.2. Juniper’s Alleged Use of the ’494 Patent and its Benefits
`
`Dr. Cole described Juniper’s alleged use of the ’494 Patent as follows:
`
`SRX Gateways and Sky ATP acts as a receiver of incoming Downloadables intended for client
`computers. SRX Gateways and Sky ATP generate a security profile that includes a list of suspicious
`operations for Downloadables and stores the profiles in a database. SRX Gateways and Sky ATP
`further stores the results in, for example, the ResultsDB. The databases include database schemas
`to organize the data and serve one or more other applications.80
`
`I understand that through its alleged use of the ’494 Patent, Juniper and its customers realized technical
`and economic benefits described by Dr. Cole as follows:
`
`77 https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/reference/general/sky-atp-
`licenses-overview.html.
`78 https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/reference/general/sky-atp-
`licenses-overview.html.
`79 Defendant Juniper Networks, Inc.’s Response to Plaintiff Finjan, Inc.’s Second Set of Interrogatories,
`Interrogatory No. 6.
`80 Expert Report of Dr. Cole, September 10, 2018, ¶ 29.
`
`23
`HIGHLY CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`

`

`Case 3:17-cv-05659-WHA Document 273 Filed 11/27/18 Page 23 of 133
`
`This system provides a number of technical benefits for the customers of Juniper. By collecting
`profiles in database, intelligence is gathered and distributed across the entire Juniper network and
`allows customers to proactively block threats and reduce samples that lead to false positives. This
`allows Juniper and its customers to respond to the most potentially destructive threats while also
`reducing costs. Additional evidence of the importance of this technology is the fact that Juniper has
`devoted additional resources to increase its use. In fact, Juniper made a strategic decision to
`purchase Cyphort to strengthen its focus in this area. Thus, the increased use of this technology
`demonstrates that it is an important technology for Juniper and its customers.81
`
`:::
`
`Moreover, the technology provides many benefits for the customers of Juniper, including accuracy
`as having a database of the results that allows Juniper and its customers to more accurately
`identify and neutralize malware designed to evade detection technology.82
`
`:::
`
`Users of this system will also see an increase in speed and efficiency because once the system
`generates a profile for a given Web page it does not have to undergo this operation again. Instead,
`the system can retrieve the stored DSP from the database. This saves on computation time for
`having to reanalyze the downloadable via Sky ATP, but also on bandwidth because the system does
`not have to send the downloadable to Sky ATP to re-analyze it if the downloadable was already
`scanned.83
`
`:::
`
`Furthermore, the SRX Gateways and Sky ATP allow customers better protection as malware can be
`stopped before it reaches the file system of the client computer. This is becau