Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 1 of 17
`
`IRELL & MANELLA LLP
`Jonathan S. Kagan (SBN 166039)
`jkagan@irell.com
`Alan Heinrich (SBN 212782)
`aheinrich@irell.com
`Joshua Glucoft (SBN 301249)
`jglucoft@irell.com
`1800 Avenue of the Stars, Suite 900
`Los Angeles, California 90067-4276
`Telephone: (310) 277-1010
`Facsimile: (310) 203-7199
`
`Rebecca Carson (SBN 254105)
`rcarson@irell.com
`Kevin Wang (SBN 318024)
`kwang@irell.com
`Ingrid Petersen (SBN 313927)
`ipetersen@irell.com
`840 Newport Center Drive, Suite 400
`Newport Beach, California 92660-6324
`Telephone: (949) 760-0991
`Facsimile: (949) 760-5200
`
`Attorneys for Defendant
`JUNIPER NETWORKS, INC.
`
`
`
`
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`SAN FRANCISCO DIVISION
`FINJAN, INC., a Delaware Corporation,
`)
`Case No. 3:17-cv-05659-WHA
`
`)
`
`DEFENDANT JUNIPER NETWORKS,
`Plaintiff,
`)
`INC.’S MOTION TO STRIKE NEW
`
`)
`THEORIES FROM PLAINTIFF FINJAN,
`vs.
`
`)
`INC.’S MOTION FOR SUMMARY
`
`)
`JUDGMENT
`JUNIPER NETWORKS, INC., a Delaware
`)
`Corporation,
`)
`
`)
`)
`)
`
`
`
`Defendant.
`
`
`
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`
`
`JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 2 of 17
`
`NOTICE OF MOTION
`TO ALL PARTIES AND THEIR ATTORNEYS OF RECORD:
`PLEASE TAKE NOTICE that on May 2, 2019, at 8:00 a.m., or as soon thereafter as the
`matter may be heard, in Courtroom 12, 19th Floor, of the San Francisco Courthouse, 450 Golden
`Gate Avenue, San Francisco, California 94102, before the Honorable William Alsup, Defendant
`Juniper Networks, Inc. (“Juniper”) will and hereby does move for an order striking the new
`infringement theories plaintiff Finjan, Inc. (“Finjan”) introduced for the first time in its Motion for
`Early Summary Judgment Regarding Infringement of Claim 1 of U.S. Patent No. 8,141,154 (Dkt.
`No. 369, the “Motion”). This motion is based on: this Notice of Motion; the Memorandum of Points
`and Authorities below; the Declaration of Joshua Glucoft and exhibits attached thereto; all
`documents in the Court’s file; and such other written or oral argument as may be presented at or
`before the time this motion is heard.
`The parties met and conferred regarding this issue but Finjan was unwilling to withdraw its
`previously undisclosed infringement theories and unable to provide specific citations in its
`infringement contentions showing where all of Finjan’s new infringement theories were disclosed.
`STATEMENT OF RELIEF REQUESTED
`Juniper seeks an order striking from Finjan’s Motion and corresponding expert declaration
`all of the new infringement theories that Finjan presented for the first time in its Motion because
`Finjan failed to timely and properly disclose such theories as required under Patent L.R. 3.
`STATEMENT OF ISSUES TO BE DECIDED
`1.
`Whether Finjan disclosed its identification of “http://” as the claimed “first function”
`in its infringement contentions.
`2.
`Whether Finjan disclosed its identification of ATP Appliance’s SmartCore
`component as the claimed “content processor” and chain heuristics engine as the claimed “security
`computer” in its infringement contentions.
`3.
`Whether Finjan disclosed its identification of Sky ATP’s “verdict engine” as the
`claimed “security computer” in its infringement contentions.
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`- 1 -
`
`JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 3 of 17
`
`4.
`Whether Finjan disclosed its identification of “whitelisting” and starting/stopping
`file analysis as the claimed “second function” in its infringement contentions.
`5.
`Whether Finjan disclosed its identification of marking an object as “clean” or moving
`an object to “END” state as the claimed “second function” in its infringement contentions.
`6.
`Whether Finjan disclosed its identification of transmitting a verdict that is
`independent of the client computer’s security policy as infringing under the doctrine of equivalents
`in its infringement contentions.
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`- 2 -
`
`JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 4 of 17
`
`TABLE OF CONTENTS
`
`
`
`I.
`II.
`III.
`
`IV.
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`Page
`INTRODUCTION ............................................................................................................... 1
`BACKGROUND ON THE ’154 PATENT ........................................................................ 2
`NEW THEORIES ............................................................................................................... 2
`A.
`New Theory No. 1: “Http://” As The Claimed “First Function” ............................ 2
`B.
`New Theory No. 2: “SmartCore” As The Claimed “Content
`Processor” And “Chain Heuristics” As The Claimed “Security
`Computer” In The ATP Appliance Infringement Theory ....................................... 4
`New Theory No. 3: “Verdict Engine” As The Claimed “Security
`Computer” In The Sky ATP Infringement Theory ................................................. 6
`New Theory No. 4: “White listing” And Starting/Stopping File
`Analysis As The Claimed “Second Function” In The Sky ATP
`Infringement Theory ............................................................................................... 7
`New Theory No. 5: Marking An Object As “Clean” And Moving An
`Object To “END” State As The Claimed “Second Function” In The
`ATP Appliance Infringement Theory ..................................................................... 8
`New Theory No. 6: “Safe” As Infringing Under The Doctrine Of
`Equivalents .............................................................................................................. 8
`CONCLUSION ................................................................................................................. 10
`
`E.
`
`F.
`
`C.
`
`D.
`
`- i -
`
`JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 5 of 17
`
`
`
`Cases
`
`TABLE OF AUTHORITIES
`
`
`
`Page(s)
`
`Adobe Sys. Inc. v. Wowza Media Sys.,
`No. 11–CV–02243–JST, 2014 WL 709865 (N.D.Cal. Feb. 23, 2014) ......................................11
`
`ASUS Comp. Int’l v. Round Rock Research, LLC,
`No. 12–CV–02099–JST (NC), 2014 WL 1463609 (N.D. Cal. Apr. 11,
`2014) ...........................................................................................................................................11
`
`Finjan, Inc. v. Blue Coat Sys., Inc.,
`No. 13-cv-03999-BLF, 2015 WL 3640694 (N.D. Cal. June 11, 2015) .................................2, 11
`
`Richtek Tech. Corp. v. uPI Semiconductor Corp.,
`No. C 09-05659 WHA, 2016 WL 4269095 (N.D. Cal. Aug. 15, 2016)
`(Alsup, J.) .....................................................................................................................................1
`
`Straight Path IP Group, Inc. v. Apple Inc.,
`No. C 16-03582 WHA, 2017 WL 3967864 (N.D. Cal. Sept. 9, 2017)
`(Alsup, J.) .....................................................................................................................................1
`
`Takeda Pharm. Co., Ltd. v. Twi Pharms., Inc.,
`No. 13-CV-02420-LHK, 2015 WL 1227817 (N.D. Cal. March 17, 2015) ................................11
`
`Rules
`
`Patent Local Rule 3 ............................................................................................................................2
`
`Patent Local Rule 3-1(c) ....................................................................................................................1
`
`Patent Local Rule 4 ..........................................................................................................................11
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`- ii -
`
`JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 6 of 17
`
`I.
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`INTRODUCTION
`Juniper respectfully requests that this Court strike from Finjan’s Motion for Summary
`Judgment (Dkt. No. 369, unredacted at Dkt. No. 368-4, the “Motion”) and the corresponding expert
`declaration of Dr. Michael Mitzenmacher six new infringement theories that Finjan did not disclose
`in its infringement contentions as required under Patent Local Rule 3-1(c).
`Patent L.R. 3-1(c) requires that a patent owner provide accused infringers with infringement
`contentions that include a “chart identifying specifically where and how each limitation of each
`asserted claim is found within each Accused Instrumentality.” “The rules are designed to require
`parties to crystallize their theories of the case early in the litigation and to adhere to those theories
`once they have been disclosed.” Richtek Tech. Corp. v. uPI Semiconductor Corp., No. C 09-05659
`WHA, 2016 WL 4269095, at *1 (N.D. Cal. Aug. 15, 2016) (Alsup, J.) (emphasis added) (quoting
`Atmel Corp. v. Info. Storage Devices, Inc., No. 95-1987, 1998 WL 775115, at *2 (N.D. Cal. Nov.
`5, 1998) (quotation marks omitted)). The rules “prevent a ‘shifting sands’ approach to patent
`litigation,” id., and bars patent owners from presenting new infringement theories during summary
`judgment: “[Plaintiff] will not, however, be allowed to argue on summary judgment or at trial that
`[defendant] directly infringes under the doctrine of equivalents using any theory that has not been
`adequately disclosed in the infringement contentions pursuant to our Patent Local Rules.” Straight
`Path IP Group, Inc. v. Apple Inc., No. C 16-03582 WHA, 2017 WL 3967864, at *3 (N.D. Cal. Sept.
`9, 2017) (Alsup, J.).
`Notwithstanding the prohibition against introducing new infringement theories on summary
`judgment, Finjan’s Motion presents a bevy of previously undisclosed theories about what
`components of the accused Juniper products correspond to multiple limitations in Claim 1 of the
`’154 Patent, including the claimed “first function,” “content processor,” “security computer,” and
`“second function.” Finjan has also presented a new, previously undisclosed theory under the
`doctrine of equivalents. Juniper respectfully requests that the Court strike from Finjan’s Motion and
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`
`- 1 -
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`ISO JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 7 of 17
`
`corresponding expert declaration these previously undisclosed theories.1 See, e.g., Finjan, Inc. v.
`Blue Coat Sys., Inc., No. 13-cv-03999-BLF, 2015 WL 3640694, at *3-4 (N.D. Cal. June 11, 2015)
`(striking a “different theory” in Finjan’s expert’s report that relied on a “different component” than
`the one identified in Finjan’s infringement contentions).
`II.
`BACKGROUND ON THE ’154 PATENT
`The text of Claim 1 of the ’154 Patent is presented in full below. The bold terms are ones
`for which Finjan introduced a new theory in its Motion that it did not disclose in its infringement
`contentions:
`
`1. A system for protecting a computer from dynamically
`generated malicious content, comprising:
`
`a content processor (i) for processing content received over
`a network, the content including a call to a first function, and the call
`including an input, and (ii) for invoking a second function with the
`input, only if a security computer indicates that such invocation is
`safe;
`
`a transmitter for transmitting the input to the security
`computer for inspection, when the first function is invoked; and
`
`a receiver for receiving an indicator from the security
`computer whether it is safe to invoke the second function with the
`input.
`
`Ex. 4 (’154 Patent). A more complete overview of the ’154 Patent is presented in Juniper’s
`concurrently filed opposition to Finjan’s motion for summary judgment.
`III. NEW THEORIES
`A.
`New Theory No. 1: “Http://” As The Claimed “First Function”
`
`One of the infringement theories Finjan advances in its Motion identifies “http://” as the
`claimed “first function.” Dkt. No. 368-4 at 10, 16, 20. Finjan, however, did not identify this
`infringement theory in its infringement contentions.
`
`
`1 Juniper addresses herein only certain of the new theories presented by Finjan in its Motion that
`Finjan did not disclose in its infringement contentions. Juniper does not admit that any other
`infringement theories presented in Finjan’s Motion that are not addressed herein were timely or
`properly disclosed as required under Patent L.R. 3, nor does Juniper agree that Finjan may amend
`its infringement contentions in any manner.
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`
`- 2 -
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`ISO JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 8 of 17
`
`For each accused product (SRX, Sky ATP and ATP Appliance), Finjan’s Motion advances
`one infringement theory where the claimed “first function” is “denoted by [the] ‘http://’ prefix and
`[the] input is the address of a site (such as ‘example.com/malware.exe’) as indicated through a[]
`URL or IP address or the file hosted at the URL/IP address.” Dkt. No. 368-6 (Mitzenmacher Dec.)
`at ¶ 22; see also Dkt. No. 368-4 (Motion) at 10 (SRX), 16 (Sky ATP) and 20 (ATP Appliance). But,
`while Finjan’s infringement contentions mention the term “http” in connection with the “first
`function,” it is clear in each instance (each of which is excerpted in full below) that Finjan did not
`refer to a function with an “http://” prefix and is instead referring to other function calls which can
`be embedded in HTTP (i.e., web) communications:
`“Examples of the first functions are JavaScript and iframes that can
`be embedded in HTTP communications and are used to obfuscate or
`hide redirects to download malicious code/shellcode/payloads from a
`compromised webpage, such as ‘drive-by downloads.’”
`
`Ex. 1 (SRX) at 2 (emphasis added); Ex. 2 (Sky ATP) at 4 (identical disclosure); Ex. 3 (ATP
`Appliance) at 2 (identical disclosure).
`“This web or HTTP content can include a call to a first function,
`where the call to a first function can be a number of different
`in JavaScript (e.g. eval, unescape,
`function calls written
`document.write, OnLoad, OnClick, OnMouseover, OnChange) and
`other functions that are used for obfuscation, redirection, heap
`spraying, (e.g. NOP slide), payload (e.g. ROP, download execute
`malware).”
`
`Ex. 1 (SRX) at 2 (emphasis added); Ex. 2 (Sky ATP) at 4 (identical disclosure); Ex. 3 (ATP
`Appliance) at 2 (identical disclosure).
`“In another example, the first functions (stated above) are used to
`conceal the intent to invoke a second function with the input (e.g.
`scripts or embedded malicious iframe in order to obfuscate the
`malicious
`link or URI, such as document.write(‘<iframe
`src=‘http://cool.cn/in.cgi?’width=1 height =1 style =‘visibility:
`hidden’></iframe>’).”
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`
`- 3 -
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`ISO JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 9 of 17
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`Ex. 1 (SRX) at 3 (emphasis added); Ex. 2 (Sky ATP) at 5 (identical disclosure); Ex. 3(ATP
`Appliance) at 3 (identical disclosure).2 And, while Finjan uses the letters “http” in other sections of
`its infringement contentions, those additional references are limited to the claimed “second
`function” or the input to that second function. See, e.g., Ex. 1 at 4 (“The content processor will
`invoke a second function (e.g., HTTP’s file download) with the input (e.g., URL) if the security
`computer indicates that such invocation is safe.” (emphasis added)). Finjan’s infringement
`contentions simply do not disclose a theory wherein the “http://” prefix is the claimed “first
`function.”3
`B.
`
`New Theory No. 2: “SmartCore” As The Claimed “Content Processor” And
`“Chain Heuristics” As The Claimed “Security Computer” In The ATP
`Appliance Infringement Theory
`With respect to the accused ATP Appliance product, Finjan’s Motion identifies the
`SmartCore component as the claimed “content processor” and the chain heuristics engine as one of
`the claimed “security computers.” This is another new theory that Finjan did not disclose in its
`infringement contentions.
`Finjan’s infringement contentions for the ATP Appliance unequivocally identify ATP
`Appliance’s SmartCore component as the claimed “security computer” that receives an input to
`inspect for safety and then transmits an indication of safety back to the claimed “content processor.”
`See Ex. 3 at 7 (“SmartCore security computer”) (emphasis added); see also id. at 1 (“transmit the
`input to a SmartCore component[] of an ATP Appliance, which operates as a security computer”),
`2 (“SmartCore technology [will] return a result that indicates whether the content is safe to invoke”),
`4 (“ATP Appliances interface with a security computer, including the SmartCore analytics engine”),
`
`
`2 Finjan’s infringement contentions never use the term “prefix,” let alone refer to an http “prefix”
`as the claimed “first function.” See generally Ex. 1 (SRX); Ex. 2 (Sky ATP); Ex. 3 (ATP Appliance).
`3 Finjan’s expert, Dr. Mitzenmacher, also discusses certain “HTTP functions” that are associated
`with HTTP, namely the “get” method (Dkt. No. 368-6 at ¶ 13) and the “post” method (id. at ¶ 68).
`But the terms “HTTP function,” “get” and “post” never even appear in any of Finjan’s infringement
`contentions (see generally Exs. 1, 2 and 3). Therefore, any infringement theory relying on “HTTP
`functions” that are associated with HTTP, such as “get” or “post,” are also new and should be
`stricken.
`
`
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`
`- 4 -
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`ISO JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 10 of 17
`
`5 (“ATP Appliances will perform a second function only if the SmartCore components determine
`that the invoking this function is safe.”). Finjan’s infringement contentions also identify the ATP
`Appliance’s “chain heuristics” engine as part of the claimed “content processor” that is used to
`invoke the second function if the SmartCore security computer indicates that such invocation is safe:
`“ATP Appliances invoke a second function with this input, only if
`ATP Appliances indicate that such invocation is safe. In particular,
`ATP Appliances will utilizing using [sic] chain heuristics to identify
`malicious traffic, including identifiers of web pages being directed to
`dubious links. ATP Appliances use this information to perform
`browser behavior analysis in a SmartCore security computer . . . .”
`
`Ex. 3 at 6-7 (emphasis added). Thus, Finjan’s infringement contentions make clear that ATP
`Appliance’s “chain heuristics” engine is part of the claimed “content processor” that transmits the
`input to the SmartCore acting as the claimed “security computer,” which in turn checks if it is safe
`for the ATP Appliance “content processor” (which includes the chain heuristics engine) to invoke
`the second function with the input. See id.
`Finjan’s motion for summary judgment swaps these theories, however, turning the
`SmartCore component into the claimed “content processor” and the “chain heuristics” engine into
`the claimed “security computer.” See Dkt. 368-4 at, e.g., 20 (“The ATP Appliance’s SmartCore is
`a content processor” and “ATP Appliance uses two different security computers that indicate
`whether invoking a second function with the input is safe: . . . a chain heuristics engine . . . .”)
`(emphasis added). These changes were made in tandem because when Finjan changed the
`SmartCore component from acting as the “security computer” in its infringement contentions to the
`“content processor” in its motion for summary judgment, Finjan’s Motion needed to identify a new
`security computer to take the place previously occupied by the SmartCore component. The
`following table presents Finjan’s flipped position side by side:
`
`
`
`Infringement Contentions
`(Ex. 3)
`
`Motion for Summary Judgment
`(Dkt. No. 368-4 at 20)
`
`SmartCore
`
`• “SmartCore security computer”
`(p. 7)
`
`• “The ATP Appliance’s SmartCore
`is a content processor”
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`
`- 5 -
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`ISO JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 11 of 17
`
`Chain
`Heuristics
`
`• “The ATP Appliance uses two
`different security computers that
`indicate whether invoking a second
`function with the input is safe:
`(1) Cyphort’s Reputation Server
`and (2) a chain heuristics engine”
`
`• “ATP Appliances invoke a second
`function with this input, only if
`ATP Appliances indicate that such
`invocation is safe. In particular,
`ATP Appliances will utilizing
`using [sic] chain heuristics to
`identify malicious traffic,
`including identifiers of web pages
`being directed to dubious links.
`ATP Appliances use this
`information to perform browser
`behavior analysis in a SmartCore
`security computer” (p. 6-7)
`The allegations in Finjan’s motion for summary judgment that the “chain heuristics” engine
`comprises the claimed “security computer” and that the SmartCore component comprises the
`claimed “content processor” is thus a new theory not found in Finjan’s infringement contentions.
`C.
`New Theory No. 3: “Verdict Engine” As The Claimed “Security Computer” In
`The Sky ATP Infringement Theory
`
`Finjan’s Motion’s infringement theory against the accused Sky ATP service identifies a new
`“security computer” that was not previously identified in Finjan’s infringement contentions.
`Specifically, Finjan’s Motion identifies the “Verdict Engine” as one of two potential “security
`computers” in the Sky ATP infringement scenario. See Dkt. No. 368-4 at 16 (“Verdict Engine as
`a security computer” (emphasis added)). But Finjan’s infringement contentions related to Sky ATP
`never even use the term “verdict engine,” much less identify it as the required “security computer.”
`See generally Ex. 2. Rather, Finjan’s infringement contentions related to Sky ATP identify
`completely different components as being the claimed “security computer,” none of which are
`“verdict engines”: “security computer including spotlight secure cloud service, C&C, GeoIP, cache,
`AV, or static analysis, additional dynamic analysis, and/or YARA.” Id. at 7. Finjan’s infringement
`contentions thus expressly identify a number of components that allegedly comprise the claimed
`“security computer” in Sky ATP, but none of them are part of Sky ATP’s “verdict engine.” Finjan
`cannot introduce this new theory on summary judgment.
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`
`- 6 -
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`ISO JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 12 of 17
`
`D.
`
`New Theory No. 4: “White listing” And Starting/Stopping File Analysis As
`The Claimed “Second Function” In The Sky ATP Infringement Theory
`
`Finjan’s Motion also identifies two new “second functions” with respect to the Sky ATP
`infringement theory that Finjan did not previously disclose in its infringement contentions.
`Specifically, Finjan’s Motion identifies the following two potential “second functions”: (1) “adding
`the URL/IP address or the file hash to the white list” (Dkt. No. 368-4 at 16), and (2) functions that
`start or stop the analysis of a file (Dkt. No. 368-4 at 16-174). But as shown below in the complete
`description of the alleged “second function” in Finjan’s Sky ATP infringement contentions, Finjan
`simply did not disclose adding anything to a white list, nor did Finjan disclose starting or stopping
`the analysis of a file:
`Second functions are typically a subsequent function that causes a
`download from the same URL such as connecting to or download files
`from a remote command and control (CnC) server using
`HTTPSendRequest, InternetReadFile with the input (e.g. URL, IP,
`file). The content processor will invoke a second function (e.g.
`HTTPS file download) with the input (e.g. URL) if the security
`computer indicates that such invocation is safe.
`
`Second functions include sending results to a protected computer for
`automatically downloading from an obfuscated remote location
`and/or launching concealed input using certain combinations of
`JavaScript, iFrame injections and/or PDF (e.g. OpenAction or
`Launch). Such examples include JavaScript and OpenAction
`functions within PDFs for launching or downloading code for
`exploiting vulnerabilities within Adobe Reader and Adobe Acrobat
`such as malicious JavaScript, shellcode, drive-by download,
`droppers, installers and malicious binaries. Examples of such
`functions include URLDownloadToFile() for dropping malicious
`binaries; heap spraying functions including memory-related functions
`using PROCESS_MEMORY_COUNTERS; JavaScript functions in
`PDF for connecting to the Internet or making a network connection
`such as app.mailmsg() and app.launchURL(), as well as CONNECT-
`related and LISTEN-related functions; functions for executing
`
`
`4 A “second function with the input, which in this example is either an ‘early exit’ from scanning
`the sample (i.e., the sample is safe, stop scanning), invoking a subsequent processing (i.e., the
`sample appears to be safe but will need more testing), or to mark the sample as done.” Dkt.
`No. 368-4 at 17; see also Dkt. No. 368-4 at 16 (“invoke the second function . . . to stop the analysis
`on the input without going further”).
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`
`- 7 -
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`ISO JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 13 of 17
`
`malware via DLL injection such as CreateRemoteThread(); and
`functions for executing dropped malware, such as NtCreateProcess().
`
`See Ex. 2 at 5-6. Indeed, the term “white list” does not even appear in Finjan’s infringement
`contentions related to Sky ATP, nor do the terms “start,” “subsequent processing,” “exit,” “stop,”
`“done,” “finish,” or “terminate.” See generally Ex. 2. The identification of (i) adding anything to
`a “white list” and (ii) starting or stopping the analysis of a file as comprising the claimed “second
`function” are thus new, previously undisclosed theories.
`E.
`New Theory No. 5: Marking An Object As “Clean” And Moving An Object To
`“END” State As The Claimed “Second Function” In The ATP Appliance
`Infringement Theory
`Finjan’s Motion also advances two new infringement theories for the “second functions”
`with respect to the ATP Appliance. In particular, Finjan’s Motion identifies the following two
`potential “second functions”: (1) “moving the object to ‘END’ state,” and (2) “marking the object
`as ‘clean.’” Dkt. No. 368-4 at 21. However, Finjan’s infringement contentions related to the ATP
`Appliance do not even use the terms “end,” “state,” “clean,” or any alternatives for these terms that
`convey the same notion. See generally Ex. 3. Instead, Finjan’s infringement contentions identify
`the exact same “second functions” for the ATP Appliance that Finjan identified in its Sky ATP
`infringement contentions, which are quoted above in full. These contentions do not include moving
`an object to an “end” state or marking an object as “clean.” See Ex. 3 at 3-4. Therefore, as with
`Sky ATP, the identification of (i) moving an object to an “end” state and (ii) marking an object
`“clean” as comprising the claimed “second function” are new theories not found in Finjan’s
`infringement contentions.
`F.
`New Theory No. 6: “Safe” As Infringing Under The Doctrine Of Equivalents
`Finjan also presents a new doctrine of equivalents (“DOE”) theory in its Motion. Claim 1
`of the ’154 Patent requires that the security computer transmit to the content processor an indication
`that it is “safe” to invoke the second function. Juniper proposed a construction of “safe” that is
`identical to the express definition of the term in the specification: “the input’s security profile does
`not violate the client computer’s security policy.” ‘154 Patent at 14:52-54; see also id. at, e.g.,
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`IRELL & MANELLA LLP
`A Registered Limited Liability
`Law Partnership Including
`Professional Corporations
`
`10649414
`
`
`
`- 8 -
`
`MEMORANDUM OF POINTS AND AUTHORITIES
`ISO JUNIPER’S MOTION TO STRIKE
`(Case No. 3:17-cv-05659-WHA)
`
`

`

`Case 3:17-cv-05659-WHA Document 391 Filed 03/14/19 Page 14 of 17
`
`11:41-43; Dkt. No. 182 at 23-25 (claim construction brief regarding the construction of the term).
`In its Motion, Finjan proposes a DOE argument for the “safe” limitation in the event that the Court
`adopts Juniper’s construction, arguing that a risk level score (known as a “verdict”) that is not a
`comparison against a client computer’s security policy is equivalent to a determination of what is
`“safe.” See Dkt. No. 368-4 at 24-25. Finjan did not present this DOE theory in its infringement
`contentions.
`Finjan’s DOE allegations in its infringement contentions are effectively identical across all
`of the accused products and is reproduced below in its entirety, using Finjan’s SRX infringement
`contentions as an example:
`“SRX Gateways meet this element under the doctrine of equivalents.
`SRX Gateways perform the same function because they receiving
`incoming content inspect the content using an engine, such as
`antivirus, static analysis, and dynamic analysis, for scanning, and
`proceed with the function calls of the content is determined safe. This
`is the same function as the claim element, which receives content,
`uses a security computer to determine if the invocation is safe, and
`invokes a second function with the input. In this way, the function of
`having the content received, inspected by the engine and determined
`sa