Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 1 of 56
`
`
`
`PAUL ANDRE (State Bar No. 196585)
`pandre@kramerlevin.com
`LISA KOBIALKA (State Bar No. 191404)
`lkobialka@kramerlevin.com
`JAMES HANNAH (State Bar No. 237978)
`jhannah@kramerlevin.com
`KRAMER LEVIN NAFTALIS & FRANKEL LLP
`990 Marsh Road
`Menlo Park, CA 94025
`Telephone: (650) 752-1700
`Facsimile: (650) 752-1800
`
`Attorneys for Plaintiff
`FINJAN, INC.
`
`
`IN THE UNITED STATES DISTRICT COURT
`
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`FINJAN, INC., a Delaware Corporation,
`
`
`
`
`
`
`Plaintiff,
`
`v.
`
`
`JUNIPER NETWORKS, INC., a Delaware
`Corporation,
`
`
`Defendant.
`
`
`
`
`
`
`Case No.: 3:17-cv-05659-WHA
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`DEMAND FOR JURY TRIAL
`
`
`
`____________________________________________________________________________________
`FIRST AMENDED COMPLAINT
`CASE NO. 3:17-cv-05659-WHA
`FOR PATENT INFRINGEMENT
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 2 of 56
`
`
`
`COMPLAINT FOR PATENT INFRINGEMENT
`
`Plaintiff Finjan, Inc. (“Finjan”) files this Complaint for Patent Infringement and Demand for
`
`Jury Trial against Juniper Networks, Inc. (“Defendant” or “Juniper”) and alleges as follows:
`
`THE PARTIES
`
`1.
`
`Finjan is a Delaware Corporation with its principal place of business at 2000 University
`
`Avenue, Suite 600, E. Palo Alto, California 94303.
`2.
`
`Defendant is a Delaware Corporation with its headquarters and principal place of
`
`business at 1133 Innovation Way, Sunnyvale, California 94089. Defendant may be served through its
`
`agent for service of process, CT Corporation System, at 818 W. 7th Street, Suite 930, Los Angeles,
`
`California 90017.
`
`JURISDICTION AND VENUE
`
`3.
`
`This action arises under the Patent Act, 35 U.S.C. § 101 et seq. This Court has original
`
`jurisdiction over this controversy pursuant to 28 U.S.C. §§ 1331 and 1338.
`4.
`5.
`
`This Court has personal jurisdiction over Defendant. Upon information and belief,
`
`Venue is proper in this Court pursuant to 28 U.S.C. §§ 1391(b) and (c) and/or 1400(b).
`
`Defendant is headquartered and has its principal place of business in this District (Sunnyvale,
`
`California). Defendant also regularly and continuously does business in this District and has infringed,
`
`and continues to do so, in this District. In addition, this Court has personal jurisdiction over Defendant
`
`because minimum contacts have been established with this forum and the exercise of jurisdiction
`
`would not offend traditional notions of fair play and substantial justice.
`
`INTRADISTRICT ASSIGNMENT
`
`6.
`
`Pursuant to Local Rule 3-2(c), Intellectual Property Actions are assigned on a district-
`
`wide basis.
`
`
`
`
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`1
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 3 of 56
`
`
`
`FINJAN’S INNOVATIONS
`
`7.
`
`Finjan was founded in 1997 as a wholly-owned subsidiary of Finjan Software Ltd., an
`
`Israeli corporation. In 1998, Finjan moved its headquarters to San Jose, California. Finjan was a
`
`pioneer in developing proactive security technologies capable of detecting previously unknown and
`
`emerging online security threats, recognized today under the umbrella term “malware.” These
`
`technologies protect networks and endpoints by identifying suspicious patterns and behaviors of
`
`content delivered over the Internet. Finjan has been awarded, and continues to prosecute, numerous
`
`patents covering innovations in the United States and around the world resulting directly from Finjan’s
`
`more than decades-long research and development efforts, supported by a dozen inventors and over
`
`$65 million in R&D investments.
`8.
`
`Finjan built and sold software, including application program interfaces (APIs) and
`
`appliances for network security, using these patented technologies. These products and related
`
`customers continue to be supported by Finjan’s licensing partners. At its height, Finjan employed
`
`nearly 150 employees around the world building and selling security products and operating the
`
`Malicious Code Research Center, through which it frequently published research regarding network
`
`security and current threats on the Internet. Finjan’s pioneering approach to online security drew
`
`equity investments from two major software and technology companies, the first in 2005 followed by
`
`the second in 2006. Finjan generated millions of dollars in product sales and related services and
`
`support revenues through 2009, when it spun off certain hardware and technology assets in a merger.
`
`Pursuant to this merger, Finjan was bound to a non-compete and confidentiality agreement, under
`
`which it could not make or sell a competing product or disclose the existence of the non-compete
`
`clause. Finjan became a publicly traded company in June 2013, capitalized with $30 million. After
`
`Finjan’s obligations under the non-compete and confidentiality agreement expired in March 2015,
`
`Finjan re-entered the development and production sector of secure mobile products for the consumer
`
`market.
`
`
`
`
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`2
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 4 of 56
`
`
`
`FINJAN’S ASSERTED PATENTS
`
`9.
`
`On November 28, 2000, U.S. Patent No. 6,154,844 (“the ‘844 Patent”), titled SYSTEM
`
`AND METHOD FOR ATTACHING A DOWNLOADABLE SECURITY PROFILE TO A
`
`DOWNLOADABLE, was issued to Shlomo Touboul and Nachshon Gal. A true and correct copy of
`
`the ‘844 Patent is attached to this Complaint as Exhibit 1 and is incorporated by reference herein.
`10.
`
`All rights, title, and interest in the ‘844 Patent have been assigned to Finjan, who is the
`
`sole owner of the ‘844 Patent. Finjan has been the sole owner of the ‘844 Patent since its issuance.
`11.
`
`The ‘844 Patent is generally directed toward computer networks, and more particularly,
`
`provides a system that protects devices connected to the Internet from undesirable operations from
`
`web-based content. One of the ways this is accomplished is by linking a security profile to such web-
`
`based content to facilitate the protection of computers and networks from malicious web-based
`
`content.
`12.
`
`On October 12, 2004, U.S. Patent No. 6,804,780 (“the ‘780 Patent”), titled SYSTEM
`
`AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE
`
`DOWNLOADABLES, was issued to Shlomo Touboul. A true and correct copy of the ‘780 Patent is
`
`attached to this Complaint as Exhibit 2 and is incorporated by reference herein.
`13.
`
`All rights, title, and interest in the ‘780 Patent have been assigned to Finjan, who is the
`
`sole owner of the ‘780 Patent. Finjan has been the sole owner of the ‘780 Patent since its issuance.
`14.
`
`The ‘780 Patent is generally directed toward methods and systems for generating a
`
`Downloadable ID. By generating an identification for each examined Downloadable, the system may
`
`allow for the Downloadable to be recognized without reevaluation. Such recognition increases
`
`efficiency while also saving valuable resources, such as memory and computing power.
`15.
`
`On January 12, 2010, U.S. Patent No. 7,647,633 (“the ‘633 Patent”), titled
`
`MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS, was issued
`
`to Yigal Mordechai Edery, Nimrod Itzhak Vered, David R. Kroll, and Shlomo Touboul. A true and
`
`correct copy of the ‘633 Patent is attached to this Complaint as Exhibit 3 and is incorporated by
`
`reference herein.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`3
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 5 of 56
`
`
`
`16.
`
`All rights, title, and interest in the ‘633 Patent have been assigned to Finjan, who is the
`
`sole owner of the ‘633 Patent. Finjan has been the sole owner of the ‘633 Patent since its issuance.
`17.
`
`The ‘633 Patent is generally directed toward computer networks and, more particularly,
`
`provides a system that protects devices connected to the Internet from undesirable operations from
`
`web-based content. One of the ways this is accomplished is by determining whether any part of such
`
`web-based content can be executed and then trapping such content and neutralizing possible harmful
`
`effects using mobile protection code.
`18.
`
`On November 3, 2009, U.S. Patent No. 7,613,926 (“the ‘926 Patent”), titled METHOD
`
`AND SYSTEM FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE
`
`DOWNLOADABLES, was issued to Yigal Mordechai Edery, Nimrod Itzhak Vered, David R. Kroll,
`
`and Shlomo Touboul. A true and correct copy of the ‘926 Patent is attached to this Complaint as
`
`Exhibit 4 and is incorporated by reference herein.
`19.
`
`All rights, title, and interest in the ‘926 Patent have been assigned to Finjan, who is the
`
`sole owner of the ‘926 Patent. Finjan has been the sole owner of the ‘926 Patent since its issuance.
`20.
`
`The ‘926 Patent is generally directed toward methods and systems for protecting a
`
`computer and a network from hostile downloadables. One of the ways this is accomplished is by
`
`performing hashing on a downloadable in order to generate a downloadable ID, retrieving security
`
`profile data, and transmitting an appended downloadable or transmitting the downloadable with a
`
`representation of the downloadable security profile data.
`21.
`
`On March 20, 2012, U.S. Patent No. 8,141,154 (“the ‘154 Patent”), titled SYSTEM
`
`AND METHOD FOR INSPECTING DYNAMICALLY GENERATED EXECUTABLE CODE, was
`
`issued to David Gruzman and Yuval Ben-Itzhak. A true and correct copy of the ‘154 Patent is attached
`
`to this Complaint as Exhibit 5 and is incorporated by reference herein.
`22.
`
`All rights, title, and interest in the ‘154 Patent have been assigned to Finjan, who is the
`
`sole owner of the ‘154 Patent. Finjan has been the sole owner of the ‘154 Patent since its issuance.
`23.
`
`The ‘154 Patent is generally directed toward a gateway computer protecting a client
`
`computer from dynamically generated malicious content. One of the ways this is accomplished is by
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`4
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 6 of 56
`
`
`
`using a content processor to process a first function and invoke a second function if a security
`
`computer indicates that it is safe to invoke the second function.
`24.
`
`On March 18, 2014, U.S. Patent No. 8,677,494 (“the ‘494 Patent”), titled MALICIOUS
`
`MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS, was issued to Yigal
`
`Mordechai Edery, Nimrod Itzhak Vered, David R. Kroll, and Shlomo Touboul. A true and correct
`
`copy of the ‘494 Patent is attached to this Complaint as Exhibit 6 and is incorporated by reference
`
`herein.
`
`25.
`
`All rights, title, and interest in the ‘494 Patent have been assigned to Finjan, who is the
`
`sole owner of the ‘494 Patent. Finjan has been the sole owner of the ‘494 Patent since its issuance.
`26.
`
`The ‘494 Patent is generally directed toward a method and system for deriving security
`
`profiles and storing the security profiles. One of the ways this is accomplished is by deriving a
`
`security profile for a downloadable, which includes a list of suspicious computer operations, and
`
`storing the security profile in a database.
`27.
`
`The ‘844 Patent, the ‘780 Patent, the ‘633 Patent, the ‘926 Patent, the ‘154 Patent, the
`
`‘494 Patent, as described in paragraphs 9-27 above, are collectively referred to as the “Asserted
`
`Patents” herein.
`
`FINJAN’S NOTICE OF INFRINGEMENT TO DEFENDANT
`
`28.
`
`Finjan and Defendant’s patent discussions date back to June 2014. Finjan contacted
`
`Defendant on or about June 10, 2014, regarding a potential license to Finjan’s patents.
`29.
`
`On or about July 2, 2014, Finjan provided Defendant with an exemplary claim chart
`
`detailing how Defendant’s products relate to U.S. Patent Number 6,965,968 (the “‘968 Patent”). In the
`
`email attaching that exemplary claim chart, Finjan told Defendant: “We believe a license to Finjan’s
`
`patent portfolio could be beneficial to some [of] Juniper’s security products and services. Besides, we
`
`could also explore possible common interests relating to other patent collaborations such as co-
`
`investments or M&A activities in technology companies.” Finjan also offered to provide Defendant
`
`with additional exemplary claim charts, under a non-disclosure agreement, so that Defendant could
`
`evaluate Finjan’s patent portfolio.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`5
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 7 of 56
`
`
`
`30.
`
`On or about January 12, 2015, Finjan met with Defendant’s Senior Director of IP,
`
`Litigation and Strategy regarding Defendant’s products and how they relate to Finjan’s patents. Finjan
`
`again offered to enter into a non-disclosure agreement, so that Defendant could evaluate Finjan’s
`
`patent portfolio in detail, but Defendant declined to enter into a non-disclosure agreement at that time.
`31.
`
`On or about February 13, 2015, Defendant sent a letter to Finjan listing ten patents that
`
`Defendant believed would be considered “prior art” to the ‘968 Patent. Finjan contacted Defendant
`
`again on February 18, 2015, and February 20, 2015, in an attempt to follow up on Defendant’s letter,
`
`but Defendant declined to respond to Finjan’s February 20, 2015, email.
`32.
`
`Having heard no response from Defendant’s Senior Director of IP, Litigation and
`
`Strategy, on or about September 30, 2015, Finjan sent a letter to Defendant distinguishing the ten
`
`patents that Defendant had identified as potential “prior art” and stating how those ten patents were not
`
`relevant to the ‘968 Patent. Again, Defendant’s Senior Director of IP, Litigation and Strategy declined
`
`to respond to Finjan’s letter.
`33.
`
`On or about October 15, 2015, Finjan contacted Defendant’s Deputy General Counsel
`
`to discuss Defendant’s products and how they read on Finjan’s patents. Defendant’s Deputy General
`
`Counsel referred Finjan back to Defendant’s Senior Director of IP, Litigation and Strategy to continue
`
`licensing discussions.
`34.
`
`On or about November 24, 2015, Finjan spoke again with Defendant’s Senior Director
`
`of IP, Litigation and Strategy by telephone, to discuss Defendant’s products and how they relate to
`
`Finjan’s patents. During that telephone call, Defendant’s Senior Director of IP, Litigation and Strategy
`
`indicated that he did not think Finjan was worth Defendant’s time and he expressed no interest in
`
`understanding the analysis that Finjan had prepared regarding Defendant’s products and how they
`
`relate to Finjan’s patents. Defendant’s Senior Director of IP, Litigation and Strategy also repeatedly
`
`turned that telephone conversation toward the topic of litigation, referenced his own hypothetical
`
`deposition, refused to sign an non-disclosure agreement, and stated that if Finjan shared any more
`
`exemplary claim charts with him, he would share them with other entities.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`6
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 8 of 56
`
`
`
`35.
`
`On or about February 2, 2016, Finjan contacted Defendant’s Deputy General Counsel
`
`again to express concern that Defendant did not seem to be taking Finjan’s efforts to engage in
`
`licensing discussions seriously, and to discuss how Defendant’s products related to Finjan’s patents.
`36.
`
`Despite Finjan’s earnest and consistent efforts since June 2014, Defendant has refused
`
`to take a license to Finjan’s patents. At no time has Defendant provided any explanation as to how any
`
`of the Accused Products do not infringe any of the Asserted Patents.
`
`JUNIPER
`
`37.
`
`Defendant makes, uses, sells, offers for sale, and/or imports into the United States and
`
`this District products and services that utilize the SRX Series Services Gateways, Sky Advanced
`
`Threat Prevention (“Sky ATP”), and Junos Space Security Director products. See:
`
`http://www.juniper.net/us/en/products-services/security/srx-series/;
`
`http://www.juniper.net/us/en/products-services/security/sky-advanced-threat-prevention/;
`
`https://www.juniper.net/us/en/products-services/security/advanced-threat-prevention-appliance/; and
`
`http://www.juniper.net/us/en/products-services/security/security-director/, attached hereto as Exhibits
`
`9-12.
`
`SRX Gateways
`
`38.
`
`Defendant’s SRX Series Services Gateways are Defendant’s next-generation gateway
`
`platforms designed for small, medium, and large enterprises. Defendant’s SRX Gateways include the:
`
`SRX110; SRX220; SRX300; SRX550; SRX1400; SRX1500; SRX3400; SRX3600; SRX4000;
`
`SRX5400; SRX5600; and SRX5800 gateway appliances, as well as the vSRX Virtual Firewall and
`
`cSRX Container Firewall (collectively, “SRX Gateways”). See http://www.juniper.net/us/en/products-
`
`services/security/srx-series/, attached hereto as Exhibit 9. SRX Gateways perform malware detection
`
`by processing network traffic using static and dynamic analysis. SRX Gateways integrate with
`
`Defendant’s Sky ATP service for malware detection and with Junos Space Security Director to
`
`maintain databases and manage security policies across the network.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`7
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 9 of 56
`
`
`
`
`See http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000281-en.pdf at 3, attached hereto as
`Exhibit 13.
`
`
`
`See http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000489-en.pdf at 2, attached hereto as
`Exhibit 14.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`8
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 10 of 56
`
`
`
`
`
`
`See http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000281-en.pdf at 3 and 6-7, attached
`hereto as Exhibit 14.
`
`
`
`Sky ATP
`
`39.
`
`Defendant’s Sky ATP is a cloud-based service that is integrated with SRX Gateways to
`
`provide “complete advanced malware protection” and deliver “a dynamic anti-malware solution that
`
`can adapt to an ever-changing threat landscape.” http://www.juniper.net/us/en/products-
`
`services/security/sky-advanced-threat-prevention/, attached hereto as Exhibit 10;
`
`https://www.youtube.com/watch?v=efXR9F1WM80. As shown below, SRX Gateway’s integrate with
`
`Sky ATP to deliver inspection, inline malware blocking, and actionable reporting.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`9
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 11 of 56
`
`
`
`Sky ATP Admin Manual at 8, attached hereto as Exhibit 15.
`40.
`
`Sky ATP analyzes network traffic and extracts suspicious code for analysis across a
`
`broad range of files contained within this network traffic. Sky ATP uses a pipeline approach to
`
`analyzing malware using cache lookups, traditional antivirus scanning, static analysis, and dynamic
`
`
`
`analysis using a sandbox.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`10
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 12 of 56
`
`
`
`Sky ATP Admin Manual at 9, attached hereto as Exhibit 15.
`41.
`
`As shown below, Sky ATP creates a file hash of incoming downloadables (using
`
`SHA256) and stores the hash value in a database.
`
`
`
`Sky ATP Admin Manual at 9, attached hereto as Exhibit 15.
`42.
`
`Sky ATP uses static analysis to examine files for suspicious operations, such as
`
`modifying the Windows registry or creating a file. The output of the static analysis performed by Sky
`
`ATP is a security profile that is fed into Juniper’s systems to protect an internal network and/or to
`
`allow for further analysis or intelligence.
`
`
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`11
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 13 of 56
`
`
`
`Sky ATP Admin Manual at 10, attached hereto as Exhibit 15.
`43.
`
`Sky ATP also uses dynamic analysis (e.g., sandboxing) to monitor and “record” the
`
`activity of a downloadable, including suspicious operations indicative of malware. The output of the
`
`dynamic analysis performed by Sky ATP is a security profile that is fed into Juniper’s systems to
`
`protect an internal network and/or allow for further analysis or intelligence.
`
`
`
`Sky ATP Admin Manual at 10, attached hereto as Exhibit 15.
`44.
`
`The security profiles are fed into Juniper’s systems to generate a “threat level” for each
`
`
`
`downloadable.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`12
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 14 of 56
`
`
`
`
`
`Sky ATP Admin Manual at 11, attached hereto as Exhibit 15.
`
`Junos Space Security Director
`
`45.
`
`Defendant’s Junos Space Security Director provides security policy management
`
`through a centralized interface that gives administrators security management and policy control,
`
`network-wide. Junos Space Security Director integrates with Sky ATP, storing and using information
`
`gathered and reported by Sky ATP to learn about and respond to new threats. With this information,
`
`Junos Space Security Director automatically updates policies and deploys new enforcements, thereby
`
`quarantining and tracking infected hosts to stop the progress of threats.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`
`
`13
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 15 of 56
`
`
`
`http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000332-en.pdf), at 1, attached hereto as
`Exhibit 16.
`
`ATP Appliance
`
`46.
`
`Defendant’s ATP Appliance is an hardware appliance and associated software that can
`
`integrate with SRX Gateways to provide analysis of for potential malware through static analysis,
`
`dynamic payload analysis through sandboxing, and machine learning and behavioral analysis.
`
`1000627-en.pdf at 2, attached hereto as Exhibit 29. ATP Appliance inspects downloaded traffic across
`
`multiple vectors like web and email. ATP Appliance will analyze multiple executable file types to
`
`identify exploits. ATP Appliance also correlates events across kill chain stages to monitor threat
`
`progress and risk, calculating a score based on threat severity, threat progress, asset value, and other
`
`contextual data.
`
`
`
`3510633-en.pdf at 4, attached hereto as Exhibit 30.
`JUNIPER’S INFRINGEMENT OF FINJAN’S PATENTS
`
`47.
`
`Defendant has been and is now infringing, and will continue to infringe, the ‘844
`
`Patent, the ‘780 Patent, the ‘633 Patent, the ‘926 Patent, the ‘154 Patent, and the ‘494 Patent
`
`(collectively, the “Asserted Patents”) in this Judicial District and elsewhere in the United States by,
`
`among other things, making, using, importing, selling, and/or offering for sale the SRX Gateways, Sky
`
`ATP, ATP Appliance, and Junos Space Security Director products.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`14
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 16 of 56
`
`
`
`COUNT I
`(Direct Infringement of the ‘844 Patent pursuant to 35 U.S.C. § 271(a))
`Finjan repeats, realleges, and incorporates by reference, as if fully set forth herein, the
`
`48.
`
`allegations of the preceding paragraphs, as set forth above.
`49.
`
`Defendant has infringed Claims 1, 15, and 41 of the ‘844 Patent in violation of 35
`
`U.S.C. § 271(a).
`50.
`
`Defendant’s infringement is based upon literal infringement or infringement under the
`
`doctrine of equivalents, or both.
`51.
`
`Defendant’s acts of making, using, importing, selling, and/or offering for sale infringing
`
`products and services have been without the permission, consent, authorization, or license of Finjan.
`52.
`
`Defendant’s infringement includes the manufacture, use, sale, importation and/or offer
`
`for sale of Defendant’s products and services, including the SRX Gateways and also the SRX
`
`Gateways using Sky ATP and ATP Appliance, or Sky ATP and ATP Appliances alone, or in
`
`combination with Junos Space Security Director (collectively, the “‘844 Accused Products”).
`53.
`
`The ‘844 Accused Products embody the patented invention of the ‘844 Patent and
`
`infringe the ‘844 Patent because they practice a method of receiving by an inspector a downloadable,
`
`generating by the inspector (e.g., Sky ATP’s and ATP Appliance’s static and dynamic analyzers) a first
`
`downloadable security profile that identifies suspicious code in the received downloadable, and linking
`
`by the inspector the first downloadable security profile to the downloadable before a web server makes
`
`the downloadable available to web clients. See Sky ATP Admin Manual at 9-11, attached hereto as
`
`Exhibit 15. For example, as shown below, the ‘844 Accused Products provide gateway security to end
`
`users, where incoming downloadables (e.g., PDFs with JavaScript, EXE files, or JavaScript embedded
`
`within an HTML file) are received by the ‘844 Products.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`15
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 17 of 56
`
`
`
`
`
`
`
`See http://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/concept/sky-atp-
`about.html at 3-4, attached hereto as Exhibit 18.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`16
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 18 of 56
`
`
`
`54.
`
`Sky ATP generates a downloadable security profile that analyzes suspicious behavior
`
`and captures a list of suspicious computer operations that are performed by the downloadable.
`
`https://www.youtube.com/watch?v=1QmXh8nDIYg.
`
`
`
`
`
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`17
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 19 of 56
`
`
`
`See https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/concept/sky-
`atp-malware-analyze.html at 2, attached hereto as Exhibit 19.
`55.
`For example, Sky ATP identifies registry operations and certain suspicious operations
`
`captured during dynamic and static analysis of the downloadable.
`
`
`
`See https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/concept/sky-
`atp-malware-analyze.html at 1-2, attached hereto as Exhibit 19.
`56.
`Sky ATP links the downloadable security profile to the downloadable before it is made
`
`available to the client. For example, Sky ATP uses rules to determine a “verdict” on whether the
`
`content is malicious, and links the downloadable security profile to the downloadable to prevent access
`
`to the downloadable via a blocking mechanism.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`18
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 20 of 56
`
`
`
`See https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/concept/sky-
`atp-malware-analyze.html at 1, attached hereto as Exhibit 19.
`
`
`
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`19
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 21 of 56
`
`
`
`
`
`https://www.youtube.com/watch?v=1QmXh8nDIYg.
`57.
`SRX Gateways also infringe the ‘844 Patent without the use of Sky ATP, because they
`
`receive downloadables, inspect the downloadables to determine if they contain suspicious code or
`
`“potentially malicious content,” generate a first downloadable security profile that identifies the
`
`“potentially malicious content,” and link that first downloadable security profile to the downloadable
`
`before it is made available to a client (e.g., “SRX extracts potentially malicious objects and files” and
`
`“SRX blocks known malicious file downloads”). For example, as shown below, SRX Gateways
`
`receive downloadables, perform a full packet inspection on the downloadables, and apply security
`
`policies based on that inspection.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`20
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 22 of 56
`
`
`
`
`See http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000281-en.pdf at 3, attached hereto as
`Exhibit 13.
`
`
`See http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000489-en.pdf at 2, attached hereto as
`Exhibit 14.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`21
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 23 of 56
`
`
`
`58.
`
`SRX Gateways identify “attack objects,” which are downloadables that contain patterns
`
`of known attacks that can be used to compromise a network. SRX Gateways generate and log a first
`
`downloadable security profile called a “signature” that identifies the attack objects or suspicious code.
`
`
`https://www.juniper.net/documentation/en_US/junos-space15.2/topics/task/operational/junos-space-
`ips-signature-creating.html, attached hereto as Exhibit 20.
`
`https://www.juniper.net/documentation/en_US/junos-space15.1/topics/task/operational/junos-space-
`security-design-ips-signature-creating.html, attached hereto as Exhibit 25.
`
`
`59.
`
`SRX Gateways link that first downloadable security profile or signature to the
`
`downloadable before it is made available to a client (e.g., “SRX blocks known malicious file
`
`
`
`downloads”).
`
`
`
`
`22
`
`CASE NO. 3:17-cv-05659-WHA
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 24 of 56
`
`
`
`
`
`See http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000281-en.pdf at 6-7, attached hereto as
`Exhibit 13.
`
`FIRST AMENDED COMPLAINT
`FOR PATENT INFRINGEMENT
`
`23
`
`CASE NO. 3:17-cv-05659-WHA
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 3:17-cv-05659-WHA Document 88 Filed 05/18/18 Page 25 of 56
`
`
`
`See https://www.youtube.com/watch?v=1QmXh8nDIYg.
`60.
`
`Similarly, Defendant infringes the ‘844 Patent through its use of the ATP Appliance,
`
`which downloads files to create a profile using static analysis, dynamic payload analysis with a
`
`sandbox, machine learning, and behavioral analysis to identify suspicious code in the received
`
`downloadable, and then links these files to a hash ID so that the file c