PAUL ANDRE (State Bar No. 196585)
pandre@kramerlevin.com
LISA KOBIALKA (State Bar No. 191404)
lkobialka@kramerlevin.com
JAMES HANNAH (State Bar No. 237978)
jhannah@kramerlevin.com
KRAMER LEVIN NAFTALIS & FRANKEL LLP
990 Marsh Road
Menlo Park, CA 94025
Telephone: (650) 752-1700
Facsimile: (650) 752-1800

Attorneys for Plaintiff
FINJAN, INC.

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA

FINJAN, INC., a Delaware Corporation,

Plaintiff,

v.

QUALYS INC., a Delaware Corporation,

Defendant.

Case No.:

COMPLAINT FOR PATENT INFRINGEMENT

DEMAND FOR JURY TRIAL
`Case 4:18-cv-07229-YGR Document 1 Filed 11/29/18 Page 2 of 109
`
`
`
COMPLAINT FOR PATENT INFRINGEMENT

Plaintiff Finjan, Inc. (“Finjan”) files this Complaint for Patent Infringement and Demand for Jury Trial against Qualys Inc. (“Defendant” or “Qualys”) and alleges as follows:
`
THE PARTIES

1. Finjan is a Delaware Corporation with its principal place of business at 2000 University Avenue, Suite 600, E. Palo Alto, California 94303.

2. Upon information and belief, Qualys Inc. is a Delaware Corporation with its principal place of business at 919 E. Hillsdale Boulevard, 4th Floor, Foster City, California 94404.
`
JURISDICTION AND VENUE

3. This action arises under the Patent Act, 35 U.S.C. § 101 et seq. This Court has original jurisdiction over this controversy pursuant to 28 U.S.C. §§ 1331 and 1338.

4. Venue is proper in this Court pursuant to 28 U.S.C. §§ 1391(b) and (c) and/or 1400(b).

5. This Court has personal jurisdiction over Defendant. Defendant regularly and continuously does business in this District and has infringed or induced infringement, and continues to do so, in this District. Upon information and belief, Defendant maintains an office within this District in Foster City, California. Upon information and belief, Defendant’s office in Foster City is a regular and established place of business and its principal place of business. In addition, the Court has personal jurisdiction over Defendant because minimum contacts have been established with the forum and the exercise of jurisdiction would not offend traditional notions of fair play and substantial justice.
`
INTRADISTRICT ASSIGNMENT

6. Pursuant to Local Rule 3-2(c), Intellectual Property Actions are assigned on a district-wide basis.
`
FINJAN’S INNOVATIONS

7. Finjan was founded in 1997 as a wholly-owned subsidiary of Finjan Software Ltd., an Israeli corporation. In 1998, Finjan moved its headquarters to San Jose, California. Finjan was a pioneer in developing proactive security technologies capable of detecting previously unknown and emerging online security threats, recognized today under the umbrella term “malware.” These technologies protect networks and endpoints by identifying suspicious patterns and behaviors of content delivered over the Internet. The United States Patent and Trademark Office (“USPTO”) awarded to Finjan, and Finjan continues to prosecute, numerous patents covering innovations in the United States and around the world resulting directly from Finjan’s more than decades-long research and development efforts, supported by a dozen inventors and over $65 million in R&D investments.

8. Finjan built and sold software, including application program interfaces (APIs) and appliances for network security, using these patented technologies. These products and related customers continue to be supported by Finjan’s licensing partners. At its height, Finjan employed nearly 150 employees around the world building and selling security products and operating the Malicious Code Research Center, through which it frequently published research regarding network security and current threats on the Internet. Finjan’s pioneering approach to online security drew equity investments from two major software and technology companies, the first in 2005 followed by the second in 2006. Finjan generated millions of dollars in product sales and related services and support revenues through 2009, when it spun off certain hardware and technology assets in a merger. Pursuant to this merger, Finjan was bound to a non-compete and confidentiality agreement, under which it could not make or sell a competing product or disclose the existence of the non-compete clause. Finjan became a publicly traded company in June 2013, capitalized with $30 million. After Finjan’s obligations under the non-compete and confidentiality agreement expired in March 2015, Finjan re-entered the development and production sector of secure mobile products for the consumer market.
`
FINJAN’S ASSERTED PATENTS

9. On November 28, 2000, the USPTO issued to Shlomo Touboul and Nachshon Gal U.S. Patent No. 6,154,844 (“the ‘844 Patent”), titled “SYSTEM AND METHOD FOR ATTACHING A DOWNLOADABLE SECURITY PROFILE TO A DOWNLOADABLE.” A true and correct copy of the ‘844 Patent is attached to this Complaint as Exhibit 1 and is incorporated by reference herein.

10. All rights, title, and interest in the ‘844 Patent have been assigned to Finjan, who is the sole owner of the ‘844 Patent. Finjan has been the sole owner of the ‘844 Patent since its issuance.
`
11. The ‘844 Patent is generally directed towards computer networks, and more particularly, provides a system that protects devices connected to the Internet from undesirable operations from web-based content. One of the ways this is accomplished is by linking a security profile to such web-based content to facilitate the protection of computers and networks from malicious web-based content. The ‘844 Patent discloses and specifically claims inventive concepts that represent significant improvements over conventional network security technology that was available at the time of filing of the ‘844 Patent and are more than just generic software components performing conventional activities.

12. On March 18, 2014, the USPTO issued to Yigal Mordechai Edery, Nimrod Itzhak Vered, David R. Kroll, and Shlomo Touboul U.S. Patent No. 8,677,494 (“the ‘494 Patent”), titled “MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS.” A true and correct copy of the ‘494 Patent is attached to this Complaint as Exhibit 2 and is incorporated by reference herein.

13. All rights, title, and interest in the ‘494 Patent have been assigned to Finjan, who is the sole owner of the ‘494 Patent. Finjan has been the sole owner of the ‘494 Patent since its issuance.

14. The ‘494 Patent is generally directed towards a method and system for deriving security profiles and storing the security profiles. One of the ways this is accomplished is by deriving a security profile for a downloadable, which includes a list of suspicious computer operations, and storing the security profile in a database. The ‘494 Patent discloses and specifically claims inventive concepts that represent significant improvements over conventional network security technology that was available at the time of filing of the ‘494 Patent and are more than just generic software components performing conventional activities.

15. On July 5, 2011, the USPTO issued to Moshe Rubin, Moshe Matitya, Artem Melnick, Shlomo Touboul, Alexander Yermakov and Amit Shaked U.S. Patent No. 7,975,305 (“the ‘305 Patent”), titled “METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS FOR DESKTOP COMPUTERS.” A true and correct copy of the ‘305 Patent is attached to this Complaint as Exhibit 3 and is incorporated by reference herein.
`
16. All rights, title, and interest in the ‘305 Patent have been assigned to Finjan, who is the sole owner of the ‘305 Patent. Finjan has been the sole owner of the ‘305 Patent since its issuance.

17. The ‘305 Patent is generally directed towards network security and, in particular, rule based scanning of web-based content for exploits. One of the ways this is accomplished is by using parser and analyzer rules to describe computer exploits as patterns of types of tokens. Additionally, the system provides a way to keep these rules updated. The ‘305 Patent discloses and specifically claims inventive concepts that represent significant improvements over conventional network security technology that was available at the time of filing of the ‘305 Patent and are more than just generic software components performing conventional activities.

18. On July 17, 2012, the USPTO issued to Moshe Rubin, Moshe Matitya, Artem Melnick, Shlomo Touboul, Alexander Yermakov and Amit Shaked U.S. Patent No. 8,225,408 (“the ‘408 Patent”), titled “METHOD AND SYSTEM FOR ADAPTIVE RULE-BASED CONTENT SCANNERS.” A true and correct copy of the ‘408 Patent is attached to this Complaint as Exhibit 4 and is incorporated by reference herein.

19. All rights, title, and interest in the ‘408 Patent have been assigned to Finjan, who is the sole owner of the ‘408 Patent. Finjan has been the sole owner of the ‘408 Patent since its issuance.

20. The ‘408 Patent is generally directed towards network security and, in particular, rule based scanning of web-based content for a variety of exploits written in different programming languages. One of the ways this is accomplished is by expressing the exploits as patterns of tokens. Additionally, the disclosed system provides a way to analyze these exploits by using a parse tree. The ‘408 Patent discloses and specifically claims inventive concepts that represent significant improvements over conventional network security technology that was available at the time of filing of the ‘408 Patent and are more than just generic software components performing conventional activities.

21. On November 15, 2005, the USPTO issued to Shlomo Touboul U.S. Patent No. 6,965,968 (“the ‘968 Patent”), titled “POLICY-BASED CACHING.” A true and correct copy of the ‘968 Patent is attached to this Complaint as Exhibit 5 and is incorporated by reference herein.
`
22. All rights, title, and interest in the ‘968 Patent have been assigned to Finjan, who is the sole owner of the ‘968 Patent. Finjan has been the sole owner of the ‘968 Patent since its issuance.

23. The ‘968 Patent is generally directed towards methods and systems for enabling policy-based cache management to determine if digital content is allowable relative to a policy. One of the ways this is accomplished is scanning digital content to derive a content profile and determining whether the digital content is allowable for a policy based on the content profile. The ‘968 Patent discloses and specifically claims inventive concepts that represent significant improvements over conventional network security technology that was available at the time of filing of the ‘968 Patent and are more than just generic software components performing conventional activities.

24. On August 26, 2008, the USPTO issued to Shlomo Touboul U.S. Patent No. 7,418,731 (“the ‘731 Patent”), titled “METHOD AND SYSTEM FOR CACHING AT SECURE GATEWAYS.” A true and correct copy of the ‘731 Patent is attached to this Complaint as Exhibit 6 and is incorporated by reference herein.

25. All rights, title, and interest in the ‘731 Patent have been assigned to Finjan, who is the sole owner of the ‘731 Patent. Finjan has been the sole owner of the ‘731 Patent since its issuance.

26. The ‘731 Patent is generally directed towards methods and systems for providing an efficient security system. One of the ways this is accomplished is by implementing a variety of caches to increase performance of the system. The ‘731 Patent discloses and specifically claims inventive concepts that represent significant improvements over conventional network security technology that was available at the time of filing of the ‘731 Patent and are more than just generic software components performing conventional activities.

27. On March 20, 2012, the USPTO issued to David Gruzman and Yuval Ben-Itzhak U.S. Patent No. 8,141,154 (“the ‘154 Patent”), titled “SYSTEM AND METHOD FOR INSPECTING DYNAMICALLY GENERATED EXECUTABLE CODE.” A true and correct copy of the ‘154 Patent is attached to this Complaint as Exhibit 7 and is incorporated by reference herein.

28. All rights, title, and interest in the ‘154 Patent have been assigned to Finjan, who is the sole owner of the ‘154 Patent. Finjan has been the sole owner of the ‘154 Patent since its issuance.
`
29. The ‘154 Patent is generally directed towards methods and systems for providing an efficient security system. One of the ways this is accomplished is by implementing a variety of caches to increase performance of the system. The ‘154 Patent discloses and specifically claims inventive concepts that represent significant improvements over conventional network security technology that was available at the time of filing of the ‘154 Patent and are more than just generic software components performing conventional activities.

30. The patents in paragraphs 9-29 are collectively referred to as the “Asserted Patents.”
`
FINJAN’S NOTICE OF INFRINGEMENT TO DEFENDANT

31. Defendant is well aware of Finjan’s patents, including the Asserted Patents, and has continued its infringing activity, despite this knowledge, for years. Finjan gave written notice to Defendant of its infringement of Finjan’s patents by letter dated November 12, 2015, which specifically identified Finjan’s ‘844, ‘494, ‘305, ‘968, and ‘154 Patents. This letter also identified many of Defendant’s infringing products including how Defendant’s Malware Detection Systems (MDS), Web Application Firewall (WAF), Web Application Scanner (WAS), and Vulnerability (VM) solutions including Qualys Cloud Platform products infringe various of Finjan’s Asserted Patents. See November 12, 2015 Letter from Finjan to Qualys, attached hereto as Exhibit 23.

32. Finjan also gave Defendant another letter on or about December 7, 2017, in which Finjan described to Defendant how the Accused Products variously infringe Finjan’s patents, including at least Finjan’s ‘844, ‘494, ‘305, and ‘968 Patents. See December 7, 2017 Letter from Finjan to Qualys, attached hereto as Exhibit 24.

33. Thus, despite Finjan’s best efforts to inform Defendant that its products infringe Finjan’s patents and to engage Defendant in good-faith licensing discussions, Defendant refused to take a license to Finjan’s patents. As shown above, Defendant knew that it infringed the Asserted Patents well before Finjan filed this action, and Defendant acted egregiously and willfully in that it continued to infringe Finjan’s patents and, on information and belief, took no action to avoid infringement. Instead, Defendant continued to develop additional technologies and products that infringe the Asserted Patents. As such, Defendant has continued to willfully, wantonly, and deliberately engage in acts of infringement of the Asserted Patents.
`
DEFENDANT’S INFRINGING PRODUCTS AND TECHNOLOGIES

34. Defendant makes, uses, sells, offers for sale, and imports into the United States and this District infringing products and services that utilize Vulnerability Management, Threat Protection, Continuous Monitoring, Indicators of Compromise, Container Security, Web App Firewall, Web App Scanning, and Compliance Monitoring, including Qualys Cloud Platform products (collectively, the “Accused Products”).

35. Qualys’ products are all interrelated through the Qualys Cloud Platform. The Qualys Cloud Platform integrates Qualys’ detection and analytic technologies across various product offerings, briefly described below.
`
Vulnerability Management (VM)

36. Qualys VM continuously scans and identifies vulnerabilities with high-precision accuracy, protecting IT assets on premises, in the cloud, and at mobile endpoints. Its executive dashboard displays an overview of security posture and access to remediation details. VM generates custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors. Additionally, Qualys VM offers vulnerability management for hybrid IT environments.

37. In addition to scanners, VM also works with Qualys Cloud Agents, extending its network coverage to assets that cannot be scanned. The lightweight, all-purpose, self-updating agents reside on the assets they monitor so they do not require scan windows, credentials, or firewall changes, and vulnerabilities can be found with minimal network impact. When VM is paired with Continuous Monitoring (CM), InfoSec teams are proactively alerted about potential threats so problems can be tackled before turning into breaches. Alerts can be tailored to notify about general or specific changes.
`
Threat Protection

38. Threat Protection continuously correlates external threat information against a vulnerabilities and IT asset inventory, leveraging Qualys Cloud Platform’s back-end engine to automate this large-scale and intensive data analysis process and alert which threats pose the greatest risk at any given time. As Qualys engineers continuously validate and rate new threats from internal and external sources, Threat Protection’s Live Threat Intelligence Feed displays the latest vulnerability disclosures and maps them to impacted IT assets.

39. A single, dynamic dashboard includes customizable views, graphs and charts to provide a clear and comprehensive view of the threat landscape at a glance in real time. Multiple dashboard views can be created to break down vulnerabilities by real-time threat indicator types, such as zero-day exploits. Further, Threat Protection’s search engine can sort, filter, drill down and fine-tune results for specific assets and vulnerabilities by crafting ad hoc queries with multiple variables and criteria. Queries can be saved and turned into dashboard widgets, which can display trend graphs for up to 90 days.
`
Continuous Monitoring (CM)

40. CM works in tandem with VM to discover hosts and digital certificates, organize assets by business or technology function, and be alerted as soon as vulnerabilities appear on the global perimeter from a single console. CM acts as a sentinel in the cloud, constantly monitoring the network for changes that could put the network at risk. CM automates monitoring of the global perimeter, tracking systems in the global network, wherever they are.

41. CM can identify and proactively address potential problems. Alerts can be tailored for a wide variety of conditions impacting systems, certificates, ports, services and software. Each rule can be configured to detect common, general changes or tuned to very specific circumstances. Different recipients can be assigned for each alert, so that the appropriate person is notified. The dashboard displays the network’s big-picture status at a glance, giving a graphical representation of recent activity to spot anomalies. Important alerts can be flagged and trivial ones can be hidden. Specific alerts and their corresponding details can be found using CM’s search engine.
`
Indicators of Compromise (IOC)

42. Qualys IOC uses the Cloud Agent’s non-intrusive data collection and delta processing techniques to transparently capture endpoint activity information from assets on and off the network that is more performant than query-based approaches or log collectors. Customers can use pre-defined threat hunting rules and easily import indicators of compromise artifacts into widgets, dashboards, and saved searches to quickly verify threat intelligence, scale of infections, first-infected asset (“Patient Zero”), and timeline of compromises.

43. Threat hunting, suspicious activity detection, and OpenIOC processing are performed in the Qualys Cloud Platform on billions of active and past system events, and coupled with threat intelligence data from Qualys Malware Labs to identify malware infections (indicators of compromise) and threat actor actions (indicators of activity).

44. Qualys IOC creates a Single View of the Asset, showing threat hunting details unified with other Qualys Cloud Apps for hardware and software inventory, vulnerability posture, policy compliance controls, and file integrity monitoring change alerts for on-premise servers, cloud instances, and off-net remote endpoints. A single user interface significantly reduces the time required for incident responders and security analysts to hunt, investigate, detect, and respond to threats before breach or compromise can occur.
`
Container Security (CS)

45. Qualys Container Security gives complete visibility of container hosts wherever they are in the global IT environment, on premises and in clouds. It gathers comprehensive topographic information about container projects — images, image registries, and containers spun from the images. The complete inventory and security posture from containers to hosts are viewable from dynamic, customizable dashboards.

46. With Qualys CS, security teams can enforce policies to block the use of images that have specific vulnerabilities, or that have vulnerabilities above a certain severity threshold. Developers can do continuous vulnerability detection and remediation in the DevOps pipeline by deploying plugins for CI/CD tools like Jenkins or Bamboo, or via REST APIs.

47. Qualys CS can search for images that have high-severity vulnerabilities, unapproved packages, and older or test release tags. Their impact can be assessed by identifying all containers — active or dormant — that use the unapproved, vulnerable images. Qualys CS helps determine if these images are cached on different hosts, and identifies all the containers on exposed vulnerable network ports running with privileges, which could lead to attacks.

48. Qualys CS scans, protects, and secures the running containers. Qualys CS also detects containers drifting from the parent image, breaking the immutable behavior with a different vulnerability posture and software configuration. Qualys CS also features policy-based orchestration to stop containers with vulnerable images from being spun up in Kubernetes clusters. Qualys CS can drill down to the host level to identify vulnerabilities and patch compliance to understand how the host impacts the containers.
`
Web App Firewall (WAF)

49. WAF can deploy virtual patches for confirmed vulnerabilities and can be managed from a centralized portal. With no special hardware to buy nor maintain, Qualys WAF’s virtual appliance can be deployed and scaled up quickly on premises using VMware, Hyper-V or Docker, and in public cloud platforms, such as AWS, Azure or Google Cloud Platform. WAF continuously communicates with the Qualys Cloud Platform, tracking configuration changes and sending it the latest security events.

50. WAF gives complete visibility into its data for continuous monitoring, risk assessments and remediation plans. A dashboard summarizes website traffic information and security event trends that include detailed threat information, suspicious activity, and actionable insights into the threat data. WAF continuously indexes security events into local Elasticsearch or Splunk clusters, making data instantly discoverable.

51. WAF protects web apps using security policies backed by Qualys’ security intelligence, and one-click responses to security events. Security needs can be addressed with simple, customizable and reusable policies and rules. Qualys’ out-of-the-box policies are designed for popular platforms such as WordPress, Joomla, Drupal, Outlook Web Application and Sharepoint. It also includes generic templates for unknown applications and frameworks.
`
Web App Scanning (WAS)

52. WAS finds and catalogs all web apps in the network, including new and unknown ones, and scales from a handful of apps to thousands. Qualys WAS tags applications with labels to control reporting and limit access to scan data. WAS’ dynamic deep scanning covers all apps on the perimeter, in the internal environment and under active development, and even APIs that support mobile devices. It also covers public cloud instances, and gives instant visibility of vulnerabilities like SQLi and XSS. With programmatic scanning of SOAP and REST API services, WAS tests IoT services and APIs used by mobile apps and modern mobile architectures.

53. WAS can insert security into application development and deployment in DevSecOps environments. WAS detects code security issues early and often, tests for quality assurance and generates comprehensive reports. With its tight Qualys WAF integration, WAS continuously monitors and virtually patches production apps. WAS scans an organization’s websites, and identifies and reports infections, including zero-day threats via behavioral analysis. Detailed malware infection reports accompany infected code for remediation. A central dashboard displays scan activity, infected pages and malware infection trends, and lets users initiate actions directly from its interface. Malware detection functionality is provided via an optional add-on.
`
Compliance Monitoring

54. Qualys’ Compliance Monitoring Solutions include Policy Compliance, Security Assessment Questionnaire, and PCI. Compliance Monitoring ensures that the organization must enforce internal policies, comply with external regulatory mandates, and assess the risk of doing business with vendors and other third parties. Compliance Monitoring uses a cloud-based solution to automate assessment of security and compliance controls in order to demonstrate a repeatable and trackable process to auditors and stakeholders.
`
DEFENDANT’S WILLFUL INFRINGEMENT OF FINJAN’S PATENTS

55. Defendant has infringed the ‘844, ‘494, ‘305, ‘408, ‘968, ‘731, and ‘154 Patents (collectively, the “Asserted Patents”) and continues to infringe the ‘305, ‘408, ‘968, ‘731 and ‘154 Patents in this Judicial District and elsewhere in the United States by, among other things, making, using, importing, selling, and offering for sale the Accused Products.

56. In addition to directly infringing the Asserted Patents under 35 U.S.C. § 271(a), Defendant indirectly infringed the ‘844, ‘494, ‘305, ‘408, ‘968 and ‘731 Patents and continues to indirectly infringe the ‘305, ‘408, ‘968 and ‘731 Patents by instructing, directing, and requiring others, including its customers, purchasers, users, and developers, to perform all or some of the steps of the method claims, either literally or under the doctrine of equivalents.
`
COUNT I
(Direct Infringement of the ‘844 Patent pursuant to 35 U.S.C. § 271(a))

57. Finjan repeats, realleges, and incorporates by reference, as if fully set forth herein, the allegations of the preceding paragraphs, as set forth above.

58. Defendant infringed Claims 1-44 of the ‘844 Patent in violation of 35 U.S.C. § 271(a).

59. Defendant’s infringement is based upon literal infringement or, in the alternative, infringement under the doctrine of equivalents.

60. Defendant’s acts of making, using, importing, selling, and offering for sale infringing products and services were without the permission, consent, authorization, or license of Finjan.

61. Defendant’s infringement included the manufacture, use, sale, importation and offer for sale of Defendant’s products and services that utilize Vulnerability Management, Threat Protection, Continuous Monitoring, Indicators of Compromise, Container Security, Web App Firewall, Web App Scanning, and Compliance Monitoring, including Qualys Cloud Platform products (collectively, “the ‘844 Accused Products”).

62. The ‘844 Accused Products practiced the patented invention of the ‘844 Patent and infringed the ‘844 Patent because they made or used the system and performed the steps of receiving a downloadable by an inspector, generating, by the inspector, a downloadable security profile that identifies suspicious code in the received downloadable, and linking, by the inspector, the downloadable security profile to the downloadable before a web server makes the downloadable available to web clients.
`
63. To the extent the ‘844 Accused Products used a system that includes modules, components or software owned by third parties, the ‘844 Accused Products still infringed the ‘844 Patent because Defendant is vicariously liable for the use of the patented system by controlling the entire system and deriving a benefit from the use of every element of the entire system. Similarly, to the extent Defendant’s customers performed a step or steps of the patented method or the ‘844 Accused Products incorporated third parties’ modules, components or software that performed one or more patented steps, Defendant’s ‘844 Accused Products still infringed the ‘844 Patent because the ‘844 Accused Products condition receipt by the third parties of a benefit upon performance of a step or steps of the patented method and establish the manner or timing of that performance.

64. The ‘844 Accused Products include an inspector that receives Downloadables for scanning.

QualysGuard Web Application Security presentation at 30, attached hereto as Exhibit 8.
`