Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 1 of 35
`Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 1 of 35
`
`
`
`EXHIBIT 1
`EXHIBIT 1
`
`
`
`

`

`
`
`Case 5:17-cv-00072-BLF Document 499 Filed 03/30/20 Page 1 of 34Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 2 of 35
`
`Redacted
`
`UNITED STATES DISTRICT COURT
`
`NORTHERN DISTRICT OF CALIFORNIA
`
`SAN JOSE DIVISION
`
`FINJAN, INC.,
`
`Case No. 17-cv-00072-BLF
`
`Plaintiff,
`
`v.
`
`CISCO SYSTEMS INC.,
`
`ORDER GRANTING IN PART AND
`DENYING IN PART CISCO’S MOTION
`FOR PARTIAL SUMMARY
`JUDGMENT OF NON-
`INFRINGEMENT
`
`Defendant.
`
`[Re: ECF 378]
`
` Plaintiff Finjan, Inc. (“Finjan”) brings this patent infringement lawsuit against Defendant
`
`Cisco Systems, Inc. (“Cisco”), alleging infringement of five of Finjan’s patents directed to computer
`
`and network security: U.S. Patent Nos. 6,154,844 (the “’844 Patent”); 6,804,780 (the “’780 patent”);
`
`7,647,633 (the “’633 patent”); 8,141,154 (the “’154 patent”); and 8,677,494 (the “’494 patent”).
`
`Cisco seeks summary judgment of non-infringement on 3 of the 5 asserted patents: the ’154 Patent,
`
`the ’633 Patent, and the ’780 Patent. Cisco also seeks summary judgment of no pre-suit damages.
`
`The Court heard oral arguments on January 9, 2020 (the “Hearing”).
`
`I.
`
`THE ACCUSED PRODUCTS
`
`The infringement allegations subject to Cisco’s motion for summary judgment primarily
`
`relate to Cisco’s Advanced Malware Protection (“AMP”) products under the following categories:
`
`(1) AMP Gateway/Cloud Products (for Enterprise) and AMP for Endpoints (collectively, “AMP
`
`Products”) and (2) Talos (or its component,
`
` and Threat Grid (collectively “Cisco
`
`Sandboxes”). Cisco Systems, Inc.’s Motion for Partial Summary Judgment (“MSJ”) at 1, ECF 382-
`
`3 (redacted version filed at ECF 378); Plaintiff Finjan, Inc.’s Opposition to Defendant Cisco
`
`Systems, Inc.’s Motion for Partial Summary Judgment (“Opp’n”) at 1-2, ECF 400-4 (redacted
`
`version filed at ECF 401). The AMP Products screen incoming files that are intended for a user’s
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`
`United States District Court
`
`

`

`
`
`Case 5:17-cv-00072-BLF Document 499 Filed 03/30/20 Page 2 of 34Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 3 of 35
`
`
`
`device for malicious content. MSJ at 1.
`
`For the AMP Gateway Products, a requested file is processed as follows:
`
`
`
`
`
`
`
`
`
`
`
`
`
` MSJ at 2. The AMP appliance may also send a copy of an unknown file to Cisco’s
`
`“sandboxes,” known as Threat Grid and
`
` Id. AMP for Endpoints operates similarly
`
`to AMP Gateway, except it runs on client (end-user) devices instead of running at a gateway. Id.
`
`Finjan also accuses the “URL rewriting” feature within the Cisco E-mail Security Appliance
`
`(“ESA”) with respect to the ’154 Patent only. MSJ at 2; Opp’n at 2. Cisco’s ESA products screen
`
`incoming emails for malicious content before they are delivered to a user’s inbox.
`
`II. LEGAL STANDARD
`
`Federal Rule of Civil Procedure 56 governs motions for summary judgment. Summary
`
`judgment is appropriate if the evidence and all reasonable inferences in the light most favorable to
`
`the nonmoving party “show that there is no genuine issue as to any material fact and that the moving
`
`party is entitled to a judgment as a matter of law.” Celotex Corp. v. Catrett, 477 U.S. 317, 322
`
`(1986). Rule 56 authorizes a court to grant “partial summary judgment” to dispose of less than the
`
`entire case and even just portions of a claim or defense. See Fed. R. Civ. P. advisory committee’s
`
`note, 2010 amendments.
`
`The moving party bears the burden of showing there is no material factual dispute, by
`
`“identifying for the court the portions of the materials on file that it believes demonstrate the absence
`
`of any genuine issue of material fact.” T.W. Elec. Serv. Inc. v. Pac. Elec. Contractors Ass’n, 809
`
`F.2d 626, 630 (9th Cir. 1987). In judging evidence at the summary judgment stage, the Court “does
`
`not assess credibility or weigh the evidence, but simply determines whether there is a genuine factual
`
`issue for trial.” House v. Bell, 547 U.S. 518, 559-60 (2006). A fact is “material” if it “might affect
`
`the outcome of the suit under the governing law,” and a dispute as to a material fact is “genuine” if
`
`2
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`
`United States District Court
`
`

`

`
`
`Case 5:17-cv-00072-BLF Document 499 Filed 03/30/20 Page 3 of 34Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 4 of 35
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`there is sufficient evidence for a reasonable trier of fact to decide in favor of the nonmoving party.
`
`Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986).
`
`In cases like this, where the nonmoving party will bear the burden of proof at trial on a
`
`dispositive issue (e.g., patent infringement), the nonmoving party must “go beyond the pleadings
`
`and by her own affidavits, or by the ‘depositions, answers to interrogatories, and admissions on file,’
`
`designate ‘specific facts showing that there is a genuine issue for trial.’” Celotex, 477 U.S. at 324.
`
`For a court to find that a genuine dispute of material fact exists, “there must be enough doubt for a
`
`reasonable trier of fact to find for the [non-moving party].” Corales v. Bennett, 567 F.3d 554, 562
`
`(9th Cir. 2009). In considering all motions for summary judgment, “[t]he evidence of the non-
`
`movant is to be believed, and all justifiable inferences are to be drawn in his favor.” Anderson, 477
`
`U.S. at 255; see also Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986).
`
`III. DISCUSSION
`
`A. The Parties’ Dispute Regarding Finjan’s Expert Reports on Infringement
`
`As an initial matter, the Court addresses a procedural dispute regarding Finjan’s expert
`
`reports on infringement. Finjan’s infringement theories in this case have been the subject of
`
`extensive motion practice. On April 18, 2019, Finjan moved to supplement (or amend) its
`
`infringement contentions pursuant to Local Patent Rule 3-6. ECF 231. On June 11, 2019,
`
`Magistrate Judge van Keulen denied Finjan’s motion and rejected its assertion that it was simply
`
`adding the codenames of particular components to its previous contentions regarding the associated
`
`functionality. ECF 274 at 6-7. Finjan sought relief from Judge van Keulen’s order, which this Court
`
`denied on July 17, 2019. ECF 304 at 3-4. Finjan served its expert infringement reports – which
`
`included the codenames in dispute – and Cisco moved to strike. ECF 312. The Court granted
`
`Cisco’s motion and directed Finjan’s experts to “redraft their reports to remove the disallowed
`
`terminology and Talos-only allegations, and to ensure that their opinions track the disclosures in
`
`Finjan’s operative infringement contentions.” ECF 397 at 7. At the Hearing, the parties informed
`
`the Court that they had not yet finalized the revised infringement expert reports. See Transcript of
`
`Proceedings Before the Honorable Beth Labson Freeman on January 9, 2020 (“Hr’g Tr.”) at 49:18-
`
`50:21, ECF 419.
`
`3
`
`Northern District of California
`
`United States District Court
`
`

`

`
`
`Case 5:17-cv-00072-BLF Document 499 Filed 03/30/20 Page 4 of 34Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 5 of 35
`
`
`
`As a result, the basis for Cisco’s present motion for summary judgment is Finjan’s now-
`
`stricken expert reports that include the disallowed codenames. In several instances, Cisco seeks
`
`summary judgment on the ground that that the accused codenames have been stricken and thus,
`
`cannot be relied upon to show infringement. The Court rejects those arguments wholesale without
`
`prejudice. As the Court explained at the Hearing, the Court struck certain codenames from Finjan’s
`
`expert reports – but not the experts’ opinions generally. Hr’g Tr. at 50:22-51:6. The Court further
`
`allowed Finjan to amend its reports and substitute the disallowed codenames with functionalities
`
`that were included in Finjan’s infringement contentions. As of the date of this Order, the Court is
`
`not aware of any amended expert reports. Accordingly, the Court decides on Cisco’s motion for
`
`summary judgment under the assumption that the codenames used in the expert reports (and the
`
`parties’ briefing) have a corresponding functionality in the infringement contentions and thus, are
`
`still in the case. If, however, Finjan is unable to show that the functionalities corresponding to the
`
`codenames were included in its operating infringement contentions, the Court would entertain that
`
`dispute in a motion in limine. See Hr’g Tr. at 159:14-17.
`
`B. Non-infringement of the ’154 Patent
`
`1. Background of the ’154 Patent
`
`The ’154 patent is directed to a system and a method “for protecting a client computer from
`
`dynamically generated malicious content[.]” ’154 Patent at Abstract. Conventional reactive anti-
`
`virus applications perform file scans looking for a virus’s signature against a list known virus
`
`signatures kept on a signature file and thus, cannot protect against first time viruses or if a user’s
`
`signature file is out of date. ’154 Patent at 1:25-31, id. at 2:32-37. Proactive anti-virus application,
`
`on the other hand, use “a methodology known as ‘behavioral analysis’ to analyze computer content
`
`for the presence of viruses.” Id. at 1:56-58.
`
`Dynamic virus generation occurs at runtime where dynamically generated HTML contains
`
`malicious JavaScript code. ’154 Patent at 3:53-64. For example the JavaScript function
`
`document.write() is used to generate dynamic HTML at runtime. Id. at 3:53-57. Malicious code
`
`inserted in a document.write() function would not be caught prior to runtime because the malicious
`
`code is not present in the content prior to runtime. Id. at 3:65-4:4. To this point, the ’154 Patent
`
`4
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`
`United States District Court
`
`

`

`
`
`Case 5:17-cv-00072-BLF Document 499 Filed 03/30/20 Page 5 of 34Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 6 of 35
`
`
`
`concerns a “new behavioral analysis technology [that] affords protection against dynamically
`
`generated malicious code, in addition to conventional computer viruses that are statically
`
`generated.” Id. at 4:31-34.
`
`The basic setup of the ’154 Patent involves three components: (1) gateway computer
`
`including a content modifier, (2) client computer including a content processor, and (3) security
`
`computer including an inspector, a database of client security policies, and an input modifier. ’154
`
`Patent at 9:5-11. A preferred embodiment describes a gateway computer that receives content
`
`including a call to an original function and an input. Id. at 5:6-9. The gateway computer then
`
`substitutes the call to the original function with a corresponding call to a substitute function, which
`
`operates to send the input to a security computer for inspection. Id. at 5:10-15. The gateway
`
`computer transmits the “modified content from the gateway computer to the client computer,
`
`processing the modified content at the client computer.” Id. at 5:13-15. The client computer then
`
`transmits “the input to the security computer for inspection when the substitute function is invoked.”
`
`Id. at 5:15-17. The security computer first determines “whether it is safe for the client computer to
`
`invoke the original function with the input.” Id. at 5:17-19. The security computer then transmits
`
`“an indicator of whether it is safe for the client computer to invoke the original function with the
`
`input,” to the client computer. Id. at 5:19-22. The client computer invokes the original function
`
`“only if the indicator received from the security computer indicates that such invocation is safe.”
`
`Id. at 5:22-24.
`
`Claim 1 (the only asserted independent claim of the ’154 Patent) provides:
`
` A
`
` system for protecting a computer from dynamically generated
`malicious content, comprising:
`
`
`a content processor (i) for processing content received over a
`network, the content including a call to a first function, and
`the call including an input, and (ii) for invoking a second
`function with the input, only if a security computer indicates
`that such invocation is safe;
`
` a
`
` transmitter for transmitting the input to the security
`computer for inspection, when the first function is invoked;
`and
`
` a
`
` receiver for receiving an indicator from the security
`computer whether it is safe to invoke the second function with
`
`5
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`
`United States District Court
`
`

`

`
`
`Case 5:17-cv-00072-BLF Document 499 Filed 03/30/20 Page 6 of 34Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 7 of 35
`
`
`
`the input.
`
`’154 patent, 17:32-44.
`
`The Court construed “first function / second function” as “substitute function / original
`
`function, which is different than the first function.” Order Construing Claims in U.S. Patent Nos.
`
`6,154,844; 6,804,780; 7,647,633; 8,141,154; 8,677,494 (“Markman Order I”) at 35, ECF 134.
`
`2. AMP Products
`
`The non-infringement dispute raised in Cisco’s motion for summary judgment is centered
`
`on whether the AMP Products satisfy the claimed “content” that includes a “call to a first [i.e.,
`
`substitute] function” as construed by the Court.1 Cisco argues that it is entitled to summary
`
`judgment as to the accused AMP Products because “AMP does not substitute calls to functions into
`
`any content that it receives.” MSJ at 5. According to Cisco, (1)
`
`2)
`
`
`
`
`
`
`
`
`
`infringement analysis, Cisco argues, “both the ‘substitute function’ and the ‘original function’ can
`
`exist within the content as it was originally created,” which in turn “renders the word ‘substitute’
`
` Id. at 5-6. Under Finjan’s
`
`meaningless.” Id. at 6.
`
`Finjan responds that claim 1, under the Court’s claim construction, does “not require that the
`
`system have a gateway or a content modifier.” Opp’n at 3. Relying on that premise, Finjan argues
`
`that it has demonstrated that there is a “substitute” function (or first function) which is different
`
`from the “second function.” Id. The allegedly infringing example that Finjan provides is that “there
`
`are scenarios where the hacker or some other process modifies the original content by inserting a
`
`substitute function in place of the original function.” Id. (citing Expert Report of Michael
`
`Mitzenmacher, Ph.D. Regarding Infringement by Cisco Systems, Inc. of Patent Nos. 6,804,780 and
`
`
`1 In its moving papers, Cisco argued that Finjan’s infringement expert, Dr. Mitzenmacher, relied on
`an incorrect interpretation of the Court’s claim construction. MSJ at 4-5. As the briefing progressed,
`however, it appears that the parties no longer present a claim construction dispute. See Opp’n at 4,
`Reply at 2, Hr’g Tr. at 57:1-20, ECF 419. Thus, the Court need not address this argument.
`6
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`
`United States District Court
`
`

`

`
`
`Case 5:17-cv-00072-BLF Document 499 Filed 03/30/20 Page 7 of 34Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 8 of 35
`
`
`
`8,141,154 (“Mitz. Rpt”) ¶ 1934, ECF 400-6). At the Hearing, Finjan provided the same example.
`
`See Hr’g Tr. at 59:19-25.
`
`The Court is not persuaded by Finjan’s arguments because they are inconsistent with the
`
`patent’s specification and the Court’s Markman Order. Under Finjan’s theory, the “substitute
`
`function” can be supplied by an external actor (e.g., a hacker) outside the control of any accused
`
`product. See Hr’g Tr. at 63:13-18. This theory is contrary to how the ’154 Patent describes the
`
`invention. According to the ’154 Patent’s own language:
`
`To enable the client computer to pass function inputs to the security
`computer and suspend processing of content pending replies from the
`security computer, the present invention operates by replacing
`original function calls with substitute function calls within the
`content, at a gateway computer, prior to the content being received
`at the client computer.
`
`’154 Patent at 4:55-60 (emphasis added). It is the “invention” that replaces the “original” function
`
`with a “substitute” function – not an external factor such as a hacker. As Judge Alsup explained in
`
`Finjan’s case against Juniper, a “substitute function” supplied by an external system “ultimately
`
`amounts to the original content initially received by the claimed system” and not a “substitute”
`
`function. Finjan, Inc. v. Juniper Networks, Inc., No. C 17-05659 WHA, 2019 WL 3302717, at *2
`
`(N.D. Cal. July 23, 2019).
`
`Finjan’s “hacker” theory is also inconsistent with the Court’s construction of “first
`
`function/second function.” It is true that claim 1 does not recite or claim a “gateway that modifies
`
`content.” See Markman Order I at 38. But, in construing “first function” to mean “substitute
`
`function,” the Court acknowledged that the content received by the “content processor” includes a
`
`call to “substitute function” — which replaced the “original function” at the (unclaimed) gateway.
`
`See Markman Order I at 38 (“[T]he specification clearly discloses a content modifier in the gateway
`
`that modifies original content to replace the original function with the substitute function.”) (citing
`
`’154 Patent at 9:13–28). The Court explained that “a person of ordinary skill in the art would
`
`understand that the ‘first function’ corresponds to the substitute function in light of the claim
`
`language and the specification.” Markman Order at 38. Thus, the Court’s claim construction
`
`7
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`
`United States District Court
`
`

`

`
`
`Case 5:17-cv-00072-BLF Document 499 Filed 03/30/20 Page 8 of 34Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 9 of 35
`
`
`
`requires the “original function” be replaced by the “substitute function.”2 To hold otherwise, renders
`
`the word “substitute” in the Court’s construction meaningless.
`
`To support its position, Cisco cites to Judge Alsup’s decision in Finjan’s case against
`
`Juniper, finding that the “the substitute function exists only after the original content is modified at
`
`the gateway computer.” Finjan, Inc. v. Juniper Networks, Inc., 387 F. Supp. 3d 1004, 1011 (N.D.
`
`Cal. 2019) (citing ’154 Patent at 9:13–28). To be clear, Judge Alsup was tasked with construing the
`
`term “content processor” – which this Court had no occasion to construe. See id. at 1010-13. That
`
`said, the Court finds Judge Alsup’s analysis well-reasoned and supported by the ’154 Patent’s
`
`specification explaining that “the present invention operates by replacing original function calls with
`
`substitute function calls within the content, at a gateway computer, prior to the content being
`
`received at the client computer.” ’154 Patent at 4:55-60.
`
`In addition, the Court finds Finjan’s “hacker” theory contrary to the Federal Circuit’s
`
`understanding of claim 1. The Federal Circuit explained:
`
`The ’154 patent has four independent claims (1, 4, 6, and 10), each
`reciting a system or software program that executes a substitute
`function. The substitute function inspects the input to an original
`function to determine if executing the original function with the input
`violates a security policy.
`…
`In the language of the ’154 patent, the “first function” is the inspection
`step in which the content is assessed for safety, and the “second
`function” is when, having been deemed safe, the content is actually
`run.
`
`Palo Alto Networks, Inc. v. Finjan, Inc., 752 F. App’x 1017, 1018 (Fed. Cir. 2018). The Court is
`
`not persuaded that a hacker’s code “inspects the input” to “determine if executing the original
`
`function with the input violates a security policy” or operate as “the inspection step.” See id.3 In
`
`sum, the Court finds that Finjan’s “hacker” infringement theory fails to meet the requirements of
`
`
`2 The Court notes that in its case against Proofpoint, Finjan made such an argument to address claim
`construction of the same disputed term (i.e., first function/second function). See Finjan, Inc., v.
`Proofpoint, Inc., No. 13-CV-05808-HSG, 2015 WL 7770208, at *8 (N.D. Cal. Dec. 3, 2015) (“Plaintiff
`notes that . . . the original function is replaced by the substitute function at the gateway, before the
`security computer receives the content.”) (emphasis in original).
`
` 3
`
` The Court notes that Judge Alsup similarly rejected Finjan’s “hacker” theory. See Finjan, Inc. v.
`Juniper Networks, Inc., 2019 WL 3302717, at *2.
`
`
`8
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`
`United States District Court
`
`

`

`
`
`Case 5:17-cv-00072-BLF Document 499 Filed 03/30/20 Page 9 of 34Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 10 of 35
`
`
`
`claim 1.
`
`Next, Finjan asserts that there are other disputed issues of fact that preclude summary
`
`judgment. Opp’n at 5. The Court addresses and rejects each purported dispute below.
`
`First, Finjan argues that “Cisco’s non-infringement arguments for the AMP Products only
`
`address when the AMP Cloud is the identified security computer, such that Cisco is not seeking
`
`summary disposition for AMP Products in combination with Threat Grid and
`
` and when
`
`they are the security computer.” Opp’n at 4-5. Cisco responds that it, in fact, “seeks summary
`
`judgment on all accused products, and the identity of the ‘security computer’ is irrelevant to the
`
`issues” because “the AMP Products never receive ‘content’ with a call to a substitute function” –
`
`irrespective of what Finjan accuses as the “security computer.” Cisco Systems, Inc.’s Reply in
`
`Support of Its Motion for Partial Summary Judgment (“Reply”) at 1, ECF 407-3 (redacted version
`
`filed at ECF 408). The Court agrees with Cisco. As discussed above, Finjan has not identified
`
`“content” including “a call to a substitute function” in the AMP Products – making the identity of
`
`the security computer irrelevant.
`
`Second, Finjan claims that Cisco’s declarants4 and Finjan’s expert disagree as to whether
`
`AMP Products substitute functions. Without explaining how Dr. Mitzenmacher’s cited examples
`
`show that AMP “substitutes calls into the content that it receives,” Finjan string cites to several
`
`paragraphs in Dr. Mitzenmacher’s expert report and his deposition transcript. See Opp’n at 5 (citing
`
`Mitz. Rpt ¶¶ 1678, 1917, 1919, 2001-2004; see also Ex. 3, 8/30/19 Mitz. Tr. at 110:21-111:13).
`
`Cisco replies that “those paragraphs do not explain how a call to any function was substituted into
`
`the content, nor how any such call results in transmitting an input to a security computer for
`
`inspection, and ¶¶1917 and 1919 do not even relate to AMP.” Reply at 3. The Court agrees with
`
`
`4 In support of its motion for summary judgment, Cisco relies on declarations from 8 of its
`employees, describing the operation and features of Cisco’s products. See ECF 382-11, ECF 382-
`13, ECF 382-15, ECF 382-17, ECF 382-19, ECF 382-21, ECF 382-23, ECF 382-25. Finjan
`criticizes Cisco’s reliance on those fact declarations because the declarants “did not appear to have
`read or understood the ‘154 Patent and the Court’s Claim Construction[.]” Opp’n at 5. Cisco
`responds that the declarations simply cover “product operation [that] is undisputed in all material
`respects.” Reply at 1. The Court is not aware of any authority (and Finjan has not cited to any) that
`would prohibit Cisco from relying on fact witnesses’ testimony regarding the operation of its
`products – and thus, rejects Finjan’s complaints regarding the employee declarations.
`9
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`
`United States District Court
`
`

`

`
`
`Case 5:17-cv-00072-BLF Document 499 Filed 03/30/20 Page 10 of 34Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 11 of 35
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Cisco. Paragraphs 1917 and 1919 of Dr. Mitzenmacher’s report discuss Cisco’s ESA with Outbreak
`
`Filters and not AMP Products. See Mitz. Rpt ¶¶ 1917, 1919. The remaining cited paragraphs simply
`
`name various features as “substitute function” but fail to describe (and so does Finjan in its
`
`Opposition brief) how AMP Products do any sort of substitution. See Mitz. Rpt ¶¶ 1678, 2001-
`
`2004. As for Dr. Mitzenmacher’s deposition testimony, he testified:
`
`Do you think -- let me strike that. Is it your opinion that a
`Q.
`Cisco product reading content could insert a function into the content?
`…
`I’m not exactly clear what you’re meaning, but in the manner
`A.
`I described, like, it is, you know, changing the interpretation of a
`function to do something other than what the function would be doing
`without the Cisco product.
`So it’s inserting something in the process somewhere, so I would view
`that as a -- a change in the interpretation of the content.
`
`Transcript of Videotaped Deposition of Michael Mitzenmacher Ph.D. (“Mitz. Dep.”) at 111:14-25,
`
`ECF 400-10. Finjan fails to explain how and why Dr. Mitzenmacher’s testimony regarding “change
`
`in the interpretation of the content” means that AMP Products substitute calls into the content they
`
`receive. Finjan relies on an implausible inference from Dr. Mitzenmacher’s testimony that it fails
`
`to explain in sufficient detail for the Court to credit its argument.
`
`Third, Finjan argues that “Dr. Mitzenmacher provides examples of first functions that the
`
`AMP Products receive.” Opp’n at 5 (citing Mitz. Rpt ¶¶ 1934-1947, 1966, 1996-98, 2042, 2046-
`
`47). Cisco replies that “none of those paragraphs explain how a call to any of the functions he
`
`identifies was substituted into the content, much less how it would result in transmitting an input to
`
`a security computer for inspection, when invoked.” Reply at 3. Again, the Court agrees with Cisco.
`
`First, to the extent the string cited paragraphs relate to Finjan’s theory that a hacker (or other
`
`malicious content) provides the substitute function, the Court has rejected that theory. The
`
`remaining paragraphs appear to discuss generally the AMP Products receiving “a call to a first
`
`function” but do not explain how the AMP Products supply the “substitute function.” See Mitz. Rpt
`
`¶¶ 1966, 1996-98, 2042, 2046-47.
`
`Fourth, Finjan argues that there is material dispute as to whether AMP Products only send
`
`hash values to the AMP Cloud – as opposed to other inputs such as URLs. Opp’n at 5 (citing Mitz.
`
`Rpt ¶¶ 2043-45). Cisco replies that “[w]hatever the ‘AMP Cloud receive[s]’ does not impact
`
`10
`
`Northern District of California
`
`United States District Court
`
`

`

`
`
`Case 5:17-cv-00072-BLF Document 499 Filed 03/30/20 Page 11 of 34Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 12 of 35
`
`
`
`whether a substitute function call in the received content sends the input to the AMP Cloud when
`
`invoked, which is the issue.” Reply at 3. The Court agrees. The issue is whether the AMP products
`
`receive content including a call to a “substitute function” as construed by the Court – not the type
`
`of content AMP receives.
`
`***
`
`Accordingly, the Court finds that Finjan has failed to identify any material disputed facts as
`
`to the AMP Products. Cisco’s Motion for Summary Judgment is GRANTED with respect to non-
`
`infringement of the asserted claims of the ’154 Patent by AMP Products.
`
`3. Email Security Appliance
`
`a. URL Rewriting
`
`Uniform resource locator (“URL”) rewriting is a feature of Cisco’s Outbreak Filters,
`
`available on Cisco’s ESA or Cloud Email Security (“CES”). MSJ at 8; see also Mitz. Rpt ¶ 2130.
`
`The parties do not dispute the overall functionality of URL rewriting – when Outbreak Filters
`
`receive an incoming email, they may “rewrite” a URL within the received email, where the rewritten
`
`URL includes an additional address to a Cisco proxy server. Declaration of Don Owens in Support
`
`of Cisco Systems, Inc.’s Motion for Partial Summary Judgment (“Owens Decl.”) ¶¶ 4, 6-7, ECF
`
`382-21; Mitz. Rpt ¶ 2130. Once the user clicks on the rewritten URL, the user’s request will flow
`
`through the proxy server and be evaluated for potentially malicious content. Owens Decl. ¶¶ 8, 10-
`
`12; Mitz. Rpt ¶ 2130; see also Hr’g Tr. at 72:9-15.
`
`Cisco acknowledges that Finjan “identifies some sort of ‘substitution’” as to the URL
`
`rewriting feature – namely, the rewritten URL is a substitute for the original URL. MSJ at 7. Still,
`
`Cisco argues that Finjan’s infringement theories fail because “Finjan cannot satisfy the requirements
`
`of claim 1 that the ‘incoming content’ have (i) a call to a first function, (ii) a second function (which
`
`is different than the first function), and (iii) an ‘input’ that is the same for both.” Id. According to
`
`Cisco, Finjan’s infringement theory amounts to the original URL (e.g., cnn.com) corresponding to
`
`“original function,” and “input to the original function” – while the rewritten URL must satisfy both
`
`the “substitute function” and “the call to the substitute function.” Id. at 7-8. Moreover, Cisco argues
`
`that a URL is simply an address and thus, is neither a function nor a call to a function. Id. at 8.
`
`11
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`
`United States District Court
`
`

`

`
`
`Case 5:17-cv-00072-BLF Document 499 Filed 03/30/20 Page 12 of 34Case 5:17-cv-04467-BLF Document 320-2 Filed 12/02/20 Page 13 of 35
`
`
`
`Finjan responds that its expert “identified a mountain of evidence demonstrating that Cisco’s
`
`ESA receives content with a call to a first (substitute) function, which complies with the Court’s
`
`claim construction.” Opp’n at 7 (citing Mitz. Rpt at ¶¶ 2115-2214). Specifically, Finjan identifies
`
`(1) emails as received “content”, (2) the processing of the rewritten URL as “call to first function”,
`
`(3) URL address to the original content (e.g., cnn.com) as “input” sent to the security computer, and
`
`(4) the call to “http://” which calls a “GET” function to process a URL address as the “original
`
`function” invoked when the security computer determines that the input is safe. Opp’n at 7 (citing
`
`Mitz. Rpt ¶¶ 2130, 2122, 2311, 2335, 2340, 2347-48, 2154). Finjan further argues that Cisco
`
`“confuses and conflates the original URL address (i.e., youtube.com) with a call to process the
`
`rewritten function (http://secure-web.cisco.com/auth=).” Opp’n at 8. According to Finjan, the latter
`
`“calls functionality on the identified security computer to perform an authentication and provide a
`
`response.”
`
`The Court finds that the parties’ dispute concerning the manner in which Cisco’s URL
`
`rewriting feature utilizes URL functionality precludes summary judgment. Specifically, the parties
`
`dispute whether a URL (or a portion thereof) can be a “function,” or a “call to function” – with
`
`Cisco arguing that URLs are nothing more than addresses and Finjan responding that the processing
`
`of a URL can be a function. Rendering all inferences in Finjan’s favor, a reasonable jury could find
`
`that “http://” (calling a GET function) satisfies the “original function” claimed because it is invoked
`
`when the security computer determines that the input (original URL such as cnn.com) is safe or that
`
`the processing of the rewritten URL is a “call