`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE DISTRICT OF DELAWARE
`
`FINJAN LLC, a Delaware Limited Liability
`Company,
`
`Plaintiff,
`
`v.
`
`RAPID7, INC., a Delaware Corporation
`and RAPID7 LLC, a Delaware Limited
`Liability Company,
`
`Defendants.
`
`C.A. No. 1:18-cv-01519-MN
`
`Jury Trial Demanded
`
`REDACTED VERSION
`(Filed on October 9, 2020)
`
`LETTER TO THE HONORABLE MARYELLEN NOREIKA
`REGARDING MOTION FOR PARTIAL SUMMARY JUDGMENT
`
`Richard L. Renck (No. 3893)
`DUANE MORRIS LLP
`222 Delaware Avenue, Suite 1600
`Wilmington, DE 19801-1659
`Tel.: (302) 657-4900
`Fax: (302) 657-4901
`RLRenck@duanemorris.com
`
`Counsel for Defendants
`Rapid7, Inc. and Rapid7 LLC
`
`Sealed Version
`Dated: October 2, 2020
`
`*OF COUNSEL:
`L. Norwood Jameson
`Matthew C. Gaudet
`David C. Dotson
`John R. Gibson
`Robin McGrath
`Jennifer H. Forte
`DUANE MORRIS LLP
`1075 Peachtree Street NE, Suite 2000
`Atlanta, GA 30309
`Tel.: (404) 253-6900
`wjameson@duanemorris.com
`mcgaudet@duanemorris.com
`dcdotson@duanemorris.com
`
`Jarrad M. Gunther
`Joseph A. Powers
`DUANE MORRIS LLP
`30 South 17th St.
`Philadelphia, PA 19103-4196
`Tel.: (215) 979-1837
`jmgunther@duanemorris.com
`japowers@duanemorris.com
`
`
`
`Case 1:18-cv-01519-MN Document 194 Filed 10/09/20 Page 2 of 8 PageID #: 6725
`
`Jordana Garellek
`DUANE MORRIS LLP
`1540 Broadway
`New York, NY 10036-4086
`Tel.: (212) 471-1829
`jgarellek@duanemorris.com
`
`*admitted pro hac vice
`
`RICHARD L. RENCK
`E-MAIL: RLRenck@duanemorris.com
`
`October 2, 2020
`
`VIA ECF
`
`REDACTED VERSION
`
`The Honorable Judge Maryellen Noreika
`844 N. King Street, Unit 19, Room 4324
`Wilmington, DE 19801-3555
`Re: Finjan LLC v. Rapid7, Inc. and Rapid7 LLC, Case No. 18-1519-MN (D. Del.)
`
`Dear Judge Noreika:
`
`Defendants Rapid7, Inc. and Rapid7 LLC (collectively, “Rapid7”) respectfully seek
`permission to file a motion for partial summary judgment of non-infringement regarding all but
`one accused product, for one asserted patent. Rapid7’s products are in entirely different areas of
`cybersecurity than the asserted patents. Accordingly, there are fundamental and irreconcilable
`differences between Rapid7’s products and the asserted patents.
`Finjan’s patents are about determining whether a file sent to a user is malware, i.e., a file
`that will create or exploit a vulnerability on the user’s network or applications. Thus, the emphasis
`is on analyzing the incoming file. Many companies offer such products (and Finjan has already
`sued or licensed most of them), but Rapid7 is not one of them. Rapid7 is in a completely different
`part of the computer security market. Rapid7’s products predominantly examine the user’s
`computer network or applications to identify “vulnerabilities,” which are areas that are potentially
`vulnerable to attack by malware/malicious code, as explained by both Finjan’s expert Dr.
`Medvidovic and Rapid7’s expert Dr. Almeroth.
`
`
`
`
`
`
`As explained below, Finjan attempts to fit a square peg in a round hole asserting its patents (related
`to inspecting incoming files for malware) against Rapid7’s products (which predominantly inspect
`a customer’s network or own web application to determine if they are vulnerable to attack).
`The asserted Patents in this case are U.S. 8,677,494 (’494 Patent); 8,079,086 (’086 Patent);
`8,141,154 (’154 Patent); 7,757,289 (’289 Patent); 7,975,305 (’305 Patent); 8,225,408 (’408
`Patent); and 7,613,918 (’918 Patent). D.I. 1-1. The relevant accused products are InsightVM,
`Nexpose, InsightAppSec, AppSpider, InsightIDR, and Metasploit. For purposes of Rapid7’s
`proposed motion, InsightVM and Nexpose (collectively “Nexpose”) operate the same way, and
`InsightAppSec and AppSpider (collectively, “AppSpider”) operate the same way (although
`InsightVM and InsightAppSec are not at issue for the ’494 and ’086 Patents). Accused
`functionality relevant to the various products and asserted patents is discussed below.
`’305, ’408, ’494, ’086 Patents – Nexpose, AppSpider, and Metasploit Products
`Each of these patents relates to detecting malware. The ’305 Patent asserted claim requires
`receiving an “incoming Downloadable” and scanning it “to recognize potential computer exploits
`therewithin . . . computer exploits being portions of program code that are malicious.” D.I. 1-
`1, ’305 Patent, cl. 25. The ’408 Patent asserted claims similarly require “indicating [. . .] the
`presence of potential exploits within the incoming stream” of program code, again specifying that
`“exploits” are “portions of program code that are malicious.” D.I. 1-1, ’408 Patent, cl. 1, 4, 22,
`29. Similarly, all asserted claims of the ’494 Patent, and asserted claims 1, 4, 17, and 24 of the
`’086 Patent require receiving an “incoming Downloadable” and “deriving security profile data for
`the Downloadable, including a list of suspicious computer operations that may be attempted
`by the Downloadable.” D.I. 1-1, ’494 Patent, cl. 1; ’086 Patent cl. 1, 4, 17, 24. Asserted claim 42
`of the ’086 Patent requires receiving an “incoming Downloadable” and “retrieving security profile
`data . . . including a list of suspicious computer operations that may be attempted by the
`Downloadable”. D.I. 1-1, ’086 Patent, cl. 42. The Court construed “list of suspicious operations”
`in the ’494 and ’086 Patents as “list of computer operations derived from a received
`Downloadable that are deemed hostile or potentially hostile.” D.I. 123 at 2. The Court construed
`“Downloadable” as “an executable application program, which is downloaded from a source
`computer and run on a destination computer.” Id. at 1.
`It is undisputed that Nexpose and AppSpider identify vulnerabilities within a
`customer’s network or a customer’s web applications. Ex. C, Green Tr. 58:14-17; Ex. D,
`Giakouminakis Tr. 55:15-23. Likewise, it is undisputed that Metasploit is a penetration testing
`tool that tests a customer’s network or applications through the use of attack modules to verify
`vulnerabilities on the customer’s network or applications. Ex. E, Cook Tr. 19:13-20:17, 24:18-
`25:22. The issue at summary judgment is a legal question for the Court: whether vulnerabilities
`can satisfy the asserted claims’ requirements relating to identifying potentially malicious program
`code (’305 and ’408 Patents) or computer operations derived from a received Downloadable that
`are deemed hostile or potentially hostile (’494 and ’086 Patents).
`A vulnerability is a potential weakness in a computer system that may be exploited by
`malicious code or hostile operations. Customers use Nexpose, AppSpider, and Metasploit to
`identify and validate vulnerabilities in their networks, and prioritize what vulnerabilities their IT
`team should remediate first. These Rapid7 products are akin to a security consultant checking a
`house to determine if there are unlocked doors or windows – i.e., potential vulnerabilities – that a
`malicious intruder might use to enter the house, and providing the homeowner with a report
`ranking which windows or doors are most likely to be used by an intruder. Finjan’s patents, in
`contrast, are akin to the home owner hiring a security guard to stand in front of the house and
`determine whether people seeking to enter are malicious intruders, so they can be turned away.
`An unlocked window is not itself malicious/hostile, but rather it potentially renders the house more
`vulnerable to malicious/hostile activity. These are two completely different approaches to security.
`There is no factual dispute that Nexpose, AppSpider and Metasploit do not detect malicious
`code or potentially hostile operations that an incoming executable application program can
`perform. For example, Rapid7’s Rule 30(b)(6) designee for Nexpose confirmed that it cannot
`detect anything other than vulnerabilities.
`
`). He further testified
` Finjan, not
`surprisingly, stopped asking these basic questions in subsequent depositions for other accused
`products, but the same is true for AppSpider and Metasploit. Any attempt by Finjan to manufacture
`a factual dispute can be fully addressed during the summary judgment briefing process.
`’494 and ’086 Patent – InsightIDR Product
`Finjan also alleges the InsightIDR product infringes the ’494 and ’086 Patents. Each
`asserted claim of the ’494 and ’086 Patents requires “receiv[ing] an incoming Downloadable” and
`either deriving or retrieving “security profile data for the incoming Downloadable” that includes a
`“list of suspicious computer operations that may be attempted by the Downloadable.” ’494 Patent,
`cl. 10; ’086 Patent, cl. 1, 17, 24, 42. Unlike the above Rapid7 products, InsightIDR has the ability
`to identify behaviors or activity occurring on a customer’s network that are potentially malicious.
`It does so by monitoring activity that takes place on a customer’s network
`
`However, InsightIDR
`does not monitor (or analyze, inspect, scan, etc.) any incoming application programs to determine
`if they perform suspicious operations. InsightIDR thus does not receive an “incoming
`Downloadable,” and does not derive or retrieve a security profile “including a list of suspicious
`computer operations that may be attempted by the Downloadable.”
`For both patents, Finjan alleges that “Insight Agents [which are a component of
`InsightIDR] receive Downloadables through monitoring employee and server endpoints.” Ex. F,
`Cole Rep. ¶¶ 309, 509. Finjan’s expert identifies as an “incoming Downloadable” information
`such as log data gathered from a customer network, or
` First, the information received by Insight Agents
`and evaluated by InsightIDR is not an “incoming Downloadable” (i.e., an incoming “executable
`application program”), and Finjan’s expert does not even attempt to explain how it could be. For
`the only thing he identifies that could even arguably be considered a “Downloadable”, he misstates
`the testimony of Rapid7’s Rule 30(b)(6) designee, arguing that
`. To the contrary, the testimony states
`
`that
`
` Id.
`Second, the information Finjan identifies as “security profile data” is not “a list of
`suspicious computer operations that may be attempted by the Downloadable”. The information
`InsightIDR receives
`
` Ex. G, Adams Tr. at 97:23-98:25; Ex. F, Cole Rep. 375, 376. In other words,
`InsightIDR does not scan incoming Downloadables to identify suspicious operations that they may
`perform. Instead, it observes activity that is already happening on the customer’s network and
`attempts to determine whether that activity is potentially malicious.
`’154 Patent – All Accused Products
`The only asserted claim of the ’154 Patent requires “transmitting [an input to a call to a
`first function within content received over a network] to the security computer for inspection, when
`the first function is invoked;” “receiving an indicator from the security computer whether it is safe
`to invoke the second function with the input;” and “invoking a second function with the input,
`only if a security computer indicates that such invocation is safe.” ’154 Patent, cl. 1.
`
`1 Finjan identifies, e.g.,
`
`For Nexpose (including in combination with Metasploit) and AppSpider, Finjan accuses a
`“web spidering” capability, which “crawls” (i.e., accesses) a web page and performs tests on the
`web page to identify vulnerabilities. Ex. H, Mitz. Rep. ¶¶ 236, 287; Ex. I, Mitz. Tr. 93:6-94:14.
`Finjan argues that the process of crawling the web page and testing it for vulnerabilities invokes
`the “functions” within that webpage, including the claimed “first function”. Ex. H, Mitz. Rep. ¶¶
`239, 298-299; Ex. I, Mitz. Tr. at 30:9-23, 90:13-19, 94:17-24. Finjan argues that the process of
`testing the crawled webpage to identify vulnerabilities or to identify associated risk scores is
`indicating whether “such invocation is safe.” Ex. H, Mitz. Rep. ¶¶ 429, 441; Ex. I, Mitz. Tr. 104:2-
`8. Finjan alleges that the “second function” that is invoked is “the same as the first function.” Ex.
`H, Mitz. Rep. ¶¶ 305, 339. This theory fails as a matter of law because it cannot satisfy the
`requirement of “invoking a second function with the input, only if a security computer indicates
`that such invocation is safe.” Because Finjan has alleged that the scanning and crawling process
`invokes all functions within the web page, then any alleged “second function” within that webpage
`was already invoked in order to determine whether any vulnerability exists as a threshold issue
`(i.e., before anything is sent to the alleged “security computer,” and before the “security computer”
`can indicate whether the input is safe). Therefore, the alleged “second function” is not invoked
`“only if” the “security computer” indicates that such invocation is safe, as required by the claim.
`For the InsightIDR product (including in combination with Nexpose), Finjan accuses
`functionality in which
`
`Finjan argues that the “input” is
`
`acknowledges,
`
`” Ex. H, Mitz. Rep. ¶ 365. However, as Finjan
`
` This cannot satisfy the requirements of claim 1. First,
`
`, “only if” safe as required by claim 1. Finjan does not
`identify any “second function” that is invoked with
` as its “input,” and it is undisputed that
` is not used as an input to any “second function”. Ex. I, Mitz. Tr. 135:18-136:8; Ex. H,
`Mitz. Rep. ¶¶ 365, 367. Second, it is undisputed that InsightIDR’s Insight Agent creates
`. The claim, however, requires that the accused
`“content processor” (i.e., Insight Agent) “process[] content received over a network, the content
`including a call to a first function, and the call including an input.” ’154 Patent, cl. 1. The Insight
`Agent does not receive
`(i.e., the alleged “input”) over a network; rather, the Insight Agent
`generates
`. Ex. H, Mitz. Rep. ¶ 362; Ex. I, Mitz. Tr. 133:15-25.
`’289 Patent: Nexpose, Nexpose + Metasploit, AppSpider
`The asserted claims of the ’289 Patent require receiving an “input”. Then, “if the input
`includes a call to an original function”, the claims require an “input modifier” for “replacing the
`call to the original function with a corresponding call to a substitute function, the substitute
`function being operational to send the input for inspection.” D.I. 1-1, ’289 Patent, cl. 41. Finjan
`has not identified anything in a received “input” that is “replaced” by the accused products. Finjan
`also does not identify any “substitute function” that replaces “the call to the original function”
`within the received “input”, and that is “operational to send the input for inspection.”
`Finjan alleges that the claimed “input modifier” is the Nexpose Scan engine and AppSpider
`scan engine. Ex. H, Mitz. Rep. ¶¶ 531, 552. It is undisputed that the Nexpose and AppSpider scan
`engines can crawl web content, determine associated vulnerabilities, and send the results
`. The only mention in Dr. Mitzenmacher’s
`analysis of Nexpose of any alleged “substitute function being operational to send the input for
`inspection” is an unsupported statement that
`
` Id. at ¶¶ 531, 579. Finjan provides no evidence
` contain a “substitute function” or that they
`are “operational to send the input for inspection.” Instead,
`Indeed, Dr. Mitzenmacher agreed during his deposition
`
` Id. at 147:11-148:19. An expert’s
`unsupported restatement of claim language – which is all Finjan has here – is not a disputed fact.
`With respect to AppSpider, Dr. Mitzenmacher simply re-states the claim language in
`connection with a citation to a source code file, with no explanation as to how the source code file
`allegedly supports his restatement of the claim language. Ex. H, Mitz. Rep. ¶ 561. Again, this is
`not sufficient to create a factual dispute, as AppSpider likewise does not modify an input or use a
`“substitute function” “operational to send the input for inspection.”
`’918 Patent – Nexpose and AppSpider
`The asserted claims of the ’918 Patent require receiving “executable code (‘CODE-C’),
`where CODE-C includes (i) wrapper executable code (‘CODE-B’), (ii) potentially malicious
`executable code (‘CODE-A’), and (iii) information about a computer account for CODE-A.” D.I.
`1-1, ’918 Patent, cl. 22, 28, 33. “CODE-C” was construed as “combined code”. D.I. 123 at 2.
`In his expert report, Finjan’s Dr. Cole argues that CODE-C (i.e., “combined code”) is
`satisfied if two things are somehow “associated with one another”. Ex. F, Cole Rep. ¶¶ 694, 705,
`711; see also id. at ¶ 689 (“because the validation is associated with the Downloadable, together
`they form CODE-C”). However, during his deposition, he admitted that
`Ex. J, Cole Tr. 85:20-25. Finjan does not identify any two pieces
`of code that were put together as “CODE-C”, instead arguing that data that is “associated with”
`other data is good enough. However, an “association” between two things is not combining them.
`
`Very truly yours,
`
`/s/ Richard L. Renck
`Richard L. Renck (#3893)
`
`Counsel for Rapid7, Inc. and Rapid7 LLC
`
`RLR/chp
`Attachments
`
`