Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 1 of 46
`
`
`PAUL ANDRE (State Bar No. 196585)
`pandre@kramerlevin.com
`LISA KOBIALKA (State Bar No. 191404)
`lkobialka@kramerlevin.com
`JAMES HANNAH (State Bar No. 237978)
`jhannah@kramerlevin.com
`KRAMER LEVIN NAFTALIS & FRANKEL LLP
`990 Marsh Road
`Menlo Park, CA 94025
`Telephone: (650) 752-1700
`Facsimile: (650) 752-1800
`
`Attorneys for Plaintiff
`FINJAN, INC.
`
`
`IN THE UNITED STATES DISTRICT COURT
`
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`SAN JOSE DIVISION
`
`FINJAN, INC., a Delaware Corporation,
`
`
`
`
`
`
`Plaintiff,
`
`v.
`
`
`CISCO SYSTEMS, INC., a California
`Corporation,
`
`
`Defendant.
`
`
`
`
`
`
`Case No.: 5:17-CV-00072-BLF
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`DEMAND FOR JURY TRIAL
`
`
`
`____________________________________________________________________________________
`SECOND AMENDED COMPLAINT FOR
`CASE NO. 5:17-CV-00072-BLF
`PATENT INFRINGEMENT
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 1
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 2 of 46
`
`
`SECOND AMENDED COMPLAINT FOR PATENT INFRINGEMENT
`
`Plaintiff Finjan, Inc. (“Finjan”) files this First Amended Complaint for Patent Infringement and
`
`Demand for Jury Trial against Cisco Systems, Inc. (“Defendant” or “Cisco”) and allege as follows:
`
`THE PARTIES
`
`1.
`
`Finjan is a Delaware Corporation, with its principal place of business at 2000 University
`
`Avenue, Suite 600, E. Palo Alto, California 94303.
`2.
`
`Cisco is a California Corporation with its principal place of business at 170 West
`
`Tasman Drive, San Jose, California 95134. Cisco may be served through its agent for service of
`
`process CSC at 2710 Gateway Oaks Dr. Ste. 150N, Sacramento, California 95833.
`
`JURISDICTION AND VENUE
`
`3.
`
`This action arises under the Patent Act, 35 U.S.C. § 101 et seq. This Court has original
`
`jurisdiction over this controversy pursuant to 28 U.S.C. §§ 1331 and 1338.
`4.
`5.
`
`This Court has personal jurisdiction over Cisco. Upon information and belief, Cisco
`
`Venue is proper in this Court pursuant to 28 U.S.C. §§ 1391(b) and (c) and/or 1400(b).
`
`does business in this District and have, and continues to, infringe and/or induce the infringement in this
`
`District. In addition, the Court has personal jurisdiction over Cisco because minimum contacts have
`
`been established with the forum and the exercise of jurisdiction would not offend traditional notions of
`
`fair play and substantial justice.
`
`INTRADISTRICT ASSIGNMENT
`
`6.
`
`Pursuant to Local Rule 3-2(c), Intellectual Property Actions are assigned on a district-
`
`wide basis.
`
`FINJAN’S INNOVATIONS
`
`7.
`
`Finjan was founded in 1997 as a wholly-owned subsidiary of Finjan Software Ltd., an
`
`Israeli corporation. In 1998, Finjan moved its headquarters to San Jose, California. Finjan was a
`
`pioneer in developing proactive security technologies capable of detecting previously unknown and
`
`emerging online security threats recognized today under the umbrella of “malware.” These
`
`technologies protect networks and endpoints by identifying suspicious patterns and behaviors of
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`1
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 2
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 3 of 46
`
`
`content delivered over the Internet. Finjan has been awarded, and continues to prosecute, numerous
`
`patents covering innovations in the United States and around the world resulting directly from Finjan’s
`
`more than decades-long research and development efforts, supported by a dozen inventors, and over
`
`$65 million in R&D investments.
`8.
`
`Finjan built and sold software, including application program interfaces (APIs), and
`
`appliances for network security using these patented technologies. These products and related
`
`customers continue to be supported by Finjan’s licensing partners. At its height, Finjan employed
`
`nearly 150 employees around the world building and selling security products and operating the
`
`Malicious Code Research Center through which it frequently published research regarding network
`
`security and current threats on the Internet. Finjan’s pioneering approach to online security drew
`
`equity investments from two major software and technology companies, the first in 2005, followed by
`
`the second in 2006. Finjan generated millions of dollars in product sales and related services and
`
`support revenues through 2009 when it spun off certain hardware and technology assets in a merger.
`
`Pursuant to this merger, Finjan was bound to a non-compete and confidentiality agreement, under
`
`which it could not make or sell a competing product or disclose the existence of the non-compete
`
`clause. Finjan became a publicly traded company in June 2013, capitalized with $30 million. After
`
`Finjan’s obligations under the non-compete and confidentiality agreement expired in March 2015,
`
`Finjan re-entered the development and production sector of secure mobile products for the consumer
`
`market.
`9.
`
`On November 28, 2000, U.S. Patent No. 6,154,844 (“the ‘844 Patent”), titled SYSTEM
`
`AND METHOD FOR ATTACHING A DOWNLOADABLE SECURITY PROFILE TO A
`
`DOWNLOADABLE, was issued to Shlomo Touboul and Nachshon Gal. A true and correct copy of
`
`the ‘844 Patent is attached to this Complaint as Exhibit 1 and is incorporated by reference herein.
`10.
`
`All rights, title, and interest in the ‘844 Patent have been assigned to Finjan, who is the
`
`sole owner of the ‘844 Patent. Finjan has been the sole owner of the ‘844 Patent since its issuance.
`11.
`
`The ‘844 Patent is generally directed towards computer networks, and more
`
`particularly, provides a system that protects devices connected to the Internet from undesirable
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`2
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 3
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 4 of 46
`
`
`operations from web-based content. One of the ways this is accomplished is by linking a security
`
`profile to such web-based content to facilitate the protection of computers and networks from
`
`malicious web-based content.
`12.
`
`On October 12, 2004, U.S. Patent No. 6,804,780 (“the ‘780 Patent”), titled SYSTEM
`
`AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE
`
`DOWNLOADABLES, was issued to Shlomo Touboul. A true and correct copy of the ‘780 Patent is
`
`attached to this Complaint as Exhibit 2 and is incorporated by reference herein.
`13.
`
`All rights, title, and interest in the ‘780 Patent have been assigned to Finjan, who is the
`
`sole owner of the ‘780 Patent. Finjan has been the sole owner of the ‘780 Patent since its issuance.
`14.
`
`The ‘780 Patent is generally directed towards methods and systems for generating a
`
`Downloadable ID. By generating an identification for each examined Downloadable, the system may
`
`allow for the Downloadable to be recognized without reevaluation. Such recognition increases
`
`efficiency while also saving valuable resources, such as memory and computing power.
`15.
`
`On January 12, 2010, U.S. Patent No. 7,647,633 (“the ‘633 Patent”), titled
`
`MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS, was issued
`
`to Yigal Mordechai Edery, Nimrod Itzhak Vered, David R. Kroll, and Shlomo Touboul. A true and
`
`correct copy of the ‘633 Patent is attached to this Complaint as Exhibit 3 and is incorporated by
`
`reference herein.
`16.
`
`All rights, title, and interest in the ‘633 Patent have been assigned to Finjan, who is the
`
`sole owner of the ‘633 Patent. Finjan has been the sole owner of the ‘633 Patent since its issuance.
`17.
`
`The ‘633 Patent is generally directed towards computer networks and, more
`
`particularly, provides a system that protects devices connected to the Internet from undesirable
`
`operations from web-based content. One of the ways this is accomplished is by determining whether
`
`any part of such web-based content can be executed and then trapping such content and neutralizing
`
`possible harmful effects using mobile protection code.
`18.
`
`On March 20, 2012, U.S. Patent No. 8,141,154 (“the ‘154 Patent”), titled SYSTEM
`
`AND METHOD FOR INSPECTING DYNAMICALLY GENERATED EXECUTABLE CODE, was
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`3
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 4
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 5 of 46
`
`
`issued to David Gruzman and Yuval Ben-Itzhak. A true and correct copy of the ‘154 Patent is attached
`
`to this Complaint as Exhibit 4 and is incorporated by reference herein.
`19.
`
`All rights, title, and interest in the ‘154 Patent have been assigned to Finjan, who is the
`
`sole owner of the ‘154 Patent. Finjan has been the sole owner of the ‘154 Patent since its issuance.
`20.
`
`The ‘154 Patent is generally directed towards a gateway computer protecting a client
`
`computer from dynamically generated malicious content. One way this is accomplished is to use a
`
`content processor to process a first function and invoke a second function if a security computer
`
`indicates that it is safe to invoke the second function.
`21.
`
`On March 18, 2014, U.S. Patent No. 8,677,494 (“the ‘494 Patent”), titled MALICIOUS
`
`MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS, was issued to Yigal
`
`Mordechai Edery, Nimrod Itzhak Vered, David R. Kroll, and Shlomo Touboul. A true and correct
`
`copy of the ‘494 Patent is attached to this Complaint as Exhibit 5 and is incorporated by reference
`
`herein.
`
`22.
`
`All rights, title, and interest in the ‘494 Patent have been assigned to Finjan, who is the
`
`sole owner of the ‘494 Patent. Finjan has been the sole owner of the ‘494 Patent since its issuance.
`23.
`
`The ‘494 Patent is generally directed towards a method and system for deriving security
`
`profiles and storing the security profiles. The claims generally cover deriving a security profile for a
`
`downloadable, which includes a list of suspicious computer operations, and storing the security profile
`
`in a database.
`
`CISCO
`
`24.
`
`Cisco makes, uses, sells, offers for sale, and/or imports into the United States and this
`
`District products and services that utilize Cisco’s Advanced Malware Protection (“AMP”), Cisco
`
`Collective Security Intelligence (“CCSI”), Cisco Outbreak Filters, Talos Security Intelligence and
`
`Research Group (“Talos”), and AMP Threat Grid technologies, including Cisco AMP for Endpoints,
`
`Cisco AMP for Networks (also referred to by Cisco as “NGIPS”), Cisco AMP for ASA with
`
`FirePOWER Services, Cisco AMP Private Cloud Virtual Appliance, Cisco AMP for CWS, ESA, or
`
`WSA, Cisco AMP for Meraki MX, Cisco AMP Threat Grid (collectively, “Accused AMP Products”).
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`4
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 5
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 6 of 46
`
`
`See https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/advanced-malware-
`
`protection/at-a-glance-c45-731876.pdf, attached hereto as Exhibit 6.
`25.
`
`Cisco AMP for Endpoint products operate on multiple operating systems, including
`
`Windows, Mac OS, Linux, and Android, as described in
`
`http://www.cisco.com/c/en/us/products/collateral/security/fireamp-endpoints/datasheet-c78-
`
`733181.html, attached hereto as Exhibit 7.
`26.
`
`Cisco AMP for Networks products include AMP7150, AMP8050, AMP8150,
`
`AMP8350, AMP8360, AMP8370, and AMP8390, as described in
`
`http://www.cisco.com/c/en/us/products/collateral/security/amp-appliances/datasheet-c78-733182.html,
`
`attached hereto as Exhibit 8.
`27.
`
`Cisco AMP for ASA with FirePOWER Services products include Cisco ASA 5506-X,
`
`Cisco ASA 5506W-X, Cisco ASA 5506H-X, Cisco ASA 5508-X, Cisco ASA 5516-X, Cisco ASA
`
`5512-X, Cisco ASA 5515-X, Cisco ASA 5525-X, Cisco ASA 5545-X, Cisco ASA 5555-X, Cisco
`
`ASA 5585-X SSP-10, Cisco ASA 5585-X SSP-20, Cisco ASA 5585-X SSP-40, Cisco ASA 5585-X
`
`SSP-60, Cisco ASA 5585-X SSP EP 10/40, and Cisco ASA 5585-X SSP EP 20/60, as described in
`
`http://cisco-apps.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-
`
`firewalls/datasheet-c78-733916.html, attached hereto as Exhibit 9.
`28.
`
`Cisco AMP Private Cloud Virtual Appliance products are AMP Private Cloud 2.0, as
`
`described in http://www.cisco.com/c/en/us/products/collateral/security/fireamp-private-cloud-virtual-
`
`appliance/datasheet-c78-733180.html, attached hereto as Exhibit 10.
`29.
`
`Cisco AMP for CWS includes Cloud Web Security Essentials, Cloud Web Security
`
`Premium license, Advanced Threat Detection, Cisco AMP license, and Web Security bundle, as
`
`described in http://www.cisco.com/c/en/us/products/collateral/security/cloud-web-
`
`security/data_sheet_c78-729637.html, attached hereto as Exhibit 11.
`30.
`
`Cisco AMP for ESA products include ESA C690, ESA C690X, ESA C680, ESA C390,
`
`ESA C380, ESA C190, ESA C170, ESAV C100v, ESAV C300v, ESAV C600v, SMA
`
`M690/690X/680, SMA M390/380 and SMA M190/170, as described in
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`5
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 6
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 7 of 46
`
`
`http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/data-sheet-c78-
`
`729751.html, attached hereto as Exhibit 12.
`31.
`
`Cisco AMP for WSA products include S690, S690X, S680, S390, S380, S190, S170,
`
`WSAV S000v, WSAV S100v, WSAV S300v, M680, M380, and M170, as described in
`
`http://www.cisco.com/c/en/us/products/collateral/security/content-security-management-
`
`appliance/datasheet-c78-729630.html, attached hereto as Exhibit 13.
`32.
`
`Cisco AMP for Meraki MX is included with Meraki MX products that have the MX
`
`Advanced Security License, including MX64, MX64W, MX65, MX65W, MX84, MX100, MX400,
`
`MX600, as described in http://blogs.cisco.com/security/cisco-meraki-mx-with-amp-threat-grid,
`
`https://meraki.cisco.com/products/appliances#models and
`
`https://meraki.cisco.com/amp?utm_source=overview%20features&utm_medium=overview&utm_cam
`
`paign=AMP%20launch%202016, attached hereto as Exhibits 14-16.
`33.
`
`Cisco AMP Threat Grid products include Cisco AMP Threat Grid 5000, Cisco AMP
`
`Threat Grid 5500, AMP Threat Grid portal, and AMP Threat Grid dynamic analysis, as described in
`
`http://www.cisco.com/c/en/us/products/collateral/security/amp-threat-grid-appliances/datasheet-c78-
`
`733667.html and http://www.cisco.com/c/en/us/products/collateral/security/amp-threat-grid-
`
`cloud/datasheet-c78-733495.html, attached hereto as Exhibits 17-18.
`34.
`
`In addition, Cisco makes, has made, uses, sells, offers for sale, and/or imports into the
`
`United States and this District the Talos service that detects, analyzes and protects against both known
`
`and emerging threats, utilizing systems that create threat intelligence for Cisco products (collectively,
`
`“Accused Talos Service”), as described in http://blogs.cisco.com/author/talos, attached hereto as
`
`Exhibit 19.
`35.
`
`Further, Cisco makes, has made, uses, sells, offers for sale, and/or imports into the
`
`United States and this District products and services that utilize Cisco’s Outbreak Filters (also known
`
`as IronPort Outbreak Filters) with Talos, including Cisco’s ESA appliances: ESA C690, ESA C690X,
`
`ESA C680, ESA C390, ESA C380, ESA C190, ESA C170, ESAV C100v, ESAV C300v, ESAV
`
`C600v, SMA M690/690X/680, SMA M390/380 and SMA M190/170 (collectively, “Accused
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`6
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 7
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 8 of 46
`
`
`Outbreak Filter Products”), as described in
`
`http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/data-sheet-c78-
`
`729751.html, attached hereto as Exhibit 20.
`
`Talos
`
`36.
`
`Talos Security Intelligence and Research Group (“Talos”) was created by combining
`
`SourceFire’s Vulnerability Research Team, the Cisco Threat Research and Communications group,
`
`and the Cisco Security Applications Group. Talos is also a part of the Cisco Security Intelligence
`
`Operations (“SIO”) and primary member of Cisco’s Collective Security Intelligence ecosystem
`
`(“CSI”). Talos detects and correlates threats in real time using a threat detection network spanning
`
`web, email, malware samples, open source data sets, endpoint intelligence, and network intrusions.
`
`Talos encompasses five key areas, including Detection Research, Threat Intelligence, Engine
`
`Development, Vulnerability Research and Development, and Outreach. Detection Research consists of
`
`vulnerability and malware analyses that lead to the development of detection content for all Cisco’s
`
`security products. Threat Intelligence consists of correlating and tracking threats in order to turn
`
`attribution information into actionable threat intelligence. Engine Development ensures various
`
`inspection engines stay current and maintain their ability to detect and address emerging threats.
`
`Vulnerability Research and Development develops ways to identify “Zero-Day” security issues on
`
`platforms and operating systems.
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`7
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 8
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 9 of 46
`
`
`
`
`See http://www.talosintelligence.com/files/about/Talos_WhitePaper.v3.20160507.pdf, attached hereto
`
`as Exhibit 21.
`
`37.
`
`SIO is an advanced security infrastructure that provides threat identification, analysis,
`
`and mitigation to continuously provide security for Cisco customers. Cisco devices, whether on
`
`premise or cloud appliance based, act as the enforcement points in this ecosystem – they use Cisco SIO
`
`filters and reputation data to block or allow traffic. The devices also contribute threat intelligence and
`
`data back into Cisco SIO. Cisco SIO’s dynamic updates deliver current and complete security
`
`information to Cisco customers and devices.
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`8
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 9
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 10 of 46
`
`
`See http://blogs.cisco.com/ciscoit/cisco-security-intelligence-operations-defense-in-depth, attached
`
`hereto as Exhibit 22.
`38.
`
`As shown below, the Talos service includes advanced and dynamic analyses.
`
`
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`9
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 10
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 11 of 46
`
`
`
`
`See http://ciscoday.me/pdf/Cisco%20AMP%20Sasa%20Milic%20Asseco.pdf, attached hereto as
`
`Exhibit 23.
`
`AMP
`
`39.
`
`Cisco AMP uses Cisco’s Collective Security Intelligence cloud to obtain real-time file
`
`dispositions across multiple attack vectors, like web and email. This includes using Cisco Talos to
`
`push threat intelligence to the AMP network. Known malicious files are blocked from reaching their
`
`target systems. Files with an unknown dispositions are automatically submitted to the Threat Grid
`
`threat intelligence and malware analysis engine for analyses. A threat score is computed for analyzed
`
`files and a detailed threat report from Threat Grid is available to aid in decision making. AMP has
`
`many variations, including AMP for Endpoints, AMP for Networks, AMP for Firewalls, AMP for ISR,
`
`AMP for Web, AMP for E-mail, AMP Private Cloud Virtual Appliance, and Threat Grid.
`40.
`
`Additionally, the Cisco AMP solution uses an extensive infrastructure of sandboxes to
`
`analyze hundreds of thousands of files each day. The Cisco sandboxes detonate files in a safe
`
`environment and record its actions. This analysis results in a detained report about the file’s
`
`disposition (including details regarding major indicators of malicious behavior), potential impact on an
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`10
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 11
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 12 of 46
`
`
`environment, suspicious activity, dynamically linked libraries, indicators of compromise, network
`
`activity, and files that may have spawned or dropped.
`
`See http://s2.q4cdn.com/230918913/files/doc_presentations/doc_events/David-
`
`Goeckeler_Cisco_Live-Investor_6_8_15_v10_post-legal.pdf, attached hereto as Exhibit 24.
`
`
`
`
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`11
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 12
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 13 of 46
`
`
`See https://www.cisco.com/web/offer/emear/38586/images/Presentations/P17.pdf, attached hereto as
`
`Exhibit 25.
`
`Threat Grid
`
`41.
`
`AMP Threat Grid (both Cloud and Appliance), which crowd sources malware and
`
`analyzes all samples using proprietary, utilizes highly secure techniques that include static and
`
`dynamic (sandboxing) analysis. AMP Threat Grid analyzes suspicious behavior against more than
`
`450 behavioral indicators. It correlates the results with hundreds of millions of other analyzed
`
`malware to provide a global view of malware attacks, campaigns, and their distributions. This ability
`
`helps analysts effectively defend against both targeted attacks and the broader threats from advanced
`
`malware. AMP Threat Grid’s detailed reports include the identification of important behavioral
`
`indicators and the assignment of threat scores. Using the behavioral indicators, AMP Threat Grid
`
`determines whether a sample is malicious, suspicious, or benign, and why.
`
`See http://www.cisco.com/c/dam/global/da_dk/assets/pdfs/AMP-Threat-Grid.pdf, attached hereto as
`
`Exhibit 26.
`
`
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`12
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 13
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 14 of 46
`
`
`
`
`See http://www.cisco.com/c/dam/global/en_ca/assets/pdfs/amp-everywhere-deployment-infographic-
`
`white.pdf, attached hereto as Exhibit 27.
`
`Outbreak Filters
`
`42.
`
`Cisco Outbreak Filters protect systems against new outbreaks of viruses and other
`
`malware delivered via attachments by scanning uniform resource locators (“URLs”) and processing
`
`them in real time—as the user opens them—to block malicious sites. The Cisco Outbreak Filters can
`
`also rewrite URLs. Additionally, these filters send data about the websites to Talos to protect all users
`
`of Cisco security products, including Cisco’s firewall, web security, and intrusion prevention products.
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`13
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 14
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 15 of 46
`
`
`
`
`See http://www.cisco.com/c/en/us/products/collateral/security/email-security-
`
`appliance/white_paper_c11-684611.html at 2, attached hereto as Exhibit 28.
`43.
`
`Cisco Outbreak Filters use deep content analysis via Outbreak Intelligence processes
`
`that look for malicious web content. The content is scanned using multiple proprietary scanning
`
`engines for Flash, Java, PDF, archives, executables, file anomalies and more. Additionally, virtual
`
`script emulation is used where the script is run within the cloud infrastructure allowing for monitoring
`
`of malicious behavior such as a hidden redirect or drive-by download. If malicious behavior is
`
`detected, the script is blocked, preventing it from passing onto the end user.
`
`CISCO’S INFRINGEMENT OF FINJAN’S PATENTS
`
`44.
`
`Cisco has been and is now infringing, and will continue to infringe the ‘844 Patent, the
`
`‘780 Patent, the ‘633 Patent, the ‘154 Patent, and the ‘494 Patent (collectively “the Patents-In-Suit”) in
`
`this judicial District and elsewhere in the United States by, among other things, making, using,
`
`importing, selling, and/or offering for sale the claimed system and methods on the Accused AMP
`
`Products, Accused Talos Service, and Accused Outbreak Filter Products.
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`14
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 15
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 16 of 46
`
`
`45.
`
`In addition to directly infringing the Patents-In-Suit pursuant to 35 U.S.C. § 271(a),
`
`either literally or under the doctrine of equivalents, or both, Cisco indirectly infringe all the Patents-In-
`
`Suit by instructing, directing and/or requiring others, including its customers, purchasers, users, and
`
`developers, to perform all or some of the steps of the method claims, either literally or under the
`
`doctrine of equivalents, or both, of the Patents-In-Suit.
`46.
`
`In addition, Cisco has willfully infringed each of the Patents-in-Suit. Cisco had
`
`knowledge of each of the Patents-in-Suit before this lawsuit was filed and has engaged in egregious
`
`behavior warranting enhanced damages.
`47.
`
`Finjan and Cisco’s relationship dates back over two decades. Throughout the years,
`
`until the time that Cisco began infringing Finjan’s patents, Cisco and Finjan maintained an amicable
`
`relationship and consistently collaborated together on cybersecurity. In the late 1990’s, the parties
`
`entered into an original equipment manufacturer agreement that allowed Cisco to incorporate Finjan’s
`
`technology into Cisco’s products. As early as this time, Cisco saw the value of Finjan’s technology.
`
`Cisco explicitly acknowledged in a 1997 Fortune Magazine article that “discussions with Finjan
`
`brought it to the ‘watershed decision’ to include content inspection in its security products,” and that
`
`Cisco has “very high regard for Finjan and its technology.”
`48.
`
`Beginning as early as 2004, Cisco made multiple substantial financial investments in
`
`Finjan. At the time of these investments, Cisco knew of Finjan’s patent portfolio and patented
`
`technology. For example, on or about June 2, 2004, Finjan and Cisco entered into a Series D Preferred
`
`Stock Purchase Agreement, which specifically identified and described the ‘844 Patent and the
`
`application that resulted in the ‘780 Patent. Thus, Cisco knew of the ‘844 Patent and the pending
`
`application for the ‘780 Patent at least as early as June 2, 2004. The same agreement authorized Cisco
`
`to send one non-voting representative to all Finjan Board of Directors meetings. As a further example,
`
`on or about November 14, 2008, Finjan and Cisco entered into a Series E Preferred Stock Purchase
`
`Agreement, which specifically identified and described the ‘844 and ‘780 Patents and the application
`
`that resulted in the ‘633 Patent. Thus, Cisco knew of the ‘780 Patent and the pending application for
`
`the ‘633 Patent at least as early as November 14, 2008.
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`15
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 16
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 17 of 46
`
`
`49.
`
`Cisco continued to gain knowledge about Finjan and its patents and patented technology
`
`after investing in Finjan. For example, in or around December 2006, Finjan gave a presentation to
`
`Cisco titled “Introducing Finjan Vital Security” that discussed Finjan’s patents and described in detail
`
`the technology covered by the ‘844 and ‘780 Patents and Finjan’s products that practiced that
`
`technology. Furthermore, in or around 2005, Cisco had an observer, Cisco’s then-Vice President of
`
`Corporate Development, Yoav Samet, attend Finjan’s board of director meetings during which
`
`Finjan’s patents, technology and business were discussed.
`50.
`
`In addition, since at least June 2013 when Finjan became a public company, Cisco has
`
`been a Beneficial Owner of Finjan, owning 7.5% of Finjan Holdings, Inc.’s common stock and holding
`
`voting power continuously. Thus, Cisco has further gained knowledge of Finjan’s patents as a
`
`Beneficial Owner. For example, Cisco has known of the ‘633 Patent and ‘154 Patent since at least on
`
`or about March 14, 2014, when Finjan Holdings, Inc. published its Annual Report for investors, which
`
`included Cisco. This Annual Report specifically identified and described the ‘844 Patent, ‘780 Patent,
`
`‘633 Patent and ‘154 Patent and the pending lawsuits Finjan had filed against third parties for
`
`infringement of these patents. Cisco has also had knowledge of the ‘494 Patent since at least on or
`
`about May 8, 2014 when Finjan Holdings, Inc. published its Quarterly Report for investors, which
`
`included Cisco. This Quarterly Report specifically identified and described the ‘844 Patent, ‘780
`
`Patent, ‘633 Patent, ‘154 Patent and ‘494 Patent and the pending lawsuits Finjan had filed against third
`
`parties for infringement of these patents.
`51.
`
`Despite the foregoing knowledge of the ‘844, ‘780, ‘633, ‘154 and ‘494 Patents and the
`
`technology covered by these patents, and despite a high likelihood that its actions constituted
`
`infringement of these patents, Cisco proceeded to and continued to infringe these patents. Specifically,
`
`Cisco acquired technology that infringes each of the Patents-in-Suit from Sourcefire, Inc.
`
`(“SourceFire”) in or around October 2013, integrated that company’s appliances and technology into
`
`its own product lines and has continued with its infringing conduct since that time. Also, at least as
`
`early as March 2012, Cisco integrated into its products Outbreak Filters, which infringe the ‘154
`
`Patent, and has continued with its infringing conduct since.
`
`SECOND AMENDED COMPLAINT FOR
`PATENT INFRINGEMENT
`
`16
`
`CASE NO. 5:17-CV-00072-BLF
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Patent Owner Finjan, Inc. - Corrected Ex. 2018, p. 17
`
`

`

`Case 5:17-cv-00072-BLF Document 55 Filed 07/07/17 Page 18 of 46
`
`
`52.
`
`Cisco’s infringement of the ‘844 Patent, ‘780 Patent, ‘633 Patent, ‘154 Patent and ‘494
`
`Patent is egregious. Cisco and Finjan had been in a long and extensive collaborative working
`
`relationship for almost twenty years during which Cisco had “very high regard for Finjan and its
`
`technology.” As described above, from at least as early as 2004 until 2014, Cisco gained knowledge of
`
`each of the Patents-in-Suit and the technology they cover. Based on information obtained from Finjan
`
`concerning Finjan’s patents and technology, Cisco continuously invested in Finjan since at least as
`
`early as 2004. Finjan and Cisco maintained an amicable and collaborative relationship over the course
`
`of these years, in which Cisco’s representative even attended multiple Finjan board meetings where
`
`Finjan’s information, includi