Finjan, Inc. v. Juniper Network, Inc.

UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA
Aug 24, 2018
No. C 17-05659 WHA (N.D. Cal. Aug. 24, 2018)

Opinion

FINJAN, INC., Plaintiff, v. JUNIPER NETWORK, INC., Defendant.


ORDER GRANTING IN PART EARLY MOTION FOR SUMMARY JUDGMENT ON '494 PATENT

INTRODUCTION

In this patent infringement action, each side moves for early summary judgment on one asserted claim among many. For the reasons stated below, patent owner's motion is GRANTED IN PART.

STATEMENT

1. THE '494 PATENT.

United States Patent No. 8,677,494 ("the '494 patent") relates to malware detection. It is generally directed to systems and methods for protecting devices from suspicious "Downloadables" — "an executable application program, which is downloaded from a source computer and run on the destination computer" (Dkt. No. 126 at 6). These Downloadables may be used to deliver malicious code without the user's knowledge.

Specifically, the '494 patent's claims involve three basic steps: (1) receive a Downloadable; (2) scan the Downloadable to generate security profile data ("Downloadable Security Profile (DSP) data"), which includes a list of suspicious computer operations that the Downloadable may attempt to perform; and (3) store the security profile in a database ('494 patent 21:20-25, 22:8-16).

2. OVERVIEW OF ACCUSED PRODUCTS.

A. SRX Gateways.

Juniper's SRX Gateways are network appliances and software that act as firewalls to protect a computer on a network from receiving malicious content. Once the SRX intercepts an incoming file, it determines whether it is a Downloadable type that should be analyzed (such as HTML, Microsoft documents, EXE files). If so, it then sends the entire file to the cloud-based Sky ATP for analysis.

B. Sky ATP.

Sky ATP is a cloud-based scanning system that inspects files with its "Malware Analysis Pipeline" to determine the threat level posed by the Downloadable. The Malware Analysis Pipeline in Sky ATP scans an unrecognized Downloadable using (1) a conventional antivirus check; (2) static analysis; and (3) dynamic analysis. Static analysis involves analyzing the Downloadable's contents without actually running the file. Dynamic analysis, on the other hand, analyzes the Downloadable's contents by executing and observing the file in a safe, simulated environment called a "sandbox." This multi-stage pipeline analysis renders a "verdict," i.e. how dangerous the file is, which is returned to the SRX the next time it encounters the Downloadable.

3. FINJAN'S MOTION ON CLAIM 10 OF THE '494 PATENT.

According to Finjan, Juniper infringes Claim 10 of the '494 patent because the accused products "receive Downloadables from servers on the Internet, scan these Downloadables using dynamic and static analysis to generate a behavioral profile, and store the resulting behavioral profile in a results database" (Dkt. No. 98 at 2).

Finjan now moves for summary judgment of direct infringement of Claim 10 based on (1) Juniper's SRX Gateways used in combination with Sky ATP; and (2) Sky ATP alone (Dkt. No. 98 at 1). Juniper opposes on three grounds: (1) non-infringement; (2) invalidity based on unpatentable subject matter and indefiniteness; and (3) Finjan's failure to mark (Dkt. No. 126 at 1-2). Discovery relating to this round of early summary judgment informed both sides how the accused system works. This order follows full briefing and oral argument.

ANALYSIS

1. LEGAL STANDARD.

Summary judgment is proper when there is no genuine dispute of material fact and the moving party is entitled to judgment as a matter of law. FRCP 56(a). A genuine dispute of material fact is one that "might affect the outcome of the suit under the governing law." Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 247-48 (1986). In deciding a motion for summary judgment, we must accept the non-movant's non-conclusory evidence and draw all justifiable inferences in its favor. Id. at 255.

2. INFRINGEMENT (OR NON-INFRINGEMENT).

Claim 10 states ('494 patent at 22:7-16) (emphasis added):

A system for managing Downloadables, comprising:

a receiver for receiving an incoming Downloadable;

a Downloadable scanner coupled with said receiver, for deriving security profile data for the Downloadable, including a list of suspicious computer operations that may be attempted by the Downloadable; and

a database manager coupled with said Downloadable scanner, for storing the Downloadable security profile data in a database.

To prove infringement, Finjan must show that Juniper's accused products meet each properly construed limitation of Claim 10 either literally or under the doctrine of equivalents. See Deering Precision Instruments, LLC v. Vector Distribution Sys., Inc., 347 F.3d 1314, 1324 (Fed. Cir. 2003). To establish literal infringement, all of the elements of the claim, as correctly construed, must be present in the accused products. TechSearch, LLC v. Intel Corp., 286 F.3d 1360, 1371 (Fed. Cir. 2002). Finjan may also establish infringement under the doctrine of equivalents by "showing that the difference between the claimed invention and the accused product [is] insubstantial," including "by showing on a limitation by limitation basis that the accused product performs substantially the same function in substantially the same way with substantially the same result as each claim limitation of the patented product." Crown Packaging Tech., Inc. v. Rexam Beverage Can Co., 559 F.3d 1308, 1312 (Fed. Cir. 2009).

To determine whether summary judgment of non-infringement (or infringement) is warranted, this order will first construe Claim 10 to determine its scope and then determine whether the properly construed Claim 10 reads on Juniper's accused products. See Pitney Bowes, Inc. v. Hewlett-Packard Co., 182 F.3d 1298, 1304 (Fed. Cir. 1999).

Claim terms "are generally given their ordinary and customary meaning," i.e., "the meaning that the term would have to a person of ordinary skill in the art in question at the time of the invention." Phillips v. AWH Corp., 415 F.3d 1303, 1312-13 (Fed. Cir. 2005). Claim construction examines the claim language itself, the specification, and, if in evidence, the prosecution history. Amgen Inc. v. Hoechst Marion Roussel, Inc., 314 F.3d 1313, 1324 (Fed. Cir. 2003). When legal "experts" offer views on claim construction that conflict with each other or with the patent itself, such conflict does not create a question of fact or relieve the court of its obligation to construe the claim according to the tenor of the patent. Markman v. Westview Instruments, Inc., 52 F.3d 967, 983 (Fed. Cir. 1995).

Here, the parties dispute the following terms: (1) "list of suspicious computer operations"; (2) "suspicious computer operations"; (3) "scanner"; and (4) "database manager." This order will construe these terms in deciding the issue of infringement.

A. "List of Suspicious Computer Operations."

This order construes the limitation "list of suspicious computer operations" as "list of computer operations in a received Downloadable that are deemed hostile or potentially hostile."

Significantly, the '494 patent is a continuation of United States patent application Serial No. 08/964,388, now United States Patent No. 6,092,194 (the '194 patent), entitled "System and Method for Protecting a Computer and a Network from Hostile Downloadables." The later '494 patent incorporated the '194 patent by reference. The '494 patent's specification itself provides no clarity as to the limitations at issue, so this order will look to the earlier '194 patent's specification for guidance.

The '194 patent uses, perhaps confusingly, the term "list" in multiple ways, two of which concern the dispute over the term "list of suspicious computer operations." For our immediate purposes, we must distinguish between a pre-existing master list of suspicious computer operations versus a shorter list of suspicious computer operations freshly derived from a specific Downloadable. This duality of usage within the specification has allowed each side to construe the list in Claim 10 in two different ways. This order, however, holds that the list of suspicious computer operations referenced in Claim 10 is one derived from the specific Downloadable under scrutiny.

The '194 patent specification further refers to two more lists — "a list of all files to be accessed by the Downloadable code" and an "access control list" ('194 patent at 5:53-54, 6:21) — but these lists do not contribute to the problem at hand.

Let's start with the pre-existing master list. As between the two patents, only the '194 patent discloses any embodiment for deriving security profile data. That embodiment is found in a description of Figure 7, which illustrates the process for decomposing a Downloadable to derive DSP data ('194 patent at 9:24-29) (emphasis added):

The code scanner . . . resolves a respective command in the machine code, and in step 715 determines whether the resolved command is suspicious (e.g., whether the command is one of the operations identified in the list described above with reference to [Figure] 3). . . . [I]f the code scanner in step 715 determines that the resolved command is suspect, then the code scanner 325 in step 720 decodes and registers the suspicious command . . . as DSP data.

FIG. 7

In essence, as described in Figure 7, the code scanner (1) "disassemble[s] the machine code of the Downloadable"; (2) "resolves a respective command in the machine code;" and (3) "determines whether the resolved command is suspicious" ('194 patent at 9:20-29). If the resolved command is determined to be suspicious, then the code scanner (4) "decodes and registers the suspicious command . . . as DSP data" (id. at 9:34-37).

In turn, a description of Figure 3 (which Figure 7 references) also includes the following example master list (id. at 5:58-6:4):

An Example List of Operations Deemed Potentially Hostile
File operations: READ a file, WRITE a file;
Network operations: LISTEN on a socket, CONNECT to a socket, SEND data, RECEIVE data, VIEW INTRANET;
Registry operations: READ a registry item, WRITE a registry item;
Operating system operations: EXIT WINDOWS, EXIT BROWSER, START PROCESS/THREAD, KILL A PROCESS/THREAD, CHANGE PROCESS/THREAD PRIORITY, DYNAMICALLY LOAD A CLASS/ LIBRARY, etc.; and
Resource usage thresholds; memory, CPU, graphics, etc.

Specifically, a code scanner may identify a computer operation as suspicious by checking whether it is on the master "list described above with reference to [Figure] 3" — which most conceivably refers to the disclosed "Example List of Operations Deemed Potentially Hostile."

The adjective "master" is the Court's own word choice, not the specification's, but it captures the function served by the passages just quoted.

The second list referenced in the specification is the shorter list compiled of suspicious operations derived only from a received Downloadable. In the preferred embodiment, that list is generated by comparing the operations in the Downloadable to the master list of suspicious operations. When there is a match, that specific operation goes on the second list.

The description of Figure 3 — which Figure 7 references in connection with determining whether a command within a Downloadable is suspicious — further includes the following embodiment ('194 patent at 5:50-54):

The code scanner 325 may generate the DSP data 310 as a list of all operations in the Downloadable code which could ever be deemed potentially hostile and a list of all files to be accessed by the Downloadable code.

For example, if the master list contains 200 commands, all predetermined as suspicious, the commands in the received Downloadable code would then be checked against this master list, resulting in a second list specific to the Downloadable based on the matched hits of, say, twenty commands.
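As an added illustration (not code from the order, the patents, or any accused product), the sketch below shows the distinction drawn above between the pre-existing master list and the shorter list derived for one Downloadable, followed by the storing step. It assumes operations have already been resolved to names; the SQLite table, the SHA-256 key and all sample inputs are constructed for the example.

```python
import hashlib
import json
import sqlite3

# Pre-existing master list, taken from the "Example List of Operations Deemed
# Potentially Hostile" quoted above. Composing it is the human, subjective step.
MASTER_LIST = {
    "file": {"READ a file", "WRITE a file"},
    "network": {"LISTEN on a socket", "CONNECT to a socket", "SEND data",
                "RECEIVE data", "VIEW INTRANET"},
    "registry": {"READ a registry item", "WRITE a registry item"},
    "os": {"EXIT WINDOWS", "EXIT BROWSER", "START PROCESS/THREAD",
           "KILL A PROCESS/THREAD", "CHANGE PROCESS/THREAD PRIORITY",
           "DYNAMICALLY LOAD A CLASS/LIBRARY"},
}


def derive_dsp(resolved_ops, master=MASTER_LIST):
    """Derive the per-Downloadable list: only operations that appear in this
    Downloadable AND are on the master list, in first-seen order."""
    lookup = {op: category for category, ops in master.items() for op in ops}
    seen, dsp = set(), []
    for op in resolved_ops:
        if op in lookup and op not in seen:  # objective membership check
            seen.add(op)
            dsp.append({"category": lookup[op], "operation": op})
    return dsp


def store_dsp(conn, downloadable, dsp):
    """Store an already-derived profile, keyed by the Downloadable's SHA-256
    (the key choice is an assumption of this example)."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS dsp ("
        "downloadable_id TEXT PRIMARY KEY, profile TEXT NOT NULL)"
    )
    downloadable_id = hashlib.sha256(downloadable).hexdigest()
    conn.execute(
        "INSERT OR REPLACE INTO dsp VALUES (?, ?)",
        (downloadable_id, json.dumps(dsp)),
    )
    conn.commit()
    return downloadable_id


def load_dsp(conn, downloadable_id):
    """Return the stored profile for a Downloadable, or None if absent."""
    row = conn.execute(
        "SELECT profile FROM dsp WHERE downloadable_id = ?", (downloadable_id,)
    ).fetchone()
    return json.loads(row[0]) if row else None


# Constructed sample: bytes standing in for a Downloadable, and the operation
# names a disassembler/resolver is assumed to have produced from it.
SAMPLE_DOWNLOADABLE = b"constructed sample downloadable bytes"
SAMPLE_RESOLVED_OPS = [
    "ALLOCATE memory", "READ a file", "CONNECT to a socket", "SEND data",
    "READ a file", "DRAW a window", "WRITE a registry item",
]


def demo():
    """Derive first, then store; return (derived list, list read back)."""
    conn = sqlite3.connect(":memory:")
    dsp = derive_dsp(SAMPLE_RESOLVED_OPS)
    key = store_dsp(conn, SAMPLE_DOWNLOADABLE, dsp)
    return dsp, load_dsp(conn, key)


if __name__ == "__main__":
    derived, stored = demo()
    for entry in derived:
        print(f'{entry["category"]:>8}: {entry["operation"]}')
    print("round trip matches:", derived == stored)
```

The master list is never written to the database; only the four matched operations for this one sample are stored.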

With at least two different "lists" in play in the specification, the question is then, which list does Claim 10 refer to? Reading the claim language and specification together as a whole, the claimed "list of suspicious computer operations" in Claim 10 refers to a list of computer operations found in the received Downloadable code that have been culled out as suspicious.

First, the Claim 10 language itself indicates a list derived for a specific Downloadable, not a pre-existing list. This is apparent when the limitation is read in the claim's context — "deriving security profile data for the Downloadable, including a list of suspicious computer operations that may be attempted by the Downloadable." The context of this language indicates that the list referenced in Claim 10 is tied to operations found within the Downloadable code. This reading is further supported by the term's parallel usage in Claim 1, which more clearly indicates that the "list of suspicious computer operations" is part of the security profile data derived specifically for a received Downloadable (see '494 patent at 21:20-23).

Second, the specification supports this construction. For example, the Downloadable security profile data, which includes the list at issue, is derived specifically for a received Downloadable. The specification says that the Downloadable's derived security profile data can then be compared against "the access control list" (yet another list), which "contains criteria indicating whether to pass or fail the Downloadable" ('194 patent at 6:13-23). While this important pass-fail step is not itself recited or reached in Claim 10, it illustrates that the "list of suspicious computer operations" within the Downloadable security profile data is necessarily limited to a specific Downloadable, not the pre-existing master list; otherwise, comparison with the access control list would be pointless. Moreover, the specification discloses that "the present invention may identify Downloadables that perform operations deemed suspicious" and that it "may examine the Downloadable code to determine whether the code contains any suspicious operations, and thus may allow or block the Downloadable accordingly" (id. at 2:32-37).

This order therefore mostly agrees with Finjan on this limitation, as the purpose of the Downloadable security profile data is to look at code within a received Downloadable and compile a list tailored to that file (see Tr. 99:6-9). It therefore rejects Juniper's assertion that Claim 10 includes both the pre-existing master list and the subset list of suspicious operations found in a Downloadable code (Tr. 100:19-102:4). In so arguing, Juniper embraces a construction of this limitation by a panel of the PTAB — "a list of all operations that could ever be deemed potentially hostile" — in Symantec Corporation & Blue Coat Systems LLC v. Finjan, Inc., IPR2015-01892, Paper No. 58 at 12 (P.T.A.B. Mar. 15, 2017) (Dkt. No. 126 at 11). The same PTAB panel affirmed this construction in Palo Alto Networks, Inc. & Blue Coat Systems LLC v. Finjan, Inc., IPR2016-00159, Paper No. 50 at 33-35 (P.T.A.B. Apr. 11, 2017). The panel based its construction on the aforementioned embodiment in the '194 patent included in the following description of Figure 3, "list of all operations in the Downloadable code which could ever be deemed potentially hostile" ('194 patent at 9:24-29). This construction, however, remains dictum, as the Board's decision did not ultimately turn on its adopted construction. See Symantec, IPR2015-01892 Paper No. 58 at 12. Anyway, this order disagrees with the panel's construction.

Using ellipses, Juniper justifies the panel's dictum by quoting "all operations . . . which could ever be deemed potentially hostile" from the aforementioned embodiment, this to assert that the claimed list must refer to a pre-existing master list. This, however, is a sleight of hand. Counsel's ellipses delete crucial limiting language, namely "in the Downloadable code," i.e., the '194 patent actually says "a list of all operations in the Downloadable code which could ever be deemed potentially hostile." Once this language is read in full without ellipses, the list refers to what is found within the four corners of the received Downloadable code. This cannot refer to the master list. The Court is disappointed that Juniper's counsel would use this sleight of hand. Once read in light of its true scope, this embodiment is fully consistent with this order's adopted construction. Nor would it necessarily violate, as Juniper argues, the principle that "a claim interpretation that excludes a preferred embodiment from the scope of the claim is rarely, if ever, correct." Accent Packaging, Inc. v. Leggett & Platt, Inc., 707 F.3d 1318, 1326 (Fed. Cir. 2013) (quoting On-Line Techs., Inc. v. Bodenseewerk Perkin-Elmer GmbH, 386 F.3d 1133, 1138 (Fed. Cir. 2004)).

This order finds that there is no genuine dispute that Juniper's accused products meet this limitation. The accused system's pre-existing master list, Juniper says, does not flag all operations that have been known to be suspicious or potentially hostile, including the example operation "CHANGE PROCESS/THREAD PRIORITY" given in the patent (Tr. 101:22-105:4; Dkt. No. 126 at 24-25). But as discussed above, the '494 patent does not claim the pre-existing list — it only claims the list of computer operations within a specific Downloadable deemed hostile or potentially hostile. Juniper's Malware Analysis Pipeline does compile a list of operations within a received Downloadable identified as hostile or potentially hostile (Dkt. No. 98, Exh. 11; Cole Decl. ¶¶ 34-37, 41). Juniper offers no evidence (under this order's construction) to the contrary.

Juniper's proposed construction would impose a seemingly impossible standard to meet. Juniper's proposed "list of all operations which could ever be deemed potentially hostile" would require a list of every operation (not just in the received Downloadable but in every possible Downloadable) that has been and could ever be used in a potentially hostile manner. As Juniper would have it, this list would have to be universally exhaustive and thus impossible to meet, for the imagination of hackers never sleeps in devising new ways to cheat.

For added clarity, this order therefore adopts Finjan's proposed construction with this modification, i.e., "list of computer operations in a received Downloadable that are deemed hostile or potentially hostile."

B. "Suspicious Computer Operations."

This order next rejects Juniper's contention that the term "suspicious" in this context is indefinite. "[A] patent is invalid for indefiniteness if its claims, read in light of the specification delineating the patent, and the prosecution history, fail to inform, with reasonable certainty, those skilled in the art about the scope of the invention." Nautilus, Inc. v. Biosig Instruments, Inc., 134 S. Ct. 2120, 2124 (2014). "Indefiniteness must be proven by clear and convincing evidence." Sonix Tech. Co., Ltd. v. Publications Int'l, Ltd., 844 F.3d 1370, 1377 (Fed. Cir. 2017). Here, Juniper fails to show by clear and convincing evidence that determining whether or not a computer operation is "suspicious" is subjective and thus inherently certain.

At issue here are essentially two distinct steps at which a computer operation is "deemed" suspicious. First, a human (say, a cyber security engineer) decides which computer operations, known to be capable of performing in a hostile manner (such as a WRITE command), to put on the pre-existing master list. This step necessarily requires that the human deem — this is the subjective part — an operation suspicious. Second, the patented system deems (or not) a computer operation in a received Downloadable code suspicious by checking it against the master list. If it's on the master list, too bad — it's suspicious. If it's not, great, it's not suspicious.

Once a human composes the master list, the subjective part is over. That part is not covered by the patent. All that is covered is the comparison. This is objective because the operation is either on the master list or not.

Juniper contends that the term "suspicious" is inherently subjective because "there is no standard or commonly accepted list of 'suspicious' computer operations" and that it requires a subjective determination (Dkt. No. 126 at 9-10). It further points to Finjan's statement in the Symantec IPR proceeding that "there is no a priori understanding of what constitutes a 'suspicious computer operation.' " See Symantec, IPR2015-01892 Paper No. 58 at 9. Juniper (and Finjan) is right in arguing that there is no a priori understanding of "suspicious," as the patent itself describes legitimate operations such as WRITE commands as "potentially hostile" (Dkt. No. 126 at 9-10; '194 patent at 5:59).

But this allegedly subjective inquiry happens in the first step as the master list is being compiled. That this initial determination by a human that an operation is suspicious may be an inherently subjective exercise, as argued by Juniper, is irrelevant to the definiteness of Claim 10. That step, important as it may be, is not part of the claimed invention.

Again, what is claimed is the objective second step, where an operation found in an incoming Downloadable is deemed suspicious because that operation had been included in the master list (see '194 patent at 5:59). As such, Juniper's reliance on Interval Licensing LLC v. AOL, Inc., 766 F.3d 1364, 1371-74 (Fed. Cir. 2014), Datamize, LLC v. Plumtree Software, Inc., 417 F.3d 1342 (Fed. Cir. 2005), and International Test Solutions, Inc. v. Mipox International Corporation, No. C 16-00791 RS, 2017 WL 1367975, at *4 (N.D. Cal. Apr. 10, 2017) (Judge Richard Seeborg), is unavailing. Those decisions involved "facially subjective" limitations that "provide[d] little guidance" on its own ("unobtrusive manner" in Interval Licensing, 766 F.3d at 1371-74) or were "completely dependent on a person's subjective opinion" ("aesthetically pleasing" in Datamize, 417 F.3d at 1350).

Here, on the other hand, "suspicious" as claimed and described in the specification is sufficiently definite such that a person of ordinary skill in the art can apply the claim language with reasonable certainty. Nautilus, 134 S. Ct. at 2124. As Finjan points out, a person of ordinary skill in the art "would be able to apply the claim language" by observing whether an accused system uses a pre-existing master list of computer operations "deemed hostile or potentially hostile to create a Downloadable security profile that includes a list of operations that were deemed suspicious according to the rules of the system" (Dkt. No. 184 at 5-6). Accordingly this order finds that Juniper fails to show by clear and convincing evidence that this limitation is indefinite.

Note well that in saving this claim from indefiniteness by excluding the master list from the invention, Finjan has made the claim even more abstract than before — a problem we will address below.

C. "Scanner."

Based on the claim language and specification of the '494 and '194 patents, this order mostly agrees with Finjan and therefore adopts its proposed construction, with modification. This order construes "scanner" as "software that searches code to identify suspicious patterns or suspicious computer operations."

Finjan requests judicial notice of Finjan, Inc. v. Cisco Systems, Inc., No. C 17-00072 BLF, 2018 WL 3537142 (N.D. Cal. July 23, 2018), where Judge Beth Freeman (who presided over the Blue Coat, 2015 WL 363000 decision both parties rely on) construed the same limitation. A court may judicially notice a fact that is not subject to reasonable dispute because it "can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned." FRE 201(b). Accordingly, Finjan's request for judicial notice is GRANTED.

The Claim 10 language and the '194 patent's specification describe the role of the "code scanner" as deriving or resolving the Downloadable Security Profile data of a received Downloadable ('494 patent at 22:9-10; '194 patent at 5:41-42). The '194 patent specification further explains that the code scanner "determines whether the resolved command is suspicious" and "may search the code for any pattern, which is undesirable or suggests that the code was written by a hacker" ('194 patent at 5:54-57; 9:24-26). The specification thus supports this order's construction of Claim 10's scanner as software searching code to identify suspicious patterns or suspicious computer operations, whether static or dynamic.

This order rejects Juniper's attempt to construe this limitation as "a static analyzer that uses parsing techniques to decompose the code." Juniper concentrates its fire on an embodiment in the '194 specification, which describes a "code scanner" that "uses conventional parsing techniques to decompose the code . . . of the Downloadable into the DSP data" ('194 patent at 5:42-45) (emphasis added). "While claims are to be interpreted in light of the specification . . . it does not follow that limitations from the specification may be read into the claims." Comark Comm'ns, Inc. v. Harris Corp., 156 F.3d 1182, 1186 (Fed. Cir. 1998). Further, courts are "cautioned against limiting the claimed invention to preferred embodiments or specific examples in the specification." Texas Instruments, Inc. v. United States Int'l Trade Comm'n, 805 F.2d 1558, 1563 (Fed. Cir. 1986). In fact, the '194 patent elsewhere describes other embodiments of the code scanner, such as "disassembling machine code" ('194 patent at 9:23-24), which renders Juniper's construction too narrow.

Juniper points to Finjan's arguments in Symantec Corporation v. Finjan, Inc., IPR2015-01892, Paper 27 at 29 (P.T.A.B. June 21, 2016) (Patent Owner Response) to set up a disclaimer. To distinguish an earlier particular reference, which had described dynamic analysis, Finjan argued that the reference taught against the use of scanners (Dkt. No. 126 at 8, Exh. 12 at 29). By implication, Juniper asserts Finjan conceded that anything using dynamic analysis cannot be a scanner within the meaning of Claim 10. That is, Juniper posits, Finjan disclaimed the use of a dynamic analyzer as the claimed scanner. This chain of inferences, however, is insufficient to establish disclaimer by Finjan. Even recognizing that "applicants rarely submit affirmative disclaimers," a prosecution disclaimer still requires "clear and unambiguous disavowal of claim scope." Saffran v. Johnson & Johnson, 712 F.3d 549, 559 (Fed. Cir. 2013) (citations omitted). The prior statement in question made by Finjan did not purport to limit the claim language itself, but rather purported to explain away a prior art reference. Even if we held Finjan to its statement that the reference taught against use of scanners, and even if the reference did use "dynamic analysis," Juniper cites no Federal Circuit authority holding that a patent owner's statement that a reference taught away from a claim limitation rises to the level of disclaimer as to claim scope. Therefore, given that the standard for finding a disclaimer is "demanding," this order is unwilling to hold that "scanner" excludes dynamic analysis. Avid Tech., Inc. v. Harmonic, Inc., 812 F.3d 1040, 1045 (Fed. Cir. 2016).

Under the adopted construction of "scanner," i.e. "software that searches code to identify suspicious patterns or suspicious computer operations," this order finds that Juniper's accused products meet this limitation. Finjan argues that Juniper's SRX Gateways with Sky ATP, and Sky ATP alone — which includes the Malware Analysis Pipeline involving both static and dynamic analyzers — constitute a Downloadable "scanner" (Dkt. No. 98 at 20). The evidence shows that the Malware Analysis Pipeline indeed generates a threat level "verdict" by searching a received Downloadable's code to identify suspicious operations or patterns (Cole Decl. ¶ 35; Dkt. No. 154, Exh. 5 at 121:11-22). Juniper does not dispute that it meets this limitation under this order's construction and thus does not point to any evidence in the record to the contrary. Accordingly, this order finds that Juniper's accused products meet this limitation.

D. "Database Manager."

This order adopts Juniper's proposed construction, "a program or programs that control a database so that the information it contains can be stored, retrieved, updated and sorted," which comes verbatim from Finjan's own explanation of this limitation in a former IPR proceeding.

Specifically, Juniper's proposed construction comes from Finjan itself in Palo Alto Networks, Inc. & Blue Coat Systems LLC v. Finjan, Inc., IPR2016-00159, Paper No. 50 at 49 (P.T.A.B. Apr. 11, 2017). To overcome prior art, Finjan explicitly stated that a person of ordinary skill in the art "would 'understand[] the term "database manager" to mean "a program or programs that control a database so that the information it contains can be stored, retrieved, updated and sorted.' " Id. at 49 (alteration in original) (citing Patent Owner's Response, Paper 17 at 43-44 (Aug. 12, 2016)). Now Finjan tries to walk back its previous statements, asserting that the plain and ordinary meaning already includes Juniper's interpretation such that Juniper's proposed construction adds unnecessary limitations. This order finds, however, that Finjan's statement in the IPR proceeding amounted to a clear and unmistakable disavowal of claim scope. Saffran, 712 F.3d at 559. Finjan itself defined this limitation in order to avoid invalidation and is now stuck with it.

Nevertheless, there is no genuine dispute that the accused system meets this limitation. Sky ATP stores results in three different storage solutions provided by Amazon: (1) DynamoDB, (2) S3, and (3) MySQL (Dkt. No. 126 at 26). ResultsDB management is an interface overlaying these three storage components. Juniper contends that its ResultsDB management does not constitute a "database manager." Rather, it asserts, Amazon, which runs the underlying storage components (i.e., DynamoDB, S3, and MySQL), acts as the "database manager" and controls its own storage products (Dkt. No. 126 at 32; Rubin ¶ 84). And, because ResultsDB is merely an interface, Juniper argues, it cannot directly sort data contained within DynamoDB or S3 and thus does not meet the proper construction.

This order disagrees. First, Juniper's assertion that ResultsDB is "just an interface" and that Amazon controls its databases is belied by its expert, who testified that ResultsDB indeed makes the determination of whether a result is stored in DynamoDB or S3 (Dkt. No. 154, Exh. 5 at 140:4-20). Second, Juniper's attempt to require that a database manager sort data directly within a database is unpersuasive, at least on this record. The construction "a program or programs that control a database so that the information it contains can be . . . sorted" simply requires that the database manager have the capability to sort the information contained within a database; it does not indicate where that information must be sorted. Here, Juniper admits that "ResultsDB can retrieve data from DynamoDB or S3 and then sort the data that was retrieved" (Dkt. No. 126 at 32) (emphasis in original). That "the data actually stored in DynamoDB or S3 remains as is" is irrelevant for the purposes of this construction (see ibid.). This order therefore finds that ResultsDB meets this limitation.

E. "Database."

Both parties agree to construe "database" as "a collection of interrelated data organized according to a database schema to serve one or more applications" (Dkt. No. 126 at 6). Unfortunately, this "stipulation" has led to satellite litigation over its meaning, so the stipulation has done no good.

Finjan points to Juniper's ResultsDB, which allegedly refer "both to the software components of Sky ATP that manage the results" and the "underlying databases that physically store the results for future use" (Dkt. No. 98 at 21, Exh. 11; Cole Decl. ¶¶ 57-61). This, Finjan argues, is the "database" where results of the Malware Analysis Pipeline are stored. Juniper responds that ResultsDB is simply an interface to the three underlying databases and is thus not a true database itself (Dkt. No. 126 at 27, Exh. 3 at 56:25-57:8; 55:13-25). The parties further dispute whether ResultsDB or DynamoDB are organized according to a "database schema" (Dkt. Nos. 97-30, 126 at 27-28; Rubin Decl. ¶¶ 61-66; Cole Decl. ¶¶ 64, 66), and whether the three storage components are "interrelated" (Dkt. Nos. 98 at 22, 126 at 29-30; Cole Decl. ¶ 59 Rubin Decl. ¶ 68). The parties also dispute whether ResultsDB functions as a database under the doctrine of equivalents.

The Court has tried hard to understand the record submitted as to whether the accused system includes a "database" within the meaning of Claim 10. Factual disputes regarding whether ResultsDB constitutes a "database" — either literally or under the doctrine of equivalents — while thin, preclude a determination one way or the other on the record provided with the degree of certainty required for summary judgment, particularly when viewing the record in the light most favorable to Juniper. This issue will have to be tried to a jury. The Court will postpone any further claim construction on this limitation until the jury is instructed so that the Court will have the benefit of the trial record before construing the term.

F. Deriving Downloadable Security Profile Before Storing.

This order generally agrees with Juniper that Claim 10 includes a timing requirement, i.e., the list of suspicious computer operations cannot be simultaneously derived and stored in a database. It disagrees, however, with Juniper's interpretation of this timing requirement.

In IPR2015-01892, Finjan distinguished the prior art by asserting that the '494 patent required "storing the [Downloadable security profile] data in a database" to be construed such that it is clear "the [Downloadable security profile] data is only placed in the database upon derivation of the profile, including the list of suspicious computer operations" (Dkt. No. 126, Exh. 12 at 16). "Deriving" and "storing" the Downloadable security profile data therefore are separate steps.

Juniper contends Sky ATP does not meet the claim element "a database manager coupled with said Downloadable scanner, for storing the Downloadable security profile data in a database" because it stores the Downloadable security profile data before the alleged list of suspicious computer operations is derived (Dkt. No. 126 at 33). Specifically, Juniper contends it does not infringe because results from the Malware Pipeline Manager's multiple analysis engines (the static and dynamic analyzers) — each of which separately analyzes files — are stored at different times, depending on when the engine finishes its analysis (and thus the Downloadable security profile data is built up iteratively) (Dkt. No. 126 at 33-34; Rubin ¶¶ 91-93). This order disagrees. The claim language and Finjan's argument in the IPR proceeding do not require that the Downloadable security profile data, including the list of suspicious computer operations, be fully derived before they are stored in a database. In other words, Claim 10 does not require the entire Downloadable security profile be derived before any security profile data (e.g. a suspicious computer operation) is stored in a database.

3. VALIDITY (OR INVALIDITY).

Juniper argues that Claim 10 is invalid under Section 101 for failing to meet the two-part Alice test. Under well-established Supreme Court precedent, laws of nature, natural phenomena, and abstract ideas remain patent-ineligible under Section 101. See, e.g., Ass'n for Molecular Pathology v. Myriad Genetics, Inc., 569 U.S. 576, 589 (2013) (citations and quotations omitted). The Supreme Court has set forth a two-step "framework for distinguishing patents that claim laws of nature, natural phenomena, and abstract ideas from those that claim patent-eligible applications of those concepts." Under this framework, a court must first "determine whether the claims at issue are directed to one of those patent-ineligible concepts." If so, then the court must further "consider the elements of each claim both individually and 'as an ordered combination' to determine whether the additional elements 'transform the nature of the claim' into a patent-eligible application." Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 134 S. Ct. 2347, 2355 (2014) (quoting Mayo Collaborative Servs. v. Prometheus Labs., Inc., 566 U.S. 66 (2012)).

A. Alice Step One.

At step one, courts must first examine the "patent's 'claimed advance' to determine whether the claims are directed to an abstract idea." Finjan, Inc. v. Blue Coat Systems, Inc., 879 F.3d 1299, 1303 (Fed. Cir. 2018). "[T]he first step in the Alice inquiry . . . asks whether the focus of the claims is on the specific asserted improvement in computer capabilities . . . or, instead, on a process that qualifies as an 'abstract idea' for which computers are invoked merely as a tool." Enfish, LLC v. Microsoft Corp., 822 F.3d 1327, 1335-36 (Fed. Cir. 2016).

This order agrees with Juniper that Claim 10 of the '494 patent is directed to an abstract idea. It broadly claims the fundamental practice of collecting data, analyzing data, and storing results, a concept that is inherently needed for virtually any variation of data analysis, storage, and retrieval. See Intellectual Ventures I LLC v. Symantec Corp., 838 F.3d 1307, 1318 (Fed. Cir. 2016) (citing Alice, 134 S.Ct. at 2356).

Finjan, Inc. v. Blue Coat Systems, Inc., 879 F.3d 1299 (Fed. Cir. 2018), is distinguishable. There, the United States Court of Appeals for the Federal Circuit held United States Patent No. 6,154,844 ("the '844 patent") patent eligible under step one due to the patent's "behavior-based" approach to virus scanning. Id. at 1304. Representative Claim 1 of the '844 patent "scans a downloadable and attaches the virus scan results to the downloadable in the form of a newly generated file: a 'security profile that identifies suspicious code in the received Downloadable.' " Ibid. The appellate court held that this "behavior-based" virus scan that analyzed a downloadable's code was a non-abstract improvement on traditional, "code-matching" virus scans, which "simply look for the presence of known viruses."

Here, on the other hand, the '494 patent has a different focus. Claim 10 does not recite "a new kind of file," i.e. a security profile, "that enables a computer security system to do things it could not do before." See Blue Coat, 879 F.3d at 1305. Rather, Claim 10 recites deriving "security profile data." Ultimately, the thrust of Claim 10 is on analyzing a file and extracting information — which, once washed of its technological context, is merely an abstract idea. See Intellectual Ventures I LLC v. Symantec Corp., 838 F.3d 1307, 1314 (Fed. Cir. 2016) (claims involving filtering email for spam and viruses held directed to an abstract idea).

Unlike the '844 patent, which recites attaching the security profile to the Downloadable before allowing the file to reach a user (which added a "protective step"), Claim 10 of the '494 patent does not itself recite any step beyond the mere identification of suspicious operations within a received Downloadable (and then storing the information somewhere). See Finjan, Inc. v. Blue Coat Sys., LLC, No. C 15-03295 BLF, 2016 WL 7212322, at *10 (N.D. Cal. Dec. 13, 2016) (Judge Beth Labson Freeman). It stops short of claiming any non-fundamental, routine step, such as comparing the security profile with the access control list or any kind of protective measure. As such, Claim 10 is directed to an abstract idea rather than an improvement on computer functionality. This finding is in line with rulings made by two other courts in our district. Id. at *9-10; Finjan, Inc. v. Sophos, Inc., 244 F. Supp. 3d 1016, 1059-1060 (N.D. Cal. 2017) (Judge William H. Orrick).

B. Alice Step Two.

The Supreme Court has described step two as "a search for an inventive concept — i.e., an element or combination of elements that is sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself." Alice, 134 S. Ct. at 2355 (quotations and citation omitted) (emphasis added). Juniper contends that Claim 10 of the '494 patent contains no inventive concept sufficient to transform its patent-ineligible subject matter into a patentable invention under Alice step two.

At this juncture, this order will postpone reaching the issue of whether Claim 10 survives under Alice step two. Rather, the Court will wait to have the benefit of the trial record before determining whether Claim 10 contains an inventive concept such that it is patent eligible.

4. SECTION 287.

Juniper further alleges that Finjan is not entitled to summary judgment on its infringement claim on the now-expired '494 patent because it has not met its burden of showing compliance with Section 287's marking requirements.

Section 287 "advises a patent owner to mark his patented article with a notice of his patent rights. Failure to do so limits his recovery of damages to the period after the infringer receives notice of the infringement." Motorola, Inc. v. United States, 729 F.2d 765, 768 (Fed.Cir. 1984) (citing 35 U.S.C. § 287). Moreover, Section 287 is "a limitation on damages, and not an affirmative defense." Arctic Cat Inc. v. Bombardier Recreational Prod. Inc., 876 F.3d 1350, 1366 (Fed. Cir. 2017) (citations omitted) (emphasis added). Accordingly, this order declines to reach the issue of marking on Finjan's motion for summary judgment of infringement. A jury will have to decide.

CONCLUSION

For the foregoing reasons, Finjan's motion for summary judgment is GRANTED IN PART. In sum, the following issues will be decided at trial: (1) whether the accused products meet the "database" limitation; (2) Juniper's Section 101 invalidity defense; (3) Juniper's Section 287 defense on damages; and (4) the extent of damages. A separate order will address the trial schedule. Please, we will have no more motion practice directed to Claim 10.

IT IS SO ORDERED. Dated: August 24, 2018.

/s/_________

WILLIAM ALSUP

UNITED STATES DISTRICT JUDGE

