Finjan, Inc. v. Blue Coat Sys., LLC

283 F. Supp. 3d 839

• Court: District Court, N.D. California
• Decided: July 28, 2017
• Docket: Case No. 15–cv–03295–BLF
• Status: Published

Opinion

BETH LABSON FREEMAN, United States District Judge

Before the Court are the parties' respective motions for summary judgment. Plaintiff Finjan, Inc. ("Finjan") seeks summary judgment that Defendant Blue Coat Systems, Inc.'s ("Blue Coat") Internet security software products infringe one of its patents and that several of its patents are not invalid. Blue Coat seeks summary judgment that certain of its products do not infringe several of Finjan's patents. After careful consideration, Finjan's Motion for Summary Judgment is GRANTED IN PART and DENIED IN PART and Blue Coat's Motion for Summary Judgment is GRANTED IN PART and DENIED IN PART.

I. BACKGROUND

A. The Technology and the Asserted Patents

Finjan asserts ten patents against Blue Coat: U.S. Patent No. 8,677,494 ("the '494 patent") ; U.S. Patent No. 8,566,580 ("the '580 patent") ; U.S. Patent No. 8,079,086 ("the '086 patent") ; U.S. Patent No. 8,225,408 ("the '408 patent") ; U.S. Patent No. 6,154,844 ("the '844 patent") ; U.S. Patent No. 6,965,968 ("the '968 patent") ; U.S. Patent No. 7,418,731 ("the '731 patent") ; U.S. Patent No. 9,141,786 ("the '786 patent") ; U.S. Patent No. 9,189,621 ("the '621 patent") ; and U.S. Patent No. 9,219,755 ("the '755 patent") (collectively, "the Asserted Patents"). Broadly speaking, the patents relate to two technology areas: (1) content-based security, and (2) secure sockets layer ("SSL") communication.

i. Content-Based Security

At a high level, content-based security identifies, isolates, and neutralizes actually or potentially malicious code in files downloaded from the Internet based on the detected behavior and characteristics of the code in those files, rather than scanning and maintaining a list of known viruses and actual malicious code signatures.

The '844 patent claims a system and methods of network protection where an inspector reviews a "Downloadable" for suspicious code or behavior according to a set of rules. '844 patent, col. 2 ll. 3-19. A *845"Downloadable" is "an executable application program, which is downloaded from a source computer and run on the destination computer." ECF 180 at 1. The inspector generates a profile characterizing the areas of suspicion and then attaches that profile to the Downloadable. Id. By providing verifiable profiles, the object of the invention is to provide flexible, efficient protection against known and unknown hostile Downloadables without having to re-inspect the same Downloadable each time. Id. , col. 2 l. 61-col. 3 l. 7.

The '494 patent also relates to inspecting a "Downloadable" for suspicious behavior. '494 patent, Abstract. Its claims, however, are directed to a narrower aspect of this, which involve the solution of: (1) intercepting an incoming Downloadable; (2) scanning the Downloadable and deriving "security profile data," which includes "a list of suspicious computer operations that may be attempted by the Downloadable;" and (3) storing the "security profile data" in a "database." Id. , col. 21 l. 20, col. 22 l. 8.

The '086 patent also concerns a discrete aspect of inspecting a "Downloadable" for suspicious behavior. '086 patent, Abstract. Similar to the '494 patent, its claims recite (1) receiving an incoming Downloadable and (2) scanning it and deriving "security profile data," which includes "a list of suspicious computer operations that may be attempted by the Downloadable." Id. , col. 22 ll. 9-15. However, instead of storing the "security profile data" in a database, the '086 patent claims "transmitting the Downloadable and a representation of the Downloadable security profile data to a destination computer." Id. , col. 22 ll. 16-20.

The '731 patent describes systems and methods of operating computer and network gateways that protect an intranet of computers. '731 patent, Abstract. The claimed inventions provide for caching of security information and policies at the gateway. Id. This caching of specific types of security profiles and security policies mitigates network latency-delay in the transmission of data-caused when the gateway processes downloadable information to protect intranet devices. Id. , col. 1 ll. 55-67.

The '968 patent is directed to policy-based caching, and more specifically to the management of multiple caches. '968 patent, Abstract. Content from the Internet can be cached so that the same web page does not have to be retrieved each time a user on the network requests the page. See id. , col. 3 ll. 34-40. However, users on the same network can also have different security policies-sets of rules that govern whether a file is allowed through the security filter. Id. , col. 4 ll. 14-19. The '968 patent provides a system and method of managing cached content in relation to multiple security policies by, inter alia, providing a "policy-based index ... indicating allowability of cached content relative to a plurality of policies" that can be easily utilized by a cache manager to determine whether cached content is allowable for different requesting users. Id. , col. 1 l. 63-col. 2 l. 11.

The '786 patent provides systems and methods for protecting devices on an internal network from code, applications, and/or information downloaded from the Internet that performs malicious operations. '786 patent, Abstract. At a high level, the disclosed embodiments describe a protection engine that generally resides on a network server and inspects incoming downloads for executable code. Id. , col. 2 l. 20-col. 3 l. 4. Upon detection of executable code, the protection engine deploys "mobile protection code" ("MPC") and protection policies to the download destination. Id. , col. 3 ll. 5-21. MPC is "code that, at runtime, monitors or intercepts actually or potentially malicious code operations." ECF 180 at 1;

*846see also Blue Coat I , ECF 118 at 5. At the destination, the downloadable-information is executed, typically within a sandboxed environment, and malicious or potentially malicious operations that run or attempt to run are intercepted and neutralized by the MPC according to set protection policies. Id. , col. 3 ll. 22-40.

The '621 and '755 patents relate to the use of operating system probes to monitor the behavior of a system during runtime. '621 patent, col. 21 ll. 33-53; '755 patent, col. 22 ll. 30-63. Certain detected information or operations can be compared against a security policy and, as appropriate, trigger responsive action. Id.

The '408 patent is directed towards using a "parse tree" to scan content to detect malicious code, known as exploits. '408 patent, Abstract. A "parse tree" is "a hierarchical structure of interconnected nodes built from scanned content." ECF 180 at 2. When the system of the '408 patent receives an incoming stream of content to be scanned, it sequentially reads in tokens¹ from the stream, organizes the tokens into a parse tree, and analyzes the tree to determine if it contains any patterns/structures that indicate the existence of an exploit. See generally '408 patent, col. 6 l. 14-col. 9 l. 58. To do this, it uses tokenizer, parser, and analyzer components which are specific to a particular "programming language" or "content language." Id. , col. 2 ll. 8-13, col. 6 ll. 17-26. This allows the '408 patent to provide "a multitude of content scanners within a unified framework." Id. , col. 15 ll. 41-43.

ii. Secure Sockets Layer ("SSL") Communication

SSL is a protocol that is used to send encrypted, secure communications between a client and a server. Id ., col. 1 ll. 10-12. In order to set up a secure SSL connection, the client and the server must first perform a series of initial exchanges, commonly referred to as the "SSL handshake." Ex. 5 to Blue Coat Mot. at BC2-0024371, ECF 225-5; Ex. 21 to Blue Coat Mot. at 16:11-19:15, ECF 226-24; Ex. 17 to Finjan Opp. at BC2-0778678, ECF 240-26. The handshake begins when the client sends a request to initiate an SSL connection, or a "client hello." Id. The server then sends the client a certificate verifying its identity and the server's public key, which the client can use to encrypt the information it sends to the server. Id. The encrypted information can be decrypted by a private key, which only the server knows. Id. After this exchange of information, the client and server share an SSL connection because the client can send encrypted information (using the server's public key) which only the server knows how to de-crypt. See id.

The '580 patent relates to methods and systems for efficiently providing an SSL connection between a client and server where one or several intermediate gateway computers lie in the transmission path. '580 patent, Abstract. Prior art solutions enabled SSL communication between a client and a server in these networks by maintaining an SSL connection at every step in the transmission chain:²

*847Id. , Fig. 1(c), col. 1 ll. 21-37. Unfortunately, the additional SSL connections meant "additionally degrade[d] performance and cause[d] additional latency."Id. , col. 1 ll. 35-37.

The '580 patent purports to solve this problem by "splitting" the SSL connection between the client and the server, so that the client and the server can communicate using SSL without requiring an SSL connection throughout: Id. , Fig. 2., col. 3 l. 62-col. 4 l. 5.

Setting up this split SSL connection works as follows: a client sends a request to initiate an SSL connection (i.e., a "client hello"), which gets received by the next computer in the chain, the first security computer. Id. , col. 4 ll. 36-38, col. 5 ll. 28-30. The first security computer passes this request to the intermediate third party gateway computer, which passes it to the second security computer, which passes it to the server. Id. , col. 4 ll. 37-57, col. 5 ll. 30-64. Once the server receives the request, it responds with its certificate (which includes its public key). Id. , col. 4 ll. 57-60, col. 5 ll. 64-67. This response is received by the second security computer, which passes it to the third party gateway computer, which passes it to the first security computer. Id. , col. 4 l. 65-col. 5 l. 2; col. 6 ll. 24-27. (Specifically, the second security computer does this by appending the server certificate attributes to a header in a CONNECT reply message, which it sends to the third party gateway computer, which the sends it to the first security computer. Id. , col. 4 l. 60-col. 5 l. 1, col. 6 ll. 12-14.) The first security computer then creates its own "proxy signed certificate" "using the attributes of the server certificate" with its own public key, and then passes it off to the client. Id. , col. 5 ll. 3-10, col. 6 ll. 36-40.

The end result is a system that, in operation, works as follows: the client will encrypt information using the first security computer's public key (received from the "proxy signed certificate"). See id. The first security computer will then decrypt that information and re-encrypt it with the server's public key. See id. , col. 4 l. 65-col. 5 l. 2; col. 6 ll. 24-27. This encrypted information will then be passed to the third party gateway computer, which passes it to the second security computer, which passes it to the server. See id. , col. 4 ll. 57-60, col. 5 ll. 64-67. The server will then decrypt it using its private key. See id. Thus, even though there is an intermediate third party gateway computer, information is only encrypted with a recipient's *848public key twice-hence, only two SSL connections. See id. , col. 1. l. 65-col. 2 l.4.

A final aspect of this system is that the first security computer maintains a cache of the server certificates it receives, so that the second security computer does not always have to send server certificates to the first security computer. Id. , col. 5 ll. 14-16. During the SSL handshake, when the client sends a request to initiate an SSL connection with a specific server and that request is first received by the first security computer, the first security computer will check its certificate cache to see if it already has a certificate for that server. Id. , col. 5 ll. 30-33. If it does, it will append a "fingerprint or hash of the certificate server" to the SSL connection request that it sends (directly or indirectly through third party gateway computer(s)) to the second security computer. Id. , col. 5 ll. 33-39. The second security computer will then also generate a "fingerprint or hash" of the server it receives from the certificate and check to see if it matches what it received from the first security computer. Id. , col. 6 ll. 3-8. If it does, the second security computer will skip the step of appending the server's certificate to its reply message. Id. , col. 6 ll. 17-19. If it does not, the second security computer will send the server's certificate to the first security computer, as described above. Id. , col. 6 ll. 8-14. The first security computer will then use this information to update its certificate cache, as necessary. Id. , col. 6 ll. 28-35.

B. Accused Products

Finjan accuses Blue Coat's ProxySG, Content Analysis System ("CAS"), Advanced Secure Gateway ("ASG"), Web Security Service ("WSS"), SSL Visibility Appliance ("SSLV"), Malware Analysis Appliance ("MAA"), and WebPulse service of infringing various claims of the asserted patents. ProxySG is a proxy server that provides, among other things, web security through policy control. CAS is a content inspection appliance that ProxySG can use for additional analysis of files. ASG is a single appliance that combines the functionality of ProxySG and CAS. WSS is a product that combines the functionality of ProxySG and CAS as a web-hosted service.

SSLV is a stand-alone appliance that performs SSL inspection, decryption, and management. It can be deployed by itself in a network or in-line with other appliances, such as a ProxySG. Finjan accuses a configuration where SSLV is deployed in-line with ProxySG of infringing the '580 patent.

MAA is an appliance that provides a customizable sandboxing environment. It can integrate with CAS (which, in turn, can integrate with ProxySG) or ASG. Finjan accuses a combination of ProxySG, CAS, and MAA, as well as a combination of ASG and MAA, of infringing the '844, '731, '968, '494, '621, '755, and '786 patents. Blue Coat also offers MAA functionality as a cloud-based service, referred to as MAS, which can be used in conjunction with WSS. Finjan accuses a combination of WSS and MAS of infringing the '844, '731, '968, '086, '494, '621, and '755 patents.

WebPulse is a cloud-based infrastructure that categorizes web pages and runs background processes, some of which look for evidence of malware activity. It is provided as part of Blue Coat's Global Intelligence Network ("GIN"), which is an umbrella name for Blue Coat's suite of intelligence services. WebPulse contains a real-time content analyzer component called the Dynamic Real-Time Rating ("DRTR") service. WebPulse or "WebPulse/GIN," either alone or in combination with WSS, is accused of infringing all of the Asserted Patents except for the '580 patent.

*849As helpfully provided by the parties, the following chart illustrates the patents, asserted claims, and accused products and product combinations at issue:

Patent Asserted Claims Accused Products '844 1, 7.15 WebPulse/GIN, WSS with WebPulse/GIN, WSS with ALAS: ASG with MAA. SA with MAA '731 1, 2 ASG with MAN, WSS with WebPulse/GIN, WSS with MAS '968 1 ASG with MAA, WSS with WebPulse/GIN, WSS with MAS '986 24 WebPulse/GIN, WSS with WebPulse/GIN, WSS with MAS, SA with MAA '494 10, 14, 16 WebPulse/GIN, WSS with WebPulse/GIN, WSS with MAS: ASG with MAA, ProxySG and CAS with MAA; SA with MAA '621 1, 10 WebPulse/GIN, WSS with MAS; ProxySG and CAS with MAA, ASG with MAA '755 3 ProxySG and CAS with MAA, ASG with MAA '786 1 WebPulse/GIN, WSS with MAS, ProxySG and CAS with MAA, ASG with MAA '580 1 SSLVA with ProxySG '408 22 WebPulse, WSS with WebPulse

C. Procedural History

The parties in this dispute are neither unfamiliar with each other nor this Court. On August 28, 2013, Finjan initiated a first patent infringement action, Case No. 5:13-CV-03999-BLF ("Blue Coat I "), against Blue Coat, alleging that Blue Coat infringed the '844, '968, and '731 patents, as well as U.S. Patent Nos. 6,804,780 ("the '780 patent"), 7,058,822 ("the '822 patent"), and 7,647,633 ("the '633 patent"). The parties tried all six patents before a jury who, on August 4, 2015, found that Blue Coat infringed the '844, '968, '731, '633, and '780 patents and awarded Finjan a total of $39,528,487 in lump-sum damages. Blue Coat I , ECF 438 at 2-3, 6-7. The Court entered final judgment on July 18, 2016. Blue Coat I , ECF 556.

On July 7, 2015, five days before the beginning of trial in Blue Coat I , Finjan initiated the instant suit. ECF 1. The parties have amended their pleadings several times. ECF 39, 46, 47, 62, 63, 65, 155, 161, 171.

On July 28, 2016, ten days after the Court entered final judgment in Blue Coat I , Finjan moved for a preliminary injunction, seeking to enjoin Blue Coat's alleged infringement of the '494 patent through the DRTR component. ECF 71. The Court denied Finjan's motion. ECF 149. On September 16, 2016, Blue Coat moved for judgment on the pleadings that the '494 patent was invalid for failure to claim patent-eligible subject matter under 35 U.S.C. § 101. ECF 104. The Court also denied that motion. ECF 156.

On January 31, 2017, the parties filed a joint stipulation notifying the Court that they had resolved all pending claim construction disputes and stipulating to certain agreed-upon constructions for six terms. ECF 175. The Court granted the parties' stipulation. ECF 178. The parties have since filed a further stipulation stating that they agree that certain additional terms should be given their plain and ordinary meaning. ECF 270.

The parties filed the instant motions for summary judgment on May 17, 2017. ECF 224, 228. The Court heard argument on June 22, 2017. ECF 273.

*850II. LEGAL STANDARDS

Federal Rule of Civil Procedure 56 governs motions for summary judgment. Summary judgment is appropriate if the evidence and all reasonable inferences in the light most favorable to the nonmoving party "show that there is no genuine issue as to any material fact and that the moving party is entitled to a judgment as a matter of law." Celotex Corp. v. Catrett , 477 U.S. 317, 322, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986). The current version of Rule 56 authorizes a court to grant "partial summary judgment" to dispose of less than the entire case and even just portions of a claim or defense. See Fed. R. Civ. P. advisory committee's note, 2010 amendments; Ochoa v. McDonald's Corp. , 133 F.Supp.3d 1228, 1232 (N.D. Cal. 2015). As such, a court can, "when warranted, selectively fillet a claim or defense without dismissing it entirely." Id.

The moving party "bears the burden of showing there is no material factual dispute," Hill v. R+L Carriers, Inc. , 690 F.Supp.2d 1001, 1004 (N.D. Cal. 2010), by "identifying for the court the portions of the materials on file that it believes demonstrate the absence of any genuine issue of material fact." T.W. Elec. Serv. Inc. v. Pac. Elec. Contractors Ass'n , 809 F.2d 626, 630 (9th Cir. 1987). In judging evidence at the summary judgment stage, the Court "does not assess credibility or weigh the evidence, but simply determines whether there is a genuine factual issue for trial." House v. Bell, 547 U.S. 518, 559-60, 126 S.Ct. 2064, 165 L.Ed.2d 1 (2006). A fact is "material" if it "might affect the outcome of the suit under the governing law," and a dispute as to a material fact is "genuine" if there is sufficient evidence for a reasonable trier of fact to decide in favor of the nonmoving party. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986).

Where the moving party will have the burden of proof on an issue at trial, it must affirmatively demonstrate that no reasonable trier of fact could find other than for the moving party. Celotex , 477 U.S. at 325, 106 S.Ct. 2548 ; Soremekun v. Thrifty Payless, Inc., 509 F.3d 978, 984 (9th Cir. 2007). Once the moving party meets its initial burden, the nonmoving party must set forth, by affidavit or as otherwise provided in Rule 56, "specific facts showing that there is a genuine issue for trial." Liberty Lobby, 477 U.S. at 250, 106 S.Ct. 2505 (internal quotation marks omitted). If the nonmoving party's "evidence is merely colorable, or is not significantly probative, summary judgment may be granted." Id. at 249-50, 106 S.Ct. 2505 (internal citations omitted). Mere conclusory, speculative testimony in affidavits and moving papers is also insufficient to raise genuine issues of fact and defeat summary judgment. See Thornhill Publ'g Co. v. GTE Corp., 594 F.2d 730, 738 (9th Cir.1979). For a court to find that a genuine dispute of material fact exists, "there must be enough doubt for a reasonable trier of fact to find for the [non-moving party]." Corales v. Bennett , 567 F.3d 554, 562 (9th Cir. 2009).

III. FINJAN'S MOTION

Finjan seeks summary judgment that WebPulse/GIN and certain combinations of gateway products-(1) ProxySG and CAS with MAA and (2) ASG with MAA-infringe claim 10 of the '494 patent. Finjan also seeks summary judgment that its patents are not invalid³ because:

*851(1) Blue Coat did not challenge the validity of the '731 and '580 patents in its expert reports; (2) Blue Coat is estopped under 35 U.S.C. § 315(e)(2) from challenging the validity of the '494 and '408 patents ; (3) Blue Coat is estopped from challenging the validity of the '844, '968, and '731 patents because of Blue Coat I ; (4) the Patent Trial and Appeals Board ("PTAB") declined to institute IPR for the '844, '968, '731, and '086 patents under a lower evidentiary standard; and (5) Blue Coat cannot establish that several pieces of the alleged prior art were publicly available in the United States before the priority date of the asserted patents. The Court addresses each issue in turn.

A. The '494 Patent

Finjan accuses WebPulse/GIN, ProxySG and CAS with MAA, and ASG with MAA of infringing claim 10 of the '494 patent. Claim 10 recites:

10. A system for managing Downloadables, comprising:

a receiver for receiving an incoming Downloadable;

a Downloadable scanner coupled with said receiver, for deriving security profile data for the Downloadable, including a list of suspicious computer operations that may be attempted by the Downloadable; and

a database manager coupled with said Downloadable scanner, for storing the Downloadable security profile data in a database.

'494 patent, col. 22 ll. 7-17. A "Downloadable" is "an executable application program, which is downloaded from a source computer and run on the destination computer." ECF 180 at 1. A "database" is "a collection of interrelated data organized according to a database schema to serve one or more applications." Id.

i. WebPulse/GIN

Finjan seeks summary judgment that "WebPulse/GIN"⁴ infringes claim 10. The parties only substantially dispute whether WebPulse/GIN satisfies the final two limitations of claim 10.⁵ According to Finjan, WebPulse/GIN has "a Downloadable scanner ... for deriving security profile data ..." because DRTR scans and profiles content, [Redacted] Finjan Mot. 7-8. Finjan argues the "database manager ... for storing the Downloadable security profile data in a database" limitation is satisfied by either of two components: [Redacted] Finjan Mot. 8-9; see also Ex. 26 to Finjan Mot. (Cole Rpt.) ¶¶ 1464-70, ECF 227-6. Under Finjan's infringement theory, [Redacted *852] Id. ; Ex. 30 to Finjan Mot., ECF 227-14.

Blue Coat, on the other hand, disagrees that some of the alleged "security profile data," [Redacted] "includ[es] a list of suspicious computer operations." Blue Coat Opp. 3-5. Blue Coat also argues there are at least disputed issues of fact as to whether the alleged [Redacted] are "databases." Id. at 5-7. With respect to the [Redacted] Blue Coat argues that it does not store a "list of suspicious operations" [Redacted] Id. at 5-7. [Redacted] Blue Coat argues that it does not store a "list of suspicious computer operations" [Redacted] does not "includ[e] a list of suspicious computer operations." Id. at 7. As support for these arguments, Blue Coat cites almost exclusively to the report and testimony of its expert, Dr. Nielson. Id. at 3-7.

The Court agrees that summary judgment is inappropriate, at least for the reason that disputed questions of fact remain as to whether the "database manager ..." limitation is satisfied by either [Redacted] the Court notes, as an initial matter, that the parties appear to disagree as to the scope of "database:" Finjan argues that "database" encompasses key-value pairings [Redacted] whereas Blue Coat argues it does not. Compare Finjan Mot. 8-9, Finjan Reply 4-5, with Blue Coat Opp. 6-7. On this point, the Court agrees with Finjan that key-value pairing can be a "database" within the context of the '494 patent. The parties stipulated that "database" should be construed as "a collection of interrelated data organized according to a database schema." ECF 180 at 1. Key-value pairings are a way of organizing interrelated data-keys to their related values. To the extent that "schema" implies a greater level of organization and/or relation between data than this, the Court finds it inappropriate to restrict the scope of "database" in this way. The plain language of claim 10 simply recites "database," and nothing in the specification suggests that "database" should be restricted to any certain degree of data organization. See Phillips v. AWH Corp. , 415 F.3d 1303, 1312 (Fed. Cir. 2005) ("[T]he words of a claim are generally given their ordinary and customary meaning.") (internal citation and quotation marks omitted). Indeed, the specification contrasts "database" with single-dimensional data structures (i.e., that have no interrelation) such as "list" or "array," but it provides no further clarification. '494 patent, col. 10 l. 11 ("list, array, database, etc."); id. , col. 17 l. 11 ("list, database or other storage structure(s) or storage structure configuration(s)"). Blue Coat cannot artificially restrict "database" through a one-sided interpretation of the parties' stipulation.

Nevertheless, [Redacted] disputed questions of fact remain as to whether it satisfies the remainder of the limitation. Claim 10 requires that the "database" store "security profile data," which must include a "list of suspicious computer operations." The parties disagree as to whether [Redacted] See Ex. 30 to Finjan Mot. at BC2-1884319, ECF 227-14. On one hand, Blue Coat's engineer testified that [Redacted]

[Redacted]

Ex. 3 to Finjan Reply at 66:8-22, ECF 249-10. However, construing this evidence in the light most favorable to Blue Coat, this excerpt only suggests that [Redacted] Further, the parties' experts appear to disagree as to whether the source code confirms that [Redacted] Compare Ex. 26 to Finjan Mot. (Cole Rpt.) ¶¶ 1276, 1465-66, ECF 227-6 [Redacted] with Ex. 27 to Finjan Mot. (Nielson Rpt.) ¶ 318, ECF 227-8 [Redacted] Thus, based on the evidence before it, the Court cannot rule out that there are no material factual disputes as to whether [Redacted] is an infringing "database." As such, summary judgment of infringement is inappropriate.

*853[Redacted] the parties do not dispute that this constitutes a "database." Compare Finjan Mot. 9, Finan Reply 4, with Blue Coat Opp. 7. The parties also do not substantially disagree as to what [Redacted] Compare Finjan Mot. 9-10, with Blue Coat Opp. 7-8; see also Ex. 26 to Finjan Mot. (Cole Rpt.) ¶ 1469, ECF 227-6; Ex. 27 to Finjan Mot. (Nielson Rpt.) ¶ 319, ECF 227-8. Instead, the parties dispute whether PDF Labels and YARA rule hits constitute "security profile data ... including a list of suspicious operations." Both of these issues are factual questions for the jury. For example, with respect to PDF Labels, Blue Coat's own expert acknowledges that at least some of the labels that can be assigned to PDFs indicate the existence of certain operations within the PDF. See, e.g Ex. 27 to Finjan Mot. (Nielson Rpt.) ¶ 141, ECF 227-8 [Redacted] However, whether these are suspicious operations, whether PDF Labels are sufficiently comprehensive to amount to a "security profile data ... including a list of suspicious operations," and other open factual questions remain. Similarly, with respect to YARA rule hits, [Redacted] See, e.g. , Ex. 31 to Finjan Mot. at BC2-1884474, ECF 227-16. However, whether these are suspicious operations, whether YARA rules are sufficiently comprehensive to amount to a "security profile data ... including a list of suspicious operations," and/or [Redacted] amounts to a "security profile data ... including a list of suspicious operations," and other open factual questions remain. Accordingly, material disputes as to whether [Redacted] is an infringing "database." As such, summary judgment of infringement is inappropriate.

In sum, material questions of fact remain at least as to whether the WebPulse/GIN infringes the "database manager ..." limitation of claim 10. Finjan's motion for summary judgment is DENIED.

ii. Gateway Products

Finjan also seeks summary judgment that "the accused combinations of gateway products-(1) ProxySG and CAS with MAA and (2) ASG with MAA-infringe claim 10. The parties only substantially dispute whether the accused combinations satisfy the final limitation of claim 10.⁶ Finjan argues that this limitation is satisfied by any one of three components: [Redacted] Finjan Mot. 11-14.

Blue Coat responds that there is at least a material factual dispute as to whether any of these components are infringing "databases." Specifically, [Redacted] Blue Coat argues that it does not "stor[e] ... security profile data" which "includ[es] a list of suspicious operations" [Redacted] Blue Coat Opp. 8-10. With respect to the [Redacted] Blue Coat argues that it also does not "stor[e] ... security profile data" [Redacted] Id. at 10-11. With respect to [Redacted] Blue Coat argues that this cannot be a "database" that is part of a "system for managing Downloadables" because it is instead only used [Redacted] Id. at 11-13. Blue Coat points out that this is underscored by the fact that [Redacted] which is an unacceptable substitute for the required "security profile data." Id. at 12.

The Court addresses each of Blue Coat's challenges in turn. Turning to [Redacted] the Court agrees with Blue Coat that there are at least disputed questions of material fact as to whether this comprises *854a "database" that "stor[es] ... security profile data." By the plain language of claim 10, "security profile data" must "includ[e] a list of suspicious operations." Reading this limitation in light of the specification makes it clear that the "security profile data" must include (in addition to, for example, other types of metadata) a selective list of suspicious operations, not an indiscriminate list of all operations. See, e.g. , '194 patent at col. 9 ll. 34-37 (describing how "if the code scanner ... determines that the resolved command is suspect, then the code scanner ... decodes and registers the suspicious command and its command parameters as DSP data"). Indeed, Finjan has itself taken a similar position before the PTAB. See Ex. 4 to Blue Coat Opp. at 16, ECF 237-4 ("Simply listing every operation, regardless of whether it is suspicious, does not create a list of suspicious computer operations without the additional step of deeming certain operations as suspicious."). Whether [Redacted] meets this bar is at least a disputed question of fact. On one hand, Mr. Runald, a Blue Coat employee, [Redacted] Ex. 4 to Finjan Reply at 201:19-202:9, ECF 249-12. On the other hand [Redacted] are not themselves "suspicious operations." For example, [Redacted] See Ex. 8 to Blue Coat Opp. at 56:1-5, 197:1-4, ECF 238-11; Ex. 6 to Blue Coat Opp. at BC2-0070332, ECF 237-6; Ex. 7 to Blue Coat Opp. at BC2-0426163, ECF 238-10. Thus, the Court cannot grant summary judgment on the basis that [Redacted] is the infringing "database."

Turning to [Redacted] the Court also finds that there are material questions of fact as to whether this is a "database" which "stor[es] ... security profile data" within the meaning of claim 10. For example, [Redacted] Ex. 45 to Finjan Mot. at BC2-1895322, ECF 227-34. However, pattern data used for matching is not the same as matches of suspicious operations that have been located for a particular file. Further, [Redacted] See, e.g. , Ex. 8 to Blue Coat Opp. at 210:16-22, ECF 238-11 [Redacted] Ex. 9 to Blue Coat Opp. at 29:3-11, ECF 238-12 [Redacted] Thus, there are at least disputed questions of fact as to whether [Redacted] "stor[es] ... security profile data" which includes a "list of suspicious operations," not all operations. Accordingly, the Court cannot grant summary judgment on the basis that [Redacted] is the infringing "database."

Turning to the [Redacted] the Court also finds that there are material questions of fact as to whether this comprises a "database" that "stor[es] ... security profile data." For example, [Redacted] Ex. 48 to Finjan Mot. at 90:8-18, ECF 227-36; see also Ex. 6 to Finjan Reply at 253:15-17. However, there is conflicting evidence as to whether these patterns amount to a "list of suspicious operations." See, e.g. , Ex. 5 to Finjan Reply at 48:20-25, ECF 249-16 [Redacted] Accordingly, this is a factual dispute that must be left for the jury. The Court cannot grant summary judgment on the basis that [Redacted] is the infringing "database."

In sum, material questions of fact remain at least as to whether the accused combinations of gateway products infringe the "database manager ..." limitation of claim 10. Finjan's motion for summary judgment is DENIED.

B. Validity

i. '731 and '580 Patents : Lack of Expert Opinion

Finjan moves for summary judgment that the '731 and '580 patents are not invalid because Blue Coat has not disclosed any expert opinion on their validity. Finjan Mot. 16-17. Blue Coat responds that a finding of invalidity need not be supported by expert testimony, and points out that it has at least provided invalidity contentions and prior art reference elections *855for these patents. Blue Coat Opp. 21-22.

Blue Coat's arguments are unconvincing. This is not a case where the "references and [Blue Coat's] invention[s] are easily understandable without the need for expert explanatory testimony." Union Carbide Corp. v. Am. Can Co. , 724 F.2d 1567, 1573 (Fed. Cir. 1984). Accordingly, in order to bear its burden of proving invalidity by clear and convincing evidence at trial, Blue Coat will need to present "testimony from one skilled in the art [which] identif[ies] each claim element, state[s] the witnesses' interpretation of the claim element, and explain[s] in detail how each claim element is disclosed in the prior art reference." Schumer v. Lab. Computer Sys., Inc. , 308 F.3d 1304, 1315 (Fed. Cir. 2002). Because it disclosed no expert opinion on the '731 and '580 patents, Blue Coat will be unable to do this. Accordingly, Finjan's motion for summary judgment that the '731 and '580 patents are not invalid is GRANTED.

ii. '494 and '408 Patents : IPR Estoppel

Finjan seeks summary judgment that the '494 and '408 patents are not invalid on the basis that Blue Coat is estopped from asserting invalidity under 35 U.S.C. § 315(e)(2). The parties do not dispute the underlying facts: In 2016, Blue Coat joined several third-party IPRs which were filed against the '494 and '408 patents. Exs. 56-59 to Mot., ECF 230-20 through 230-23. For each, the PTAB has issued final written decisions. Exs. 11, 15, 19 to Mot., ECF 229-11, 229-15, 229-18 The chart below summarizes the grounds raised and outcomes of each:

Patent Grounds in Petition Instituted Final Written Decision (IPR) Grounds '494 patent Swimmer (§§ 102, § 103) Swimmer Swimmer (§ 103): some (IPR2015-1892) Cline in view of Ji '600 (§ 103) (§ 103) claims unpatentable, Forrest in view of Ji '600 (§ 103) other claims not unpatentable '494 patent Touboul (§§ 102. § 103) Swimmer Swimmer (§ 103): some (IPR2016-00159) Touboul in view of Swimmer (§ 103) (§ 103) claims unpatentable; Touboul in view of Ji '600 (§ 103) Swimmer other claims not Swimmer (§ 103) and unpatentable Swimmer in view of Martin (§ 103) Martin Swimmer and Martin (§ (§ 103) 103): no claims unpatentable '408 patent Chandnani and Kolawa (§ 103) All All grounds: no claims (IPR2015-2001) Chandnani, Kolawa, and Walls (§ 103) grounds unpatentable Chandnani, Kolawa, and Huang (§ 103) (IPR2016-00157) Chandnani, Kolawa, Walls, and Huang (§ 103)

Here, Blue Coat challenges claims 10, 14, and 16 of the '494 patent as obvious over Griffin, Ji '348, and Nachenberg. Ex. 12 to Blue Coat Opp. at 126, ECF 237-12. Blue Coat challenges claim 22 of the '408 patent as obvious over (1) Kolawa and Necula '774 and (2 Kolawa, Li, and Chandnani. Id.

Finjan argues that, because Blue Coat was a party (through joinder) to the above-listed IPRs, § 315(e)(2) precludes it from asserting prior art that it raised or reasonably could have raised during these proceedings. Finjan argues that all of the references currently asserted by Blue Coat fall within this because they are "patents *856or printed publications"-types of prior art which can be raised in IPR petitions. Finjan Mot. 19. In addition, Finjan argues that Blue Coat could have reasonably known about and raised the Griffin, Ji '348, and Nachenberg references for the '494 patent because they are listed on the face of the '494 patent. Id. at 20. Finjan also argues that the same is true of the '408 references because Blue Coat disclosed Necula '774 in its invalidity contentions in Blue Coat I , Li was previously disclosed as a prior art reference in another case involving the '408 patent, and Blue Coat identified both Li and Griffin in its June 2016 invalidity contentions in this case. Id. at 20-21.

Blue Coat does not dispute that it was a party to the above-listed IPRs, but nevertheless argues that it is not bound by § 315(e)(2) estoppel because, under the Federal Circuit's decision in Shaw Indus. Grp., Inc. v. Automated Creel Sys., Inc. , 817 F.3d 1293, 1300 (Fed. Cir. 2016), cert. denied , --- U.S. ----, 137 S.Ct. 374, 196 L. Ed. 2d 292 (2016), estoppel only applies to arguments that reasonably could have been raised after institution, not grounds that were not instituted or never raised in the petition. Blue Coat Opp. 14-16. Because none of the IPRs instituted on the prior art combinations that Blue Coat asserts in this case, Blue Coat argues, § 315(e)(2) estoppel does not apply. Id. In reply, Finjan argues that Shaw is inapposite, because it applies only to estoppel when invalidity grounds were raised in the petition but denied institution. Finjan Reply 10-11.

Under § 315(e)(2), "[t]he petitioner in an [IPR] ... that results in a final written decision ... or the real party in interest or privy of the petitioner, may not assert ... in a civil action ... that [a] claim is invalid on any ground that the petitioner raised or reasonably could have raised during" IPR. 35 U.S.C. § 315(e)(2). In Shaw Indus. Grp. , 817 F.3d at 1300, the Federal Circuit addressed the application of this language in a case where the PTAB had instituted IPR on some grounds but not others, and found that § 315(e)(2) did not create estoppel for the non-instituted grounds. The court reasoned this was the case because "[b]oth parts of § 315(e) create estoppel for arguments 'on any ground that the petitioner raised or reasonably could have raised during that inter partes review' " and "IPR does not begin until it is instituted." Id. (emphasis in original). Thus, the court reasoned, it was impossible for the petitioner to have "raised or reasonably could have raised" the non-instituted grounds during IPR. Id.

Since Shaw , a number of district courts-including at least one in this District-have interpreted § 315(e)(2) estoppel as applying only to grounds that were both raised in the IPR petition and instituted in the IPR proceeding. See, e.g. , Verinata Health, Inc. v. Ariosa Diagnostics, Inc , No. 12-CV-05501-SI, 2017 WL 235048, at *3 (N.D. Cal. Jan. 19, 2017). However, other district courts have disagreed that Shaw applies so broadly, finding that, in the case of grounds that were never raised in the IPR petition, Shaw is mere dicta and § 315(e)(2) estoppel can still apply. See, e.g. , Cobalt Boats, LLC, v. Sea Ray Boats, Inc. , No. 2:15-CV-00021-HCM-LRL, Dkt. No. 285, slip op. at 5-6, 2017 WL 2605977 (E.D. Va. June 5, 2017).

The Court adopts the approach of its sister court in this District and follows the broader interpretation of Shaw : § 315(e)(2) estoppel applies only to grounds that were both raised in the IPR petition and instituted in the IPR proceeding. Applied to the facts here, Blue Coat is not estopped under § 315(e)(2) from pursuing any of the invalidity combinations that it currently asserts against the '494 and '408 patents. None of the IPRs were *857instituted on these precise combinations. Accordingly, Finjan's motion is DENIED.

iii. '844, '968, and '731 Patents : Collateral Estoppel

Finjan argues that collateral estoppel bars Blue Coat from challenging the validity of the '844, '968, and '731 patents because it challenged the validity of these patents in Blue Coat I and lost. Finjan Mot. 21-22. Finjan argues that all of the elements of collateral estoppel are met here: the issue-validity-is identical, Blue Coat I ended in a final judgment on the merits, and Blue Coat was a party in the first proceeding. Id.

Blue Coat responds that, under the Federal Circuit's decision in Nasalok Coating Corp. v. Nylok Corp. , 522 F.3d 1320, 1326 (Fed. Cir. 2008), whether Blue Coat is precluded from arguing invalidity with respect to the patents asserted in Blue Coat I should be governed by questions of res judicata, not collateral estoppel. Blue Coat Opp. 19-20. Blue Coat then argues that res judicata does not apply here because the accused products for the '844, '968, and '731 patents are different from Blue Coat I . Id.

Blue Coat's rebuttal is unconvincing. Collateral estoppel and res judicata are separate concepts. See Roche Palo Alto LLC v. Apotex, Inc. , 531 F.3d 1372, 1381 n.2 (Fed. Cir. 2008). Finjan moves only on the basis of collateral estoppel, so the Court will only conduct a collateral estoppel analysis. Nasalok does not compel a contrary approach, as it was only a res judicata case. See Nasalok Coating Corp. , 522 F.3d at 1326 ("[o]nly the doctrine of claim preclusion is relevant in this case"). Blue Coat's position is also belied by recent district court cases which have decided the question of whether collateral estoppel bars invalidity claims in later suits. See, e.g. , Rudolph Technologies, Inc. v. Camtek Ltd. , 2016 WL 8668504, *4-*6 (D. Minn. Aug. 8, 2016) ; Fairchild Semiconductor Corporation v. Power Integrations, Inc. , 2015 WL 1905871, *2 (D. Del. Apr. 23, 2015).

Collateral estoppel bars re-litigation of issues adjudicated in an earlier proceeding if: (1) the issue necessarily decided at the previous proceeding is identical to the one which is sought to be re-litigated; (2) the first proceeding ended with a final judgment on the merits; and (3) the party against whom collateral estoppel is asserted was a party or in privity with a party at the first proceeding. See Reyn's Pasta Bella, LLC v. Visa USA, Inc. , 442 F.3d 741, 746 (9th Cir. 2006). There is no dispute that Blue Coat I ended in a final judgment on the merits and that the parties are the same. Thus, the only question is whether the issues are "identical." On that point, the ultimate question of patent validity is the same, but the grounds of challenge are different: In Blue Coat I , Blue Coat challenged the '844 patent as anticipated by U.S. Patent No 6,253,370 ("Abadi"), the '968 patent as anticipated by U.S. Patent No. 6,772,214 ("McClain"), and the '731 patent as anticipated by a publication entitled "IBM Websphere Edge Server: New Features and Functions in Version 2" dated April 2002 ("Braswell"). Blue Coat I , ECF 543 at 18. Here, Blue Coat challenges the '844 patent as obvious over Ji '348, Necula, and Abadi and the '968 patent as obvious over Graham, O'Toole, and Coss. Ex. 12 to Blue Coat Opp. ¶ 274, ECF 237-12.

In the context of patent validity, the Federal Circuit has not definitively addressed what constitutes an "issue" for the purposes of collateral estoppel. Rudolph Techs., Inc. , No. 15-CV-1246, 2016 WL 8668504, at *3 ("the Court is unaware of[ ] any precedent in ... the Federal Circuit directly addressing [this issue]"). Some district courts and commentators have *858suggested that different grounds of invalidity, such as different sections of the Patent Act or different combinations of prior art references, constitute different "issues." See, e.g. , TASER Int'l, Inc. v. Karbon Arms, LLC , 6 F.Supp.3d 510, 519 (D. Del. 2013) ("[I]f the invalidity theories are based on different claim constructions or different prior art, the requirement of identicality is not satisfied."). The vast majority of district courts, however, have interpreted "issue" to mean the ultimate question of patent validity, regardless of its grounds. See, e.g. , Fairchild Semiconductor Corp. , C.A. No. 12-540, 2015 WL 1905871, at *2 ; Evonik Degussa GmbH v. Materia Inc. , 53 F.Supp.3d 778, 792-94 (D.Del. 2014) ; Astrazeneca UK Ltd. v. Watson Labs., Inc. , 905 F.Supp.2d 596, 602-03 (D. Del. 2012) ; Roche Palo Alto LLC v. Apotex, Inc. , 526 F.Supp.2d 985, 994-95 (N.D. Cal. 2007) ; Meritor Transmission Corp. v. Eaton Corp. , Civil No. 1:04CV178, 2006 WL 3951711, at *4-7 (W.D.N.C. Sept. 26, 2006) ; Applied Medical Resources Corp. v. U.S. Surgical Corp. , 352 F.Supp.2d 1119, 1124-26 (C.D. Cal. 2005).

The Court is persuaded by the reasoning of the latter cases and adopts this majority view. Accordingly, because the ultimate issue of the validity of the '844, '968, and '731 patents was litigated in Blue Coat I , Blue Coat is estopped from re-litigating it here. Finjan's motion for summary judgment that the '844, '968, and '731 patents are not invalid is GRANTED.

iv. '844, '968, '731, and '086 Patents : Estoppel Due to Denied IPR Petitions

Finjan argues that Blue Coat should be estopped from challenging the validity of the '844, '968, '731, and '086 patents because it filed IPR petitions for these patents and the PTAB denied institution under a lower evidentiary standard. Finjan Mot. 22. Blue Coat responds that Finjan is wrong as a matter of law, and that none of the institution decisions even have persuasive effect because the prior art combinations asserted here are different. Blue Coat Opp. 17-18.

The Court agrees with Blue Coat. Finjan cites no authority for the proposition that denying institution creates estoppel, and the Court is aware of none. Further, because the asserted combinations differ, the PTAB's decisions have little relevance to the validity issues before the Court. Accordingly, Finjan's motion is DENIED.

v. '494 Patent : Invalidity Theories Relying on Nachenberg Reference

Finjan seeks summary judgment that the '494 patent is not invalid over any theory relying on the Nachenberg reference because Blue Coat cannot prove that it is a printed publication that was publicly available before the priority date of the '494 patent. Finjan Mot. 21-22. Blue Coat does not substantively rebut Finjan's arguments, but instead offers to drop the Nachenberg reference from the combination of Griffin, Ji '348, and Nachenberg that it has asserted against the '494 patent. Blue Coat Opp. 20-21. In reply, Finjan objects that Blue Coat's proposal is in direct contravention of the Court's scheduling order, which states that "references for a single obviousness theory shall not be changed or revised for subsequent election of asserted prior art" and that "obviousness combination A, B, C, and D" "may not be changed or revised to the combination A, B, and C." ECF 41 n.3.

The Court agrees with Finjan that, pursuant to its scheduling order, Blue Coat cannot now revise its invalidity theory of obviousness over Griffin, Ji '348, and Nachenberg to obviousness over Griffin and Ji '348. Further, because Blue Coat provides no rebuttal for Finjan's arguments *859that Nachenberg is not a printed publication, the Court adopts Finjan's view. As such, any obviousness combination that includes the Nachenberg reference-including Blue Coat's proposed combination of Griffin and Ji '348-is not a valid obviousness combination and Blue Coat may not seek to invalidate the '494 patent on those grounds. Finjan's motion for summary judgment that the '494 patent is not invalid over any theory relying on the Nachenberg reference is GRANTED.

vi. '086 Patent : Priority Date

Finjan argues that summary judgment that the '086 is not invalid should be granted for any theory relying on Ji '348 because Ji '348 is not prior art to the '086 patent. Finjan Mot. 24-25. On November 28, 2016, the PTO issued a reexamination certificate for the '086 patent, which newly reflected that the '086 patent could claim the benefit of a priority date to U.S. Provisional Application No. 60/030,639 ("the '639 provisional application"), filed on November 8, 1996. Finjan argues that, in light of the reexamination certificate, Ji '348 is not prior art to the '086 patent, as Ji '348 claims a priority date of September 10, 1997. Finjan also points out that the PTAB found the reexamination certificate persuasive in IPR2016-01444, as it determined that, in light of this reexamination certificate, Blue Coat had not shown a reasonable likelihood of prevailing in establishing that the priority date of the '086 patent was no earlier than November 6, 1997. Id .; Ex. 25 to Finjan Mot. at 3, 6-9, ECF 229-25.

Blue Coat responds that summary judgment is inappropriate, as there are disputed questions of fact as to whether the '639 provisional application discloses claim 24's "transmitter" element. Blue Coat Opp. 18. In reply, Finjan argues that this is unpersuasive, as the PTAB found that there was support for the elements of claim 24 in its decision. Finjan Reply 14.

Both parties' arguments on this issue are unconvincing: Finjan effectively argues that the Court should award an earlier priority date to the '086 patent because the PTAB did so, while Blue Coat baldly asserts lack of written description support without offering any supporting argument or evidence. However, because Finjan, as the moving party, bears the initial burden, its shortcomings govern. Finjan has not met its burden of showing that it is entitled to summary judgment that the '086 is not invalid under invalidity theories relying on Ji '348. Accordingly, Finjan's motion is DENIED.

vii. Summary

In summary, for one or several reasons discussed above, Finjan's motion for summary judgment of no invalidity is GRANTED with respect to the '731, '580, '844, '968, and '494 (for theories relying on Nachenberg) patents. Finjan's motion for summary judgment of no invalidity is DENIED with respect to the '408, '086, and '494 (for all other theories) patents.

IV. BLUE COAT'S MOTION

Blue Coat seeks summary judgment that: (1) SSLV with ProxySG does not infringe claim 1 of the '580 patent ; (2) WebPulse, alone or in combination with WSS, does not infringe claim 22 of the '408 patent ; (3) WebPulse/GIN, WSS with MAS, ProxySG and CAS with MAA, and ASG with MAA do not infringe claim 1 of the '786 patent ; and (4) "WebPulse/GIN sandboxing" does not infringe any of the Asserted Patents. Finjan opposes summary judgment on all of these grounds. The Court addresses each issue in turn.

A. The '580 Patent

Finjan accuses SSLV, in conjunction with ProxySG, of infringing claim 1 of the '580 patent. Claim 1 recites:

*8601. A system for secure communication, comprising:

a first security computer comprising:

a certificate creator, (i) for receiving attributes of a server computer's signed certificate within a reply message generated by a second security computer and communicated to the first security computer, the signed certificate being used to authenticate the server computer, and (ii) for creating a proxy signed certificate from the received attributes;

a certificate cache for storing and retrieving the attributes of the server computer's signed certificate; and

a first SSL connector, for connecting to a client computer and for performing a first SSL handshake with the client computer using the proxy signed certificate created by said certificate creator; and

a second security computer communicatively coupled with said first security computer via a non-SSL connection for receiving a connection request message therefrom, the connection request message including cached attributes of the signed certificate, comprising:

a second SSL connector, for connecting to the server computer, for receiving current attributes of the signed certificate from the server computer, for performing a second SSL handshake with the server computer using the signed certificate, and for generating the reply message communicated to said first security computer in response to the connection request message;

a certificate comparator for comparing the cached attributes of the signed certificate with the current attributes of the signed certificate; and

a protocol appender, for appending the current attributes of the signed certificate within the reply message communicated to said first security computer, when said certificate comparator determines that the cached attributes of the signed certificate do not match the current attributes of the signed certificate.

'580 patent, col. 7 l. 46-col. 8 l. 20 (emphasis added). According to Finjan, SSLV is the "first security computer" and ProxySG is the "second security computer." Finjan Opp. 6.

Blue Coat argues that the combination of SSLV and ProxySG does not infringe claim 1 for several reasons: (1) SSLV and ProxySG do not "communicate" to each other; (2) SSLV and ProxySG do not communicate a "reply message" or a "connection request message including cached attributes of the signed server certificate" to each other and do not have a "certificate comparator;" (3) SSLV and ProxySG do not share a "non-SSL connection;" and (4) SSLV does not perform an "SSL handshake with the client computer." Blue Coat Mot. at 5-14. The Court finds that summary judgment is appropriate for at least two of these reasons, which it discusses in detail below.

i. SSLV and ProxySG do not share the claimed "non-SSL connection"

One critical aspect of the system recited in claim 1 is that the "first security computer" and "second security computer" share a "non-SSL connection." This distinguishes the invention of claim 1 from prior art systems, which required an SSL connection throughout. See '580 patent at col. 1 ll. 35-37, 49-53.

Blue Coat argues that the accused combination of SSLV and ProxySG does not meet this limitation because, instead, SSLV and ProxySG-the accused "first security computer" and "second security computer," respectively-communicate using *861an SSL connection. Blue Coat Mot. 11-13. Blue Coat argues this is the case because SSLV and ProxySG must each independently decrypt and re-encrypt the SSL traffic that pass through them. Id. As support, Blue Coat points to its documentation on "Us[ing] the SSL Visibility Appliance with a ProxySG" states that "[i]n this architecture SSL traffic is decrypted twice: once on the ProxySG, and then again on the SSL Visibility Appliance." Ex. 7 to Blue Coat Mot. at BC2-0024427, ECF 225-7. It also cites its employee David Wells, who testified to the same. Ex. 24 to Blue Coat Mot. at 90:12-22, ECF 225-26.

Finjan responds that SSLV and ProxySG do share a non-SSL connection because, in its view, "the SSLV sends intercepted plaintext (i.e., unencrypted) to the ProxySG, resulting in a non-SSL connection." Finjan Opp. 11. As support, Finjan cites to its expert Dr. Cole's report and deposition testimony, where he opines that a non-SSL connection exists between SSLV and ProxySG because SSLV sends an unencrypted connection request message to the ProxySG. Ex. 3 to Finjan Opp. (Cole Rpt.) ¶ 1796, ECF 240-6 ("the SSLV create a non-SSL connection between them to transfer information including a connection request message using the ProxySG as the second security computer"); Ex. 10 to Finjan Opp. at 240:12-241:7, ECF 240-16. Finjan also cites to several excerpts from Blue Coat's documentation which describe how, after SSLV has decrypted intercepted traffic, it can pass that decrypted intercepted traffic to other attached security appliances. Ex. 15 to Finjan Opp. at BC-0024354, ECF 241-16 ("sending non-SSL flows to the attached security appliances"); Ex. 9 to Finjan Opp. at BC2-0025898, ECF 241-10 ("Intercepted plaintext is delivered to attached devices as a valid regenerated TCP stream via the SSL Visibility's network ports.").

There is no genuine dispute that SSLV and ProxySG do not share a "non-SSL connection." Instead, all of the evidence cited by the parties agrees that, when SSLV and ProxySG are deployed in combination, they share an SSL connection. The "Blue Coat Systems V2800 and SV3800 Administration and Deployment Guide" relied on by Finjan explains how, when SSLV is deployed in a cooperative configuration with a "proxy device" (such as a ProxySG) to inspect outgoing traffic, each use certificate re-sign to gain access to the encrypted traffic. Ex. 9 to Finjan Opp. at BC2-0025920, ECF 241-10 ("The existing proxy re-signs the original server certificate and then the SSL Visibility re-signs the modified server certificate it receives."); see also Ex. 1 to Finjan Opp. at BC2-0024727, ECF 241-2 ("The existing proxy re-signs the original server certificate and then the SSL Visibility re-signs the modified server certificate it receives."). This means that SSLV and the proxy device perform an SSL handshake: as part of the certificate resigning technique, the proxy, after it receives a certificate from the server, will re-sign the server's certificate and replace the server's public key with its own public key and send that to the SSLV. See id. at BC2-0025918-19. This makes it such that, when SSLV transmits outgoing traffic to the proxy, it will encrypt the traffic with the proxy's public key. See id. This is an SSL connection. In addition, Blue Coat's "Use the SSL Visibility Appliance with a ProxySG" document explains how, when SSLV is deployed in combination with a ProxySG to inspect incoming traffic, it is given the ProxySG's private key so that it can decrypt incoming traffic. Ex. 7 to Blue Coat Mot. at BC2-0024427, ECF 225-7. SSLV receives this traffic from the ProxySG (which received it from the internet), which decrypts it, inspects it, and re-encrypts it with its public key before passing it off to SSLV. Id. This too is an SSL

*862connection. The testimony of Blue Coat's employee David Wells also confirms that, when SSLV and ProxySG are deployed in combination, traffic is decrypted and re-encrypted at every step. Ex. 24 to Blue Coat Mot. at 90:12-22, ECF 226-26. This also suggests that SSLV and ProxySG share an SSL connection.

None of the evidence cited by Finjan contradicts this. First, the only evidence of a "non-SSL connection" that Dr. Cole cites is the "connection request message" that SSLV sends to ProxySG. Ex. 3 to Finjan Opp. at ¶ 1796, ECF 240-6; Ex. 10 to Finjan Opp. at 240:12-241:7, ECF 240-16. However, as Dr. Cole admitted, this is simply an initial message that is sent "before the session between the client and the server." Ex. 21 to Blue Coat Mot. at 75:3-9, ECF 226-24. All SSL connections begin with an unencrypted initial message (e.g., the "client hello" in the SSL handshake, see Ex. 21 to Blue Coat Mot. at 16:11-19:15, ECF 226-24), so this initial "connection request message" gives no indication that SSLV and ProxySG do not share an SSL connection. Second, the excerpts that Finjan cites from Blue Coat's documentation (Ex. 15 to Finjan Opp. at BC-0024354, ECF 241-16 and Ex. 9 to Finjan Opp. at BC2-0025898, ECF 241-10) refer to the unencrypted traffic that SSLV can pass to attached security devices, which are separate from the ProxySG in the SSLV/ProxySG combination that Finjan accuses. Thus, these excerpts are irrelevant. Accordingly, Finjan has failed to raise a genuine dispute that SSLV and ProxySG share a "non-SSL connection." Summary judgment of noninfringement is appropriate for at least this reason.

ii. SSLV and ProxySG do not communicate a "connection request message including cached attributes of the signed server certificate"

Another critical aspect of the system recited in claim 1 is that the "first security computer" maintains a cache of server certificates, which improves overall performance by saving the second security computer from always having to send the full server certificate to the first security computer. '580 patent, col. 5 ll. 14-16. To enable this, claim 1 requires that when a client sends a request to initiate an SSL connection with a server, the first security computer sends a "connection request message including cached attributes of the signed server certificate ." Id. , col. 8 ll. 1-2. This allows the second security computer to make sure that the cached certificate for that server is up-to-date. See id. , col. 5 ll. 17-21, col. 5 ll. 30-35.

Blue Coat argues that the accused combination of SSLV and ProxySG do not meet the "connection request message including cached attributes of the signed server certificate" limitation because SSLV, as a transparent proxy, does not itself send a connection request. Blue Coat Mot. 10. Instead, according to Blue Coat, the client sends a connection request message and it invisibly passes through SSLV. Id. In support, Blue Coat points to its SSLV documentation, Ex. 23 to Blue Coat Mot. at BC2-1607593, ECF 225-23, and testimony from David Wells, Ex. 24 to Blue Coat Mot. at 35:18-36:1, ECF 226-26. Blue Coat also argues that it does not infringe this limitation because SSLV does not send any "cached attributes of the signed certificate" and Finjan's expert provided no opinion or evidence on this element in his report. Blue Coat Mot. 10.

Finjan responds that SSLV does indeed send a "connection request message" to ProxySG because "otherwise the products could not operate together" and "the connection request would never be forwarded to the web server." Finjan Opp. 9-10. It does not, however, cite any supporting evidence for these arguments. Finjan also argues that the "connection request message"

*863sent from SSLV includes "cached attributes of the signed server certificate," "such as the expiration date of the certificate." Id. at 10-11. As support, Finjan cites to Dr. Cole's report, which states, in addressing the "connection request" element, that "the SSLV create [sic] a non-SSL connection between them to transfer information including a connection request message using the ProxySG as the second security computer." Ex. 3 to Finjan Opp. (Cole Rpt.) ¶ 1796, ECF 240-6. Finjan also cites to portions of Dr. Cole's deposition, where he testified on redirect:

Q Can you explain-I believe you were cut off earlier. Can you please provide your full explanation of why this contains the cache attributes in the connection request message.

* * *

A So element 1f, the connection request message has to include cached attributes of the signed certificate, and that's exactly what's happening here. There's a non-SSL connection between the SSLV and the ProxySG and transferring information, including a connection request message, which includes the cached attributes of the signed certificate. So that fully satisfies that element of claim 1f.

Q And what is the signed certificate? Is that the certificate that is enabling the SSL connection?

A Yes, that's the signed certificate and other relevant information from the SSL server that's needed to communicate from the ProxySG to the SSLV.

Ex. 10 to Finjan Opp. at 240:2-241:14, ECF 240-16. Finjan further cites⁷ to excerpts that relate to the "connection request" element in varying degrees, including: portions of Dr. Cole's report that address the "certificate comparator" and "cached attributes" elements, Ex. 3 to Finjan Opp. (Cole Rpt.) ¶¶ 1843-45, ECF 240-6; excerpts that discuss the SSLV's ability to import certificates, Ex. 2 to Finjan Opp. at BC2-0024427, ECF 241-3, Ex. 3 to Finjan Opp. (Cole Rpt.) ¶¶ 1725-1726, ECF 240-6; testimony discussing the SSLV's ability to send decrypted information to attached security devices, Ex. 14 to Finjan Opp. at 112:1-14, ECF 240-24; and testimony about the handshake request passing through the SSLV, Ex. 12 to Finjan Opp. at 86:2-22, ECF 240-20.

As an initial matter, the Court finds that a genuine dispute exists as to whether SSLV communicates a "connection request message" to ProxySG. Several pieces of evidence describe how SSLV forwards a request sent from the client to initiate an SSL session (i.e., the "client hello" in the SSL handshake). See, e.g. , Ex. 12 to Finjan Opp. at 86:2-22, ECF 240-20 (testimony from David Wells agreeing that "the handshake request will go through the SSL Visibility Appliance to the SSL server"); Ex. 24 to Blue Coat Mot. at 35:18-36:1, ECF 226-26 (testimony from David Wells discussing how the client hello message passes through the SSLV to the server). Blue Coat also does not appear to dispute that SSLV forwards this request. See Blue Coat Mot. 10. This at least raises a material question of fact as to whether SSLV communicates a "connection request message" to the ProxySG.

However, there is no genuine dispute that, even if SSLV communicates a "connection request message," it does not "includ[e] cached attributes of the signed server certificate." Even construing all of the evidence in favor of Finjan, there is *864simply no evidence of this claim element. Indeed, David Wells explicitly testified to the contrary:

An important point with the Visibility Appliance is that the handshake message from the client to the server that initiates the handshake, the client hello message, is passed through without being modified , and that means that the server will see exactly what it would have seen if the Visibility Appliance wasn't present, and it will choose its responses to that handshake in the same way it would have done if the Visibility Appliance wasn't present either.

Ex. 24 to Blue Coat Mot. at 35:18-36:1, ECF 226-26 (emphasis added). Other evidence submitted by the parties also confirms that, when SSLV forwards a request from the client to initiate an SSL session to the ProxySG (i.e., a "client hello"), it does not "includ[e] cached attributes of the signed server certificate" in this request. See, e.g. , Ex. 9 to Finjan Opp. at BC2-0025916-21, ECF 241-10; Ex. 15 to Finjan Opp., ECF 241-16; Ex. 16 to Finjan Opp., ECF 241-17.

None of the evidence cited by Finjan raises a genuine material dispute on this point. Neither of the excerpts from Dr. Cole's report or deposition testimony which address the "connection request ..." element (Ex. 3 to Finjan Opp. (Cole Rpt.) ¶ 1796, ECF 240-6 and Ex. 10 to Finjan Opp. at 240:2-241:14, ECF 240-16) point to any evidence of a "connection request message" (let alone one that "includ[es] cached attributes of the signed server certificate"). Instead, Dr. Cole just makes the bare assertion that this element exists. Ex. 3 to Finjan Opp. (Cole Rpt.) ¶ 1796, ECF 240-6; Ex. 10 to Finjan Opp. at 240:2-241:14, ECF 240-16. This is insufficient as a matter of law. Expert opinions are not evidence; thus, an expert's unsupported assertion that an accused product contains a claim element is not sufficient to raise a material dispute. See Rohm and Haas Co. v. Brotech Corp. , 127 F.3d 1089, 1092 (Fed. Cir. 1997) (affirming district court's determination that patentee failed to prove infringement where the patentee "offered nothing more than its expert's general opinion that the accused product or process infringed the patents").

The remaining excerpts cited by Finjan also do not raise any material question of fact that SSLV sends "cached attributes of the signed server certificate." Dr. Cole's report at ¶¶ 1843-45 relates to caching and comparing certificate attributes at the ProxySG (the alleged "second security computer") and does not address the contents of any "connection request message" that is sent from SSLV to ProxySG. The excerpt at Ex. 2 to Finjan Opp. at BC2-0024427, ECF 241-3 and Dr. Cole's report at Ex. 3 to Finjan Opp. (Cole Rpt.) ¶¶ 1725-1726, ECF 240-6 discuss SSLV's ability to import certificates, which is an initial configuration setting which allows SSLV to decrypt traffic coming from the ProxySG and does not relate to any "connection request message" that is sent from SSLV to ProxySG. The testimony at Ex. 14 to Finjan Opp. at 112:1-14, ECF 240-24 discusses how SSLV sends decrypted information to attached security devices. This is unrelated to communications between SSLV and ProxySG. Finally, the testimony from David Wells at Ex. 12 to Finjan Opp. at 86:2-22, ECF 240-20 actually agrees that "the handshake request [from the client] will just go directly through the SSL Visibility Appliance to the SSL server," which, if anything, supports an inference that, when SSLV forwards a request sent from the client to initiate an SSL session, the request is unmodified and does not include "cached attributes of the signed server certificate." Thus, none of the evidence cited by Finjan raises a material dispute that the SSLV does not communicate a "connection request *865message including cached attributes of the signed server certificate." Summary judgment of noninfringement is appropriate for at least this reason.

iii. Conclusion

For at least the two independent reasons discussed above, the Court finds that Blue Coat is entitled to summary judgment. The Court need not reach the remaining reasons supplied by Blue Coat and declines to do so. Blue Coat's motion for summary judgment of noninfringement for claim 1 of the '580 patent is GRANTED.

B. The '408 Patent

Finjan accuses the DRTR component of WebPulse, alone or in combination with WSS, of infringing claim 22 of the '408 patent. Claim 22 recites:

22. A non-transitory computer-readable storage medium storing program code for causing a computer to perform the steps of:

receiving an incoming stream of program code;

determining any specific one of a plurality of programming languages in which the incoming stream is written;

instantiating a scanner for the specific programming language, in response to said determining, the scanner comprising parser rules and analyzer rules for the specific programming language, wherein the parser rules define certain patterns in terms of tokens, tokens being lexical constructs for the specific programming language, and wherein the analyzer rules identify certain combinations of tokens and patterns as being indicators of corresponding exploits, exploits being portions of program code that are malicious;

identifying individual tokens within the incoming stream ;

dynamically building, while said receiving receives the incoming stream , a parse tree whose nodes represent tokens and patterns in accordance with the parser rules;

dynamically detecting, while said dynamically building builds the parse tree, combinations of nodes in the parse tree which are indicator or potential exploits, based on the analyzer rules; and

indicating the presence of potential exploits within the incoming stream , based on said dynamically detecting.

'480 patent, col. 21 ll. 22-67 (emphasis added).

Blue Coat argues that DRTR does not infringe claim 22 for three reasons: (1) DRTR does not "determin[e] any specific one of a plurality of programming languages;" (2) DRTR does not "instantiat[e] a scanner ... in response;" and (3) DRTR does not analyze an "incoming stream" of program code. Blue Coat Mot. 14-18. The Court finds that none of these reasons warrant summary judgment. It discusses each below.

i. Disputed questions of fact remain as to whether DRTR "determin[es] any specific one of a plurality of programming languages"

Claim 22 requires "determining any specific one of a plurality of programming languages." The parties do not colorably disagree as to how the portions of DRTR relevant to this limitation operate: [Redacted] Blue Coat Mot. 16; Finjan Opp. 14; see Ex. 29 to Blue Coat Mot. at ll. 175-190, ECF 226-36; Ex. 11 to Blue Coat Mot. at 120:5-21, ECF 226-12. [Redacted] Blue Coat Mot. 16-17; Finjan Opp. 15; Ex. 34 to Finjan's Mot. at ll. 203-17, 326-66, ECF 227-20; see also Ex. 11 to Blue Coat Mot. at 70:10-17, ECF 226-12. [Redacted] Blue Coat Mot. 16-17; Finjan Opp. 15-16; see, e.g. , Ex. 34 to Finjan Opp. at ll. 3848-3979, *866ECF 240-42; Ex. 30 to Finjan Opp. at ll. 166, 365-573, ECF 240-38.

Blue Coat argues that this functionality does not satisfy the "determining any specific one of a plurality of programming languages" limitation of claim 22 [Redacted] Blue Coat Mot. 15-17. Blue Coat contends that, because a file type is not a "programming language," DRTR does not "determin[e] ... a ... programming language[ ]." Id. at 15-16. Blue Coat also argues that, [Redacted] this cannot infringe claim 22 [Redacted] Id. at 16-17.

Finjan, on the other hand, contends that determining file type is determining a "programming language," at least within the context of the '408 patent. Specifically, Finjan points out that the '408 patent discloses JavaScript, Visual Basic Script, HTML, URI, and URL as examples of "programming languages," and also states that "the present invention is ... applicable to parse and analyze binary content and EXE files." Finjan Opp. 14 (citing '408 patent, col. 1 l. 66-col. 2 l. 2, col 4 ll. 2-5, col. 6 ll. 17-23, col. 9 ll. 7-15, col. 16 ll. 10-13). Finjan also emphasizes that [Redacted] Finjan Opp. 14-16; see Ex. 7 to Finjan Opp. at 119:5-10, 181:18-23, ECF 240-14; Ex. 20 to Finjan Opp. at BC0005745-46, ECF 240-32 [Redacted] Ex. 34 to Finjan Opp. at ll. 3715-3738, ECF 240-42; see also Ex. 34 to Finjan Mot. at ll. 333, ECF 227-20 [Redacted] Ex. 4 to Finjan Opp. (Mitzenmacher Rpt.) ¶¶ 114, 953, 955-60, ECF 240-8. Finjan also argues that [Redacted] constitute "determining any specific one of a plurality of programming languages" because they search specifically for JavaScript code. Finjan Opp. 15.

At the time of the hearing, the parties agreed that there was no fundamental dispute as to the meaning of "programming language" and that it may be given its plain and ordinary meaning. ECF 270. However, the parties appear to have different conceptions of what this plain and ordinary meaning may encompass: Blue Coat contends that file types such as text, EXE, PDF, ZIP, XML, GZIP, or RAR are not "programming languages," whereas Finjan contends they are. Compare Blue Coat Mot. 15-16, with Finjan Opp. 14. The parties' experts, purported persons of ordinary skill in the art, also appear to disagree as to whether a file type can be a "programming language." Compare Ex. 30 to Blue Coat Mot. at 111:23-113:22, ECF 226-38 (testimony from Dr. Nielson, Blue Coat's expert, that "identification of file type does not identify programming languages"), with Ex. 28 to Blue Coat Mot. at 195:3-196:23, ECF 226-34 (testimony from Dr. Mitzenmacher, Finjan's expert, that [Redacted] it will determine which programming language the program code appears to be"). Thus, before turning to questions of infringement, the Court must first clarify the scope of "programming language."

While the Court agrees with Blue Coat that, in the most typical case, "programming language" refers to languages such as C, C++, Python, Java, or Perl, it agrees with Finjan that, within the context of the '408 patent, "programming language" carries a broader meaning. Claim 22 requires that, after a "programming language" is "determin[ed]," a "scanner" is "instantiat[ed]" for that "programming language," which includes "parser rules" which "define certain patterns in terms of tokens, tokens being lexical constructs for the specific programming language" and "analyzer rules" which "identify certain combinations of tokens and patterns." '408 patent, col. 21 ll. 48-57. Thus, a "programming language" must at least be something that has "lexical constructs" which can be recognized as "tokens" and put together in detectable "patterns." The specification gives several examples of such "programming languages:" JavaScript, HTML, Visual Basic script, and *867"URI content." Id. , col. 4 ll. 3-5, col. 6 ll. 20-23, col. 15 ll. 39-43. However, the specification also discloses that "the present invention is ... applicable to parse and analyze binary content and EXE files." Id. , col. 19 ll. 10-12. Thus, it must also be the case that "determining any specific one of a plurality of programming languages" includes detecting that a file is a binary file. See Vitronics Corp. v. Conceptronic, Inc. , 90 F.3d 1576, 1583 (Fed. Cir. 1996) (a claim interpretation that excludes a preferred embodiment "is rarely, if ever, correct"). Carrying this forward, it at least seems possible that other file types, such as PDF, ZIP, XML, GZIP, or RAR, could also be said to be written in a sort of "programming language," so long as they have definable "tokens" which could be put together in detectable "patterns."

In light of this, the Court finds that there are material questions of fact as to whether DRTR "determin[es] any specific one of a plurality of programming languages." Although it seems odd (and likely incorrect) to say that every file type is its own "programming language" even within the meaning of the '408 patent, the Court cannot conclude, construing the evidence in the light most favorable to Finjan, [Redacted] As discussed above, this will turn on whether they have "tokens" which could be put together in detectable "patterns," both of which are factual determinations that must be left for the jury.

Further, the parties do not dispute that DRTR includes code specific to at least some of the explicit examples of "programming languages" given in the '408 specification: HTML and JavaScript. '408 patent, col. 1 l. 66-col. 2 l. 2, col 4 ll. 2-5, col. 6 ll. 17-23, col. 9 ll. 7-15, col. 16 ll. 10-13. Although the Court agrees with Blue Coat that [Redacted] there may be no prior determination of a programming language, it cannot rule out, on summary judgment, that DRTR's logic of processing content does not somehow include a "determin[ation]" of a "programming language." For example, the source code and other evidence submitted by the parties shows that, [Redacted] DRTR can determine that it is a text file that potentially contains HTML (or, said another way, is potentially an HTML file). See Ex. 34 to Finjan Mot. at ll. 272-366, ECF 227-20; see also id. at l. 331 [Redacted] which treats the contents as if it were HTML and processes them accordingly. See Ex. 34 to Finjan Opp. [Redacted] ECF 240-42; Ex. 31 to Blue Coat Mot. [Redacted] ECF 226-40. Although it may be the case that DRTR's identification of HTML is more of a guess and not a perfect determination, the Court cannot conclude, construing the evidence the light most favorable to Finjan, that this is not a "determin[ation]." Thus, the Court cannot grant summary judgment of noninfringement on the basis of this limitation.

ii. Disputed questions of fact remain as to whether DRTR "instantiat[es] a scanner for the specific programming language"

Claim 22 also requires "instantiating a scanner for the specific programming language." The parties dispute whether DRTR satisfies this limitation for the same reasons they advance with respect to the "determining ..." limitation: in Blue Coat's view, DRTR does not practice this limitation because it only "instantiat[es]" scanners for file types, which are not programming languages. Blue Coat Mot. 17. Finjan, on the other hand, argues that file types are programming languages, so the fact that DRTR selects scanners based on file type at least creates a triable issue of fact. Finjan Opp. 16-17. Finjan also argues that DRTR satisfies this limitation [Redacted] Id. at 17.

Because disputed questions remain as to whether DRTR "determin[es] any specific *868one of a plurality of programming languages," disputed questions remain as to whether it "instantiat[es] a scanner for the specific programming language." Thus, the Court cannot grant summary judgment of noninfringement on the basis of this limitation.

iii. Disputed questions of fact remain as to whether DRTR receives and analyzes an "incoming stream" of program code

Claim 22 also requires that its receiving and analysis steps be performed on an "incoming stream" of program code. Blue Coat argues that, because DRTR begins processing a file only after the full or partial download has been completed, it does not operate on an "incoming stream" of program code. Blue Coat Mot. 17-18. According to Blue Coat, when DRTR receives a new URL to rate and categorize, [Redacted] Id. at 17-18; see also Ex. 11 to Blue Coat Mot. at 120:5-21, 116:1-25, ECF 226-12; Ex. 27 to Blue Coat Mot. at ll. 570-583, ECF 226-32. [Redacted] DRTR begins its analysis. Blue Coat Mot. 18; see also Ex. 11 to Blue Coat Mot. at 120:5-21, ECF 226-12; Ex. 27 to Blue Coat Mot. at ll. 570-583, ECF 226-32.

[Redacted] See Finjan Opp. 17-19. Finjan nevertheless argues that DRTR analyzes an "incoming stream" for two reasons: (1) it dynamically rates the URL before its content is downloaded to a client computer, id. at 17; and (2) [Redacted] as incoming content is being received. Id. at 17-18; Ex. 4 to Finjan Opp. (Mitzenmacher Rpt.) ¶¶ 856, 1025, 1028, 1038, ECF 240-8.

At the time of the hearing, the parties agreed that there was no fundamental dispute as to the meaning of "incoming stream" and that it may be given its plain and ordinary meaning. ECF 270. However, the parties appear to have different views of what this plain and ordinary meaning may encompass: Blue Coat appears to interpret "incoming stream" as a byte stream that must come from an external source (i.e., a byte stream that is actively being downloaded), whereas Finjan appears to view "incoming stream" as a byte stream that can also come from a local source, such as a buffer.

The Court agrees with Finjan that an "incoming stream" need not be from an external source. The '408 patent does not place any restriction on where an "incoming stream" is read from and in fact itself discloses an example of an "incoming stream" that is read from a local buffer. See, e.g. , '408 patent, col. 14 ll. 23-25 ("At step 500, the parser calls a tokenizer, such as tokenizer 210, to retrieve a next token from an incoming byte stream."). Thus, "incoming stream" must at least be as broad. See Vitronics Corp. , 90 F.3d at 1583 (a claim interpretation that excludes a preferred embodiment "is rarely, if ever, correct").

Blue Coat's noninfringement arguments are only based on its assumption that "incoming stream" must be coming from an external source. Because the Court disagrees with this view, Blue Coat is not entitled to summary judgment of noninfringement on this basis.

iv. Conclusion

Disputed questions of material fact remain with respect to all of the limitations for which Blue Coat argues it is entitled to summary judgment. Accordingly, Blue Coat's motion for summary judgment of noninfringement of claim 22 of the '408 patent is DENIED.

C. The '786 Patent

Finjan accuses the following combinations of infringing claim 1 of the '786 patent : (1) ProxySG, CAS, and MAA, (2) ASG with MAA, (3) WSS with MAS, and (4) WebPulse/GIN. Claim 1 recites:

*8691. A processor-based method, comprising:

receiving at a host server downloadable-information including a combination of non-executable and executable code;

analyzing by a detection engine the downloadable-information to detect the executable code; and

causing by a packaging engine mobile protection code to be communicated to at least one information-destination of the downloadable-information, when the executable code is detected in the downloadable-information,

wherein the causing mobile protection code to be communicated comprises forming the packaging engine a sandboxed package including the mobile protection code and the downloadable-information, and causing the sandboxed package to be communicated to the at least one information-destination .

'786 patent, col. 21 ll. 33-48 (emphasis added). "Mobile protection code" is "code that, at runtime, monitors or intercepts actually or potentially malicious code operations." ECF 180 at 1; see also Blue Coat I , ECF 118 at 5.

Blue Coat argues that it neither infringes this claim literally nor under the doctrine of equivalents. The Court addresses each in turn.

i. Literal Infringement

Blue Coat argues that it does not literally infringe claim 1 because all of the accused combinations have fundamentally different architectures from what is required by claim 1. According to Blue Coat, claim 1 requires that a "sandboxed package including the mobile protection code" be delivered to the "information destination" so that the "downloadable-information" can be executed in a sandboxed environment at the "information destination." Blue Coat Mot. 18-21. Blue Coat argues that "information destination" refers to the client user device, the machine which requested the "downloadable-information." Id. at 21-22. By contrast, Blue Coat argues, there is no sandboxed package that is delivered to the client device in the accused combinations. Id. at 18-22. Instead, all of the sandboxing happens at the MAA before the downloaded information reaches the client device. Id. at 18-22.

Finjan does not dispute that, in the accused combinations, sandboxing happens on the MAA, rather than the client user device. However, Finjan maintains that the accused combinations infringe claim 1 because the MAA receives potentially suspicious content to sandbox from the ASG or CAS by way of a remote API, which includes parameters which influence how the MAA sandboxes the content. According to Finjan, these "API directions" are "mobile protection code" because they cause the MAA to monitor or intercept potentially suspicious operations of the downloaded content. Id. Finjan also argues that, in the accused combinations, the MAA (or MAS) is the "information-destination," and that the meaning of "information-destination" is broad enough to include any information destination, such as a firewall, server, the MAA, or a client user device. Id. at 21-22. As support for its infringement position, Finjan relies on Blue Coat documentation, which explains how the MAA's remote API can be used to submit sample files to the MAA or create a task to be queued and performed by the MAA. Ex. 24 to Finjan Opp. at BC2-0003335, 37, ECF 241-25. Finjan also relies on the report of its expert, Dr. Cole, who opined that the ASG and CAS "communicate" a "sandboxed package including the mobile protection code" because they send digital content to be sandboxed to an MAA via an API call, then "submit mobile protection code to the MAA via another API call which is run by the MAA to monitor the behavior of the sample," and that the API "allows for the *870MAA to receive updated system software and base images that are used in the MAA for the processing" as well as "patterns used as part of the sandboxed package." Ex. 3 to Finjan Opp. (Cole Rpt.) ¶ 2173, ECF 240-6; see also id. ¶¶ 2172-74.

As an initial matter, the Court notes that the parties do not appear to fundamentally disagree as to how the relevant portions of the accused combinations work: Finjan agrees with Blue Coat that the MAA (not the user client device) performs sandboxing, and Blue Coat agrees with Finjan that the MAA can receive files to sandbox from an ASG or CAS by way of a remote API, the parameters of which can affect how the MAA sandboxes the file. Finjan Opp. 19-21; Ex. 24 to Finjan Opp. at BC2-0003335, 37, ECF 241-25; see Blue Coat Mot. 20-21. Instead, the parties' dispute turns on two discrete issues: (1) whether the MAA is an "information-destination;" and (2) whether an API call is "mobile protection code."

The Court finds that at least this second issue entitles Blue Coat to summary judgment.⁸ As previously noted, the Court construed "mobile protection code" to mean "code that, at runtime, monitors or intercepts actually or potentially malicious code operations." ECF 180 at 1; see also Blue Coat I , ECF 118 at 5. At the time of the hearing, the parties agreed that there was no fundamental dispute as to the meaning of "code" and that it may be given its plain and ordinary meaning. ECF 270. However, the parties appear to have different views of what this plain and ordinary meaning may encompass: Blue Coat contends that "code" must be limited to executable code, whereas Finjan views it as broad enough to include API calls. Compare Blue Coat Mot. 21, Blue Coat Reply 11-12, with Finjan Opp. 21.

The Court agrees with Blue Coat that "code" in "mobile protection code" is executable code. The specification consistently describes "mobile protection code" as something that is executed. See, e.g. , id. , col. 18 ll. 7-46, col. 20 ll. 44-65. This makes sense given that one cited advantage of the '786 patent is that it "does not require pre-installation of security code within a Downloadable destination;" instead, the mobile protection code can provide its own package of security code that can be run at the destination. Id. , col. 4 ll. 61-62. This also comports with the testimony of Finjan's experts, Drs. Cole and Medvidovic, who described "code" as something that executes. See Ex. 22 to Blue Coat Mot. at 70:20-75:16, ECF 225-22 (Dr. Medvidovic describing how "typically, you'll provide the code that implements that method inside of a block that's delimited by open curly brace"); Ex. 21 to Blue Coat Mot. at 186:24-187:2, ECF 226-24 (Dr. Cole referring to "code to run"). Moreover, as Blue Coat points out, the Court implicitly addressed this question in its claim construction order in Blue Coat I , where it rejected the notion that mobile protection code includes anything other than the code that itself operates to monitor and intercept suspicious operations. See Blue Coat I , ECF 118 at 7-8 (explicitly excluding "protection policies ... 'for causing one or *871more predetermined operations to be performed' " from construction of mobile protection code). Thus, for these reasons, the "code" in "mobile protection code" must be executable code.

In light of this clarification, there is no material factual dispute that the API calls that CAS and ASG use to submit sample files to the MAA are not "mobile protection code." As the parties agree, these API calls just provide the interface that CAS or ASG can use to launch the execution of sandboxing routines that already reside on the MAA; the API calls are not themselves the executable code. See Finjan Opp. 20 ("parameters that cause the MAA to monitor or intercept operations"); Ex. 21 to Blue Coat Mot. at 182:23-25, ECF 226-24 ("It [MAA] absolutely has code that would monitor or intercept potentially malicious code operations."). Thus, the accused combinations do not satisfy this element. For at least this reason, Blue Coat is entitled to summary judgment. Blue Coat's motion for summary judgment of no literal infringement of claim 1 of the '786 patent is GRANTED.

ii. Doctrine of Equivalents

Blue Coat also moves for summary judgment that it does not infringe claim 1 under the doctrine of equivalents. To prove doctrine of equivalents at trial, Finjan must "show[ ] on a limitation-by-limitation basis that the accused product performs substantially the same function in substantially the same way with substantially the same result as each claim limitation of the patent[ ] ...." Wavetronix LLC v. EIS Electronic Integrated Systems , 573 F.3d 1343, 1360 (Fed. Cir. 2009).

Blue Coat argues that it does not infringe claim 1 under the doctrine of equivalents because the accused products do not provide the same function, the same way, and with the same result as the limitations of claim 1. Blue Coat Mot. 22-23. Specifically, Blue Coat argues that the accused combinations do not provide the same function because the function of claim 1 is to prevent malicious attacks by files already received at the destination computer, whereas the function of the accused combinations is to gather information about a potentially suspicious file and determine whether it is dangerous before sending it to the destination. Id. Blue Coat argues that the accused combinations do not provide this function in the same way because claim 1 packages a potentially suspicious file with mobile protection code and sends it to its destination, whereas the accused combinations analyze the file at the MAA and then, if it is not dangerous, sends it unpackaged to its destination. Id. at 23. Blue Coat argues that the accused combinations do not achieve the same results because claim 1 results in running a downloadable in a safe environment at the destination, whereas the accused combinations result in preventing delivery of the downloadable if it is deemed dangerous. Id. at 23.

Finjan argues that there are at least disputed issues of fact as to whether Blue Coat infringes under doctrine of equivalents, citing its expert Dr. Cole's report as providing "ample evidence" to support this. Finjan Opp. 22 (citing Ex. 3 to Finjan Opp. (Cole Rpt.) ¶¶ 2159-66, 2235-41, ECF 240-6). Finjan cites to no other "evidence" outside its expert's report.

The Court finds that there is no material dispute that Blue Coat does not infringe under the doctrine of equivalents. Dr. Cole's opinion is based entirely on his assumption that the API calls that ASG or CAS make to the MAA are "mobile protection code." See Ex. 3 to Finjan Opp. (Cole Rpt.) ¶¶ 2159-66, 2235-41, ECF 240-6. As discussed above, this is incorrect based on undisputed facts. Finjan cites to no other "evidence" that Blue Coat infringes under the doctrine of equivalents; thus, it fails to *872raise a material dispute as to this issue. Accordingly, Blue Coat is entitled to summary judgment. Blue Coat's motion for summary judgment of no infringement of claim 1 of the '786 patent under the doctrine of equivalents is GRANTED.

D. WebPulse/GIN Sandboxing

BlueCoat moves for summary judgment that "WebPulse/GIN sandboxing" does not infringe the '844, '494, '786, '621, and '086 patents. Blue Coat Mot. 23-25. According to Blue Coat, one necessary component of Finjan's allegations with respect these patents is that "WebPulse/GIN" sends content to MAA(s) to sandbox. Id. at 23. [Redacted] Id. Blue Coat argues that infringement is impossible in both of these cases because these MAA(s) do not send their results to GIN. Id. [Redacted] Id. at 24 (citing Ex. 13 to Blue Coat Mot. at 282:18-21, ECF 226-14). Id. at 24-25. [Redacted] Id. at 25.

Finjan responds that there are disputed questions of fact as to whether WebPulse/GIN uses any of these MAAs, and hence, includes sandboxing. Finjan Opp. 23. [Redacted] Id. at 24-25 (citing Ex. 7 to Finjan Opp. at 106:8-13, 17:14-18:3, 18:18-19:2, ECF 225-7). [Redacted] Id. at 23-24. [Redacted] Id. at 25.

The Court finds that disputed questions of fact remain as to whether "WebPulse/GIN" uses sandboxing through either of the identified MAA(s). [Redacted] different Blue Coat employees provided varying testimony on this MAA and its relation to GIN. See Ex. 13 to Blue Coat Mot. at 282:18-21, ECF 226-14; Ex. 7 to Finjan Opp. at 106:8-13, 17:14-18:3, 18:18-19:2, ECF 225-7. The credibility of this testimony and whether, in light of this, [Redacted] are factual determinations for the jury. Accordingly, summary judgment is inappropriate. [Redacted] including the possibility that their results are provided to GIN. See, e.g. , Ex. 8 to Finan Opp., ECF 241-9; Ex. 27 to Finjan Opp., ECF 241-28; Ex. 6 to Finjan Opp. at 36:17-38:23, ECF 240-12; Ex. 5 to Finjan Opp. at 87:2-89:25, ECF 240-10. The credibility of this testimony and whether, in light of this and Finjan's other evidence, [Redacted] are factual determinations for the jury. In addition, although the Court agrees that, as a matter of law, [Redacted] NTP, Inc. v. Research In Motion, Ltd. , 418 F.3d 1282, 1316-17 (Fed. Cir. 2005), whether this is the case is also a factual determination that should be reserved for the jury. Accordingly, summary judgment is inappropriate. Blue Coat's motion for summary judgment of noninfringement with respect to "WebPulse/GIN Sandboxing" is DENIED.

V. CONCLUSION

For the foregoing reasons, IT IS HEREBY ORDERED that:

1. Finjan's motion for summary judgment is DENIED as to whether WebPulse/GIN and the identified combinations of gateway products (ProxySG and CAS with MAA; ASG with MAA) infringe claim 10 of the '494 patent ;

2. Finjan's motion for summary judgment is GRANTED as to whether the '731, '580, '844, '968, and '494 (for theories relying on Nachenberg) patents are not invalid and DENIED as to whether the '408, '086, and '494 (for all other theories) patents are not invalid:

a. Finjan's motion for summary judgment is GRANTED as to whether the '731 and '580 patents are not invalid due to Blue Coat's failure to challenge their validity in its expert reports;

b. Finjan's motion for summary judgment is DENIED as to whether the '494 and '408 patents are not invalid because Blue Coat is estopped under *87335 U.S.C. § 315(e)(2) from challenging their validity;

c. Finjan's motion for summary judgment is GRANTED as to whether the '844, '968, and '731 patents are not invalid because Blue Coat is collaterally estopped from challenging their validity;

d. Finjan's motion for summary judgment is DENIED as to whether the '844, '968, '731, and '086 are not invalid because the PTAB declined to institute IPR for these patents;

e. Finjan's motion for summary judgment is GRANTED as to whether the '494 patent is not invalid over any theory relying on the Nachenberg reference;

f. Finjan's motion for summary judgment is DENIED as to whether the '086 patent is not invalid over any theory relying on Ji '348.

3. Blue Coat's motion for summary judgment is GRANTED as to whether SSLV in conjunction with ProxySG infringes claim 1 of the '580 patent ;

4. Blue Coat's motion for summary judgment is DENIED as to whether WebPulse, alone or in combination with WSS, infringes claim 22 of the '408 patent ;

5. Blue Coat's motion for summary judgment is GRANTED as to whether (1) ProxySG, CAS, and MAA, (2) ASG with MAA, (3) WSS with MAS, and (4) WebPulse/GIN infringe claim 1 of the '786 patent ; and

6. Blue Coat's motion for summary judgment is DENIED as to whether "WebPulse/GIN sandboxing" infringes the '844, '494, '786, '621, and '086 patents.

IT IS SO ORDERED.

1 "A token is generally a sequence of characters delimited on both sides by a punctuation character, such as a white space. Tokens includes inter alia language keywords, values, names for variables or functions, operators, and punctuation characters ...." '408 patent, col. 6 ll. 54-59.

2 To describe this in more detail, the multiple separate SSL connections meant that, at every step in the chain, information would need to be decrypted and re-encrypted with the next recipient's public key: the client would encrypt information with the third party gateway computer's public key; the third party gateway computer would decrypt the information (using its private key) and re-encrypt it with the security gateway's public key; and the security gateway would decrypt the information (using its private key) and re-encrypt it with the server's public key. '580 patent, col. 1 ll. 30-35, 45-47.

3 In its briefing, Finjan phrases its requests as seeking summary judgment that its patents are "valid." However, "[i]n a court proceeding, a patent is not found 'valid.' A judgment in favor of a patent holder in the face of an invalidity defense or counterclaim merely means that the patent challenger has failed to carry its burden of establishing invalidity by clear and convincing evidence in that particular case-premised on the evidence presented there."In re Baxter Int'l, Inc. , 698 F.3d 1349, 1351 (Fed. Cir. 2012) (en banc) (O'Malley, J., concurring) (citing Ethicon, Inc. v. Quigg , 849 F.2d 1422, 1429 n.3 (Fed. Cir. 1988) ). Thus, the Court construes Finjan's requests as seeking summary judgment that its patents are not invalid, and refers to them as such.

4 The Court notes that Blue Coat takes issue with this designation, arguing that "WebPulse/GIN" is a misnomer that conflates the functionality of WebPulse, Blue Coat's URL rating service, and GIN, Blue Coat's umbrella designation for its suite of intelligence services, which include WebPulse. Blue Coat Opp. 2-3. The Court does not find this problematic for the purposes of deciding Finjan's motion. Regardless of the label used, Finjan's allegations are directed towards identifiable functionality, and Blue Coat does not appear to have difficulty understanding the scope of these allegations.

5 Blue Coat points out that its expert, Dr. Nielson, stated in his report that he disagrees that any of the limitations of claim 10 are satisfied by the Accused Products. Opp. 3 (citing Ex. 1 to Blue Coat Opp. (Nielson Rpt.) ¶ 307, ECF 238-6). However, Blue Coat only substantively disputes the final two limitations in its opposition, so the Court will similarly focus its analysis.

6 Blue Coat points out that its expert, Dr. Nielson, stated in his report that he disagrees that any of the limitations of claim 10 are satisfied by the Accused Products. Blue Coat Opp. 8 n.4 (citing Ex. 1 to Blue Coat Opp. ¶ 307, ECF 238-6). However, Blue Coat only substantively disputes the final limitation in its opposition, so the Court will similarly focus its analysis.

7 Finjan's opposition brief cites to these excerpts in discussing the "certificate comparator" element. However, at the hearing, Finjan argued that these excerpts also were evidence of the "connection request message ..." element. Thus, the Court discusses them here too.

8 As to the first issue, the Court notes that Blue Coat I addressed a similar question with respect to the '633 patent, which shares a specification with the '786 patent. (Both are directly or indirectly continuations of U.S. Patent No. 7,058,822.) In Blue Coat I , the jury found that claim 14 of the '633 patent, which recited a "downloadable-information destination," was infringed under the doctrine of equivalents by a combination of ProxySG, CAS, and MAA. ECF 556-1 at 3. In its Order Regarding Post-Judgment Motions, the Court upheld this portion of the verdict in part because "there was substantial evidence that the MAA satisfies the 'downloadable-information destination' element as Dr. Cole testified that the MAA is the information destination." ECF 543 at 18.