Cupp Cybersecurity LLC v. Symantec Corp

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: CUPP Cybersecurity, LLC (Delaware) and CUPP Computing AS (Norway)
  • Defendant: Symantec Corporation (Delaware)
  • Plaintiff’s Counsel: Kramer Levin Naftalis & Frankel LLP
• Case Identification: 3:19-cv-00298, N.D. Cal., 02/13/2019
• Venue Allegations: Venue is alleged based on Defendant’s corporate headquarters being located in Mountain View, California, and its continuous business operations within the Northern District of California.
• Core Dispute: Plaintiffs allege that Defendant’s endpoint security, network security, and data encryption products infringe a nine-patent portfolio related to mobile device security management, real-time monitoring of removable media, and network firewall protection.
• Technical Context: The technologies at issue address methods for providing robust, multi-layered security for mobile and endpoint devices, a critical area in both enterprise and consumer computing where performance, power consumption, and threat protection must be balanced.
• Key Procedural History: Post-filing Inter Partes Review (IPR) proceedings have significantly altered the landscape of this case. IPRs filed against U.S. Patent Nos. 8,631,488, 9,106,683, and 8,365,272 resulted in the cancellation of numerous asserted claims. Conversely, an IPR against U.S. Patent No. 8,789,202 resulted in the confirmation of several asserted claims. The complaint also notes that the ’272 Patent was assigned to Plaintiff CUPP Computing AS from Yoggie Security Systems Ltd.

Case Timeline

Date	Event
2005-12-13	Earliest Priority Date: ’164 and ’444 Patents
2007-05-30	Earliest Priority Date: ’079 and ’272 Patents
2008-08-04	Earliest Priority Date: ’488, ’683, ’595, and ’799 Patents
2008-11-19	Earliest Priority Date: ’202 Patent
2013-01-29	Issue Date: U.S. Patent No. 8,365,272
2014-01-14	Issue Date: U.S. Patent No. 8,631,488
2014-07-22	Issue Date: U.S. Patent No. 8,789,202
2015-08-11	Issue Date: U.S. Patent No. 9,106,683
2017-08-29	Issue Date: U.S. Patent No. 9,747,444
2017-09-05	Issue Date: U.S. Patent No. 9,756,079
2017-10-03	Issue Date: U.S. Patent No. 9,781,164
2017-12-12	Issue Date: U.S. Patent No. 9,843,595
2018-09-25	Issue Date: U.S. Patent No. 10,084,799
2019-02-13	Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,631,488 - "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE"

• The Invention Explained:
  • Problem Addressed: The patent addresses the vulnerability of mobile devices when they operate outside a secure corporate network, and the inefficiency of performing security tasks (like virus scans) which traditionally require the device to be fully powered on, consuming significant battery life. (’488 Patent, col. 2:39-65).
  • The Patented Solution: The invention proposes a separate "mobile security system" that can manage a mobile device even when the device is in a low-power or "sleep" mode. The security system detects a "wake event," sends a signal to wake at least a portion of the mobile device, and then executes security services, such as scanning for malware, before potentially returning the device to a low-power state. (’488 Patent, Abstract; col. 4:14-25).
  • Technical Importance: This approach sought to provide continuous, enterprise-grade security for mobile devices without materially degrading battery life or requiring user interaction, a key challenge in the proliferation of mobile computing. (Compl. ¶¶10, 27).
• Key Claims at a Glance:
  • The complaint asserts independent claims 1 and 10, along with dependent claims 2-9 and 11-20. (Compl. ¶66). An IPR proceeding subsequent to the complaint’s filing resulted in the cancellation of claims 1-3, 5, 6, 9-12, 14, 15, and 18-20.
  • Independent Claim 1 (Method) includes the following essential elements:
    • Detecting by a mobile security system processor a wake event.
    • Providing from the mobile security system a wake signal to a mobile device, adapted to wake at least a portion of the mobile device from a power management mode.
    • After providing the wake signal, executing security instructions by the mobile security system processor to manage security services on the mobile device.

U.S. Patent No. 8,789,202 - "SYSTEMS AND METHODS FOR PROVIDING REAL TIME ACCESS MONITORING OF A REMOVABLE MEDIA DEVICE"

• The Invention Explained:

  • Problem Addressed: The patent identifies the security risks posed by connecting removable media, such as USB flash drives, to a host computer. Such connections create vectors for introducing malware or for the unauthorized exfiltration of sensitive data. (’202 Patent, col. 2:48-52).
  • The Patented Solution: The invention describes a method where, upon detection of a removable media device, "redirection code" is injected into the host digital device. This code intercepts system-level function calls for data on the removable media, allowing a security policy to be enforced (e.g., scanning a file for malware or blocking access based on user permissions) before the original data request is either granted or denied. (’202 Patent, Abstract; col. 5:54-67).
  • Technical Importance: This technology provides a mechanism for real-time, policy-based security enforcement for removable media, a common and significant threat vector for both individual and enterprise systems. (Compl. ¶13).

• Key Claims at a Glance:

  • The complaint asserts independent claims 1 and 21, along with dependent claims 2-10. (Compl. ¶88). An IPR proceeding subsequent to the complaint's filing confirmed the patentability of asserted claims 1, 3, 4, 6, 10, and 21.
  • Independent Claim 1 (Method) includes the following essential elements:
    • Detecting a removable media device coupled to a digital device.
    • Injecting redirection code into the digital device, where the code is configured to intercept a first function call and execute a second function call in its place.
    • Intercepting, with the code, a request for data on the removable media device.
    • Determining whether to allow the request based on a security policy.
    • Providing the requested data based on that determination.

• Multi-Patent Capsule: U.S. Patent No. 9,106,683

  • Patent Identification: U.S. Patent No. 9,106,683, "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE," issued August 11, 2015. (Compl. ¶14).
  • Technology Synopsis: This patent is related to the ’488 Patent and is similarly directed toward the efficient security management of a mobile device. It describes a mobile security system that detects wake events associated with the device and then manages security services in response, particularly when the device is in a power management mode. (Compl. ¶16).
  • Asserted Claims: Claims 1-20. (Compl. ¶106). An IPR proceeding subsequent to the complaint's filing resulted in the cancellation of claims 1-3, 5, 6, 9-12, 14, 15, and 18-20.
  • Accused Features: The complaint alleges that Symantec's endpoint protection products, like SEP Mobile, infringe by using a client-server architecture to detect threats and remotely manage security services on mobile devices, including waking them from low-power states. (Compl. ¶¶111-112).

• Multi-Patent Capsule: U.S. Patent No. 9,843,595

  • Patent Identification: U.S. Patent No. 9,843,595, "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE," issued December 12, 2017. (Compl. ¶17).
  • Technology Synopsis: This patent, also related to the ’488 Patent family, describes a security architecture involving a security administrator device and a security agent on a remote mobile device. The administrator device detects wake events, sends wake signals to the mobile device, and directs the performance of security services on the device after it has been woken from a power management mode. (Compl. ¶19).
  • Asserted Claims: Claims 1-30. (Compl. ¶129).
  • Accused Features: The complaint accuses Symantec’s products of infringing by using a management server (the security administrator device) to coordinate with security agents on endpoint devices to push information and security commands, thereby managing the security of remote mobile devices. (Compl. ¶134).

• Multi-Patent Capsule: U.S. Patent No. 9,781,164

  • Patent Identification: U.S. Patent No. 9,781,164, "SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY TO MOBILE DEVICES," issued October 3, 2017. (Compl. ¶20).
  • Technology Synopsis: This patent is directed to a security system that provides services to a mobile device and is managed by an IT administrator system over a trusted enterprise network. The system is configured to process remote management commands to update security code, policies, or data on the mobile device. (Compl. ¶22).
  • Asserted Claims: Claims 1-18. (Compl. ¶152).
  • Accused Features: The complaint alleges infringement by Symantec’s Mobile Device Security service, which allows IT administrators to control mobile device applications and network traffic through a secure tunnel, applying policies based on user, device, and location. (Compl. ¶¶157-158).

• Multi-Patent Capsule: U.S. Patent No. 9,756,079

  • Patent Identification: U.S. Patent No. 9,756,079, "SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE," issued September 5, 2017. (Compl. ¶23).
  • Technology Synopsis: The technology involves a system with an address translation engine that translates between an application's internal address and an external network address. This dynamic address isolation is used in conjunction with a firewall to reject incoming data packets containing malicious content according to a security policy. (Compl. ¶25).
  • Asserted Claims: Claims 1-12. (Compl. ¶174).
  • Accused Features: Symantec’s Web Application Firewall (WAF) products are accused of infringement. These products allegedly use an address translation engine and advanced threat analysis to inspect inbound and outbound data packets and block malicious content based on security policies. (Compl. ¶179).

• Multi-Patent Capsule: U.S. Patent No. 9,747,444

  • Patent Identification: U.S. Patent No. 9,747,444, "SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY TO MOBILE DEVICES," issued August 29, 2017. (Compl. ¶26).
  • Technology Synopsis: The patent describes a security system that maintains a policy identifying trusted networks. When a mobile device is on a trusted network, data is forwarded directly. When it is on an untrusted network, the security system first scans the network data for malicious content before deciding whether to forward it to the mobile device. (Compl. ¶28).
  • Asserted Claims: Claims 1-21. (Compl. ¶190).
  • Accused Features: The complaint points to Symantec's location-aware features, which can determine if a device is on a trusted corporate network (e.g., behind a Secure Web Gateway) and apply different security policies accordingly. (Compl. ¶¶197-198).

• Multi-Patent Capsule: U.S. Patent No. 8,365,272

  • Patent Identification: U.S. Patent No. 8,365,272, "SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE," issued January 29, 2013. (Compl. ¶29).
  • Technology Synopsis: Related to the ’079 patent, this technology describes a system using a network address translation engine to translate between an application address and a public address. It uses a driver to forward data packets to a firewall that rejects malicious content based on a mobile device security policy, thereby isolating the application's internal address. (Compl. ¶31).
  • Asserted Claims: Claims 1-19. (Compl. ¶211). An IPR proceeding subsequent to the complaint's filing resulted in the cancellation of claims 1 and 16, while claim 7 was found patentable.
  • Accused Features: Symantec's WAF products are accused of infringing by providing a system to set policies and using an address translation engine to analyze and protect against malicious content based on security policies. (Compl. ¶216).

• Multi-Patent Capsule: U.S. Patent No. 10,084,799

  • Patent Identification: U.S. Patent No. 10,084,799, "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE," issued September 25, 2018. (Compl. ¶32).
  • Technology Synopsis: This patent, part of the ’488 Patent family, describes a security system that detects a wake event adapted to trigger one or more security services on a mobile device that is in a power management mode. The system provides a wake signal to the device and then executes security instructions to cause the device to perform the services. (Compl. ¶33).
  • Asserted Claims: Claims 1-25. (Compl. ¶235).
  • Accused Features: The accused features are the same as those for the ’488 and ’683 patents, focusing on the ability of Symantec’s products to manage security on mobile devices by waking them from power-saving modes. (Compl. ¶240).

III. The Accused Instrumentality

Product Identification

• The complaint collectively defines the "Accused Product" as Symantec Endpoint Security Products, Symantec Network Security Products, Symantec's Endpoint Encryption product(s), and Norton Security Products. (Compl. ¶63). Specific product lines named include Symantec Endpoint Protection ("SEP") 14 and 15, SEP Cloud, SEP Mobile, Symantec Endpoint Encryption ("SEE"), Symantec Network Security Products (including Secure Web Gateway and Web Application Firewall), and various Norton-branded consumer security products. (Compl. ¶¶36-62).

Functionality and Market Context

• The accused products form a comprehensive suite of security solutions for both enterprise and consumer markets, providing layered protection for endpoints like PCs, Macs, and mobile devices. (Compl. ¶38). The complaint highlights the Symantec Endpoint Security Portfolio’s cloud-based management architecture, which uses a "Single Agent" on devices to coordinate with cloud services for threat analysis, policy enforcement, and security management. A diagram in the complaint illustrates this portfolio, showing how a central security stack and cloud proxy manage security for devices both in a headquarters data center and for roaming users. (Compl. p. 26, Diagram). The SEP Mobile component is described as a mobile app that works with cloud servers to provide services such as threat detection, passcode enforcement, and remote wipe capabilities. (Compl. ¶¶72-73). The SEE products are alleged to provide policy enforcement and encryption for removable media devices like USB drives. (Compl. ¶51).

IV. Analysis of Infringement Allegations

’488 Patent Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
detecting by a mobile security system processor of a mobile security system a wake event;	The accused SEP Mobile solution includes Cloud Servers that allegedly act as the "mobile security system processor" and "predict and detect a range of existing and unknown threats," which the complaint equates to detecting a wake event.	¶72	col. 4:14-16
providing from the mobile security system a wake signal to a mobile device... the wake signal being in response to the wake event and adapted to wake at least a portion of the mobile device from a power management mode;	The Cloud Servers allegedly manage mobile devices by sending security instructions for policy and security enforcement, which can change the device's status from sleep to awake, thereby functioning as a wake signal.	¶¶73-74	col. 4:16-22
after providing the wake signal to the mobile device, executing security instructions by the mobile security system processor to manage security services configured to protect the mobile device, the security instructions being stored on the mobile security system.	The Cloud Servers and Public Mobile App allegedly provide managed security services, such as remote wipe, passcode lock, automated updates, and policy enforcement, which are executed in response to the wake event.	¶72	col. 4:22-25

• Identified Points of Contention:
  • Scope Questions: A principal dispute may arise over the definition of "mobile security system." The patent's figures and description suggest a portable hardware device that travels with the user, whereas the complaint alleges infringement by a distributed, client-server architecture where "Cloud Servers" perform the function of the "mobile security system processor." The court will need to determine if a remote, cloud-based server can be construed as a "mobile security system" within the meaning of the claims.
  • Technical Questions: A key factual question will be what constitutes the detection of a "wake event" by the mobile security system processor. The complaint alleges that general threat detection by a cloud server satisfies this element. A counterargument may be that the claim requires the security system to detect an event on the mobile device itself (e.g., a scheduled task or an incoming network packet) that initiates the security sequence, rather than the server independently identifying a threat.

’202 Patent Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
detecting a removable media device coupled to a digital device;	Symantec’s Removable Media Encryption products are alleged to detect when a removable media device is attached to a computer to determine if its content can be accessed.	¶¶92-93	col. 4:26-27
injecting redirection code into the digital device..., the redirection code configured to intercept a first function call and configured to execute a second function call in place of the first function call;	The complaint alleges that the accused products "allow for injection of redirection code when a removable media is attached to a computer," which intercepts data requests.	¶93	col. 4:28-35
intercepting, with the redirection code, a request for data on the removable media device;	The function of the allegedly injected redirection code is to intercept requests for data on the removable device before the operating system can fulfill them directly.	¶92	col. 4:36-37
determining whether to allow the intercepted request for data based on a security policy...;	Symantec's products are alleged to enforce individual, centrally managed policies related to the use of removable media and the encryption of its contents.	¶¶51, 92	col. 4:38-41
providing requested data based on the determination.	If the security policy allows access, the requested data is provided to the user or application after the security checks are completed.	¶92	col. 4:41-42

• Identified Points of Contention:
  • Scope Questions: The construction of "injecting redirection code" will be central. The dispute will likely focus on whether this requires a specific mechanism of software modification (e.g., altering system DLLs in memory) or if it can be read more broadly to cover any software method that intercepts data requests, such as a file system filter driver.
  • Technical Questions: The primary technical question is one of operational mechanism. The complaint alleges the literal "injection of redirection code." Symantec may argue its products achieve a similar result through a non-infringing alternative, such as a kernel-level driver or a user-space agent that monitors device plug-in events and file system access without "injecting" code to intercept function calls in the manner described by the patent. The complaint provides a screenshot of Symantec's "Five Layers of Protection," which includes "USB STORAGE DEVICES," but does not detail the underlying technical implementation. (Compl. p. 15, Diagram).

V. Key Claim Terms for Construction

• For the ’488 Patent:

  • The Term: "mobile security system"
  • Context and Importance: This term is the central component of the asserted claims. The infringement theory depends on construing Symantec’s cloud-based servers as the claimed "mobile security system." Practitioners may focus on this term because its definition could either confine the patent to a specific hardware embodiment or allow it to cover modern cloud-based security architectures.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification describes the system functionally, stating it "effectively acts as a mobile internet gateway on behalf of the mobile device." (’488 Patent, col. 5:31-33). This language may support a construction not tied to a particular physical form factor, but rather to the role it performs.
    • Evidence for a Narrower Interpretation: Figure 3 of the patent depicts the "mobile security system" (345a, 345b) as a discrete hardware box separate from the main "network security system" (320), through which a mobile device connects. The background also frames the problem as one of devices traveling "outside the enterprise network," suggesting the solution is a portable apparatus that travels with the device. (’488 Patent, Fig. 3; col. 2:1-4).

• For the ’202 Patent:

  • The Term: "injecting redirection code"
  • Context and Importance: This phrase describes the core technical mechanism of the invention. The infringement case hinges on whether the accused SEE products perform this specific action. A narrow construction could place the accused products outside the claim scope, while a broad one could cover a wider range of software interception techniques.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The claim language defines the code by its function: "configured to intercept a first function call and configured to execute a second function call in place of the first function call." (’202 Patent, col. 6:18-21). This may support a construction that encompasses any code achieving this intercept-and-execute function, regardless of the precise implementation method.
    • Evidence for a Narrower Interpretation: The specification provides an example of this mechanism as "temporarily replacing one or more dlls within the digital device." (’202 Patent, col. 5:54-55). A defendant could argue that this embodiment limits the term to this specific type of dynamic-link library manipulation, as opposed to other methods like kernel-level filtering.

VI. Other Allegations

• Indirect Infringement: The complaint includes separate counts for induced infringement for each asserted patent family. It alleges that Symantec instructs and encourages its customers and users to use the accused products in an infringing manner through the distribution of user manuals, operating guides, and technical support documentation available on its website. (Compl. ¶¶82-83, 100-101).
• Willful Infringement: The complaint does not contain a separate count for willful infringement. However, the indirect infringement counts allege that Symantec "knew or was willfully blind to the fact that it was inducing others...to infringe." (Compl. ¶82). Furthermore, the Prayer for Relief explicitly requests increased damages under 35 U.S.C. § 284 and a finding that the case is "exceptional" for an award of attorneys' fees under 35 U.S.C. § 285, which are remedies contingent upon a finding of willful or egregious conduct. (Compl. p. 85, ¶¶ D, E).

VII. Analyst’s Conclusion: Key Questions for the Case

• Architectural Scope: A central issue will be one of definitional scope: can the term "mobile security system," which the patent specification and figures often depict as a portable hardware appliance, be construed to cover Symantec’s modern, distributed architecture where remote cloud servers manage a software agent on the end-user device?
• Mechanism of Infringement: A key evidentiary question will be one of technical operation: for the removable media patents, does Symantec’s Endpoint Encryption product function by "injecting redirection code" to intercept operating system calls as claimed, or does it utilize a different, non-infringing mechanism (e.g., a file system filter driver) to achieve policy enforcement?
• Impact of Post-Filing IPRs: With numerous asserted claims for key patents (e.g., ’488, ’683) cancelled after the complaint was filed, a threshold question will be the remaining viability and scope of the suit. The case may pivot heavily toward the patents and claims that survived IPR challenges, such as those in the ’202 patent, fundamentally reshaping the infringement and damages theories.