DCT

1:17-cv-01489

Network Security Tech LLC v. McAfee Inc

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:17-cv-01489, D. Del., 10/24/2017
  • Venue Allegations: Venue is asserted in the District of Delaware based on Defendant's incorporation in the state.
  • Core Dispute: Plaintiff alleges that Defendant’s Network Access Control solutions infringe patents related to methods for verifying the security posture of a device, and for quarantining and remediating non-compliant devices that attempt to connect to a protected network.
  • Technical Context: The technology addresses Network Access Control (NAC), a security domain focused on preventing unsecured or infected endpoint devices from connecting to and compromising corporate networks.
  • Key Procedural History: The complaint alleges that the accused products leverage the open architecture standards promulgated by the Trusted Network Connect (TNC) workgroup of the Trusted Computing Group (TCG), which Defendant is alleged to have adopted. The infringement theory appears to map the TNC architecture and its alleged implementation by Defendant onto the patent claims.

Case Timeline

Date Event
2004-09-27 Priority Date for ’705 and ’048 Patents
2012-05-07 TCG Trusted Network Communications Specification Published
2012-07-31 U.S. Patent No. 8,234,705 Issues
2013-01-01 Defendant Allegedly Adopted TNC Standards "at least as of 2013"
2016-12-06 U.S. Patent No. 9,516,048 Issues
2017-10-24 Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,234,705 - Contagion Isolation and Inoculation, Issued July 31, 2012

The Invention Explained

  • Problem Addressed: The patent describes the security threat posed by mobile or stationary computer systems that may become infected with malware (a "contagion") after connecting to untrusted networks or through other means. When such a compromised system attempts to connect to a "protected network," it risks infecting other resources on that network ('705 Patent, col. 1:13-41).
  • The Patented Solution: The invention provides a method to detect an "insecure condition" on a host attempting to connect to the network. If the host is deemed insecure, it is quarantined, restricting its network access. This quarantine prevents the host from communicating with most of the protected network but permits communication with specific "remediation" hosts. This allows the host to download necessary patches, updates, or definitions to resolve the insecure condition before being granted full network access ('705 Patent, col. 3:7-23; FIG. 10A).
  • Technical Importance: This technology addresses the security vulnerability created by bring-your-own-device (BYOD) and mobile workforces, where devices outside of direct IT control can act as vectors for network intrusions (Compl. ¶10).

Key Claims at a Glance

  • The complaint asserts independent claim 1 (Compl. ¶16).
  • The essential elements of claim 1 include:
    • Detecting an insecure condition on a first host, which includes contacting a trusted computing base (TCB) associated with a trusted platform module (TPM) and determining if a response includes a valid digitally signed attestation of cleanliness (e.g., that the host is not infested or has a required patch level).
    • If no valid attestation is received, quarantining the first host by preventing it from sending data to other hosts on the protected network.
    • This quarantine process involves specific handling of service requests: serving a quarantine notification page for a web request, and for a DNS query, providing the IP address of a quarantine server unless the query is for a remediation host.
    • Permitting the first host to communicate with the remediation host.

U.S. Patent No. 9,516,048 - Contagion Isolation and Inoculation via Quarantine, Issued December 6, 2016

The Invention Explained

  • Problem Addressed: As a continuation of the application leading to the '705 patent, this patent addresses the same fundamental problem of preventing infected or non-compliant devices from compromising a protected network ('048 Patent, col. 1:21-49).
  • The Patented Solution: The invention describes a similar method of detecting an insecure condition using a trusted computing base, and if the host is non-compliant, quarantining it. The claims of the ’048 patent provide more specific details on the quarantine mechanism, particularly for web server requests. The solution involves re-routing a non-remediation web request from the quarantined host by responding with a redirect that sends the host's browser to a quarantine server, which then serves a notification page ('048 Patent, Abstract; col. 4:1-12).
  • Technical Importance: This technology provides a specific implementation for enforcing network access policies and guiding users of non-compliant devices through the remediation process, a key function of modern NAC systems (Compl. ¶29).

Key Claims at a Glance

  • The complaint asserts independent claim 1 (Compl. ¶35).
  • The essential elements of claim 1 include:
    • Detecting an insecure condition on a first host by contacting a TCB and evaluating a digitally signed attestation of cleanliness.
    • If no valid attestation is received, quarantining the first host.
    • The quarantine process includes receiving a service request, determining if it is a remediation request, and if not, serving a quarantine notification page.
    • Specifically for a web server request, serving the quarantine page includes "re-routing by responding to the service request... with a redirect that causes a browser on the first host to be directed to a quarantine server."
    • Permitting the host to communicate with a remediation host.
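The claim elements listed above for the '705 patent (web request vs. DNS query handling) and the '048 patent (redirect to a quarantine server) describe one enforcement routine. The following is an added illustration written for this analysis, not code from the patents, the complaint, or any McAfee product; every host name, address, key and patch level in it is constructed, and an HMAC stands in for the TPM-backed digital signature so it runs with the standard library only.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo values: quarantine server, remediation hosts, and the key
# the trusted computing base (TCB) uses to sign attestations (HMAC stand-in).
QUARANTINE_IP = "10.0.0.250"
REMEDIATION_HOSTS = {"patches.example.internal": "10.0.0.20",
                     "av-updates.example.internal": "10.0.0.21"}
TCB_KEY = b"constructed-demo-key"
REQUIRED_PATCH_LEVEL = 7


@dataclass
class Attestation:
    host: str
    clean: bool          # "not infested"
    patch_level: int
    signature: str


def sign_attestation(host: str, clean: bool, patch_level: int) -> str:
    """What the TCB would return; HMAC-SHA256 stands in for a real signature."""
    msg = f"{host}|{int(clean)}|{patch_level}".encode()
    return hmac.new(TCB_KEY, msg, hashlib.sha256).hexdigest()


def must_quarantine(att: Optional[Attestation]) -> bool:
    """No response, a bad signature, or a signed-but-unclean statement all quarantine."""
    if att is None:
        return True
    expected = sign_attestation(att.host, att.clean, att.patch_level)
    if not hmac.compare_digest(expected, att.signature):
        return True
    return not (att.clean and att.patch_level >= REQUIRED_PATCH_LEVEL)


def handle_request(quarantined: bool, kind: str, target: str) -> Tuple[str, str]:
    """Enforcement for one service request from the first host.

    kind is "dns" (target = queried name), "http" (target = Host header) or
    "other" (target = destination IP). Returns (action, value).
    """
    if not quarantined:
        return ("forward", target)
    if kind == "dns":
        # '705 claim 1: answer with the quarantine server's IP unless the
        # queried name belongs to a remediation host.
        return ("answer", REMEDIATION_HOSTS.get(target, QUARANTINE_IP))
    if kind == "http":
        if target in REMEDIATION_HOSTS:
            return ("forward", target)
        # '048 claim 1: redirect the browser to the quarantine server, which
        # then serves the quarantine notification page.
        return ("redirect", f"http://{QUARANTINE_IP}/quarantine")
    # All other traffic: only remediation hosts and the quarantine server are reachable.
    allowed = set(REMEDIATION_HOSTS.values()) | {QUARANTINE_IP}
    return ("forward", target) if target in allowed else ("drop", target)
```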

III. The Accused Instrumentality

Product Identification

  • Defendant’s "Network Access Control Solution," including products marketed as "McAfee NAC" and "McAfee Policy Enforcer" (the "Accused Instrumentalities") (Compl. ¶¶16, 18, 37).

Functionality and Market Context

  • The complaint alleges the Accused Instrumentalities are designed to protect corporate networks by ensuring that only compliant systems are granted access (Compl. ¶¶18, 29). The products are alleged to leverage the Trusted Network Connect (TNC) open architecture to perform a multi-step process: (1) defining security policies, (2) detecting devices attempting to connect, (3) assessing systems for compliance against policies (e.g., checking for infections or required patches), (4) enforcing access by quarantining non-compliant systems, and (5) automatically remediating them (Compl. ¶¶17-18). The complaint includes a marketing diagram from McAfee that illustrates the components of its NAC architecture, including a policy orchestrator, sensors, and scanners working together to manage network access. (Compl. p. 6).
  • The complaint frames the Accused Instrumentalities as a "vital part of McAfee's total network access control (NAC) solution" for mitigating risk from non-compliant systems (Compl. ¶¶18, 29).

IV. Analysis of Infringement Allegations

U.S. Patent No. 8,234,705 Infringement Allegations

Each entry below gives the Claim Element (from Independent Claim 1), the Alleged Infringing Functionality, the Complaint Citation and the Patent Citation.

  • Claim Element: detecting an insecure condition on a first host... wherein detecting the insecure condition includes contacting a trusted computing base associated with a trusted platform module within the first host, receiving a response, and determining whether the response includes a valid digitally signed attestation of cleanliness...
    • Alleged Infringing Functionality: The Accused Instrumentalities allegedly detect an insecure condition by using the TNC architecture's Platform Trust Service (PTS) Protocol to contact a Policy Decision Point (PDP), which functions as the trusted computing base. This process involves collecting integrity measurements and receiving a cryptographically verifiable "attestation" of the host's cleanliness (i.e., not infested) or patch level. The complaint provides a TCG diagram illustrating this protocol.
    • Complaint Citation: ¶20
    • Patent Citation: col. 13:25-14:2
  • Claim Element: when it is determined that the response does not include a valid digitally signed attestation of cleanliness, quarantining the first host, including by preventing the first host from sending data to one or more other hosts associated with the protected network...
    • Alleged Infringing Functionality: When a host fails the integrity check, the Accused Instrumentalities allegedly use the TNC "Assessment Phase" to make an "Isolate or Block" recommendation. This quarantines the host to an "Isolation Network," preventing it from spreading contagions to the full network.
    • Complaint Citation: ¶20
    • Patent Citation: col. 11:32-12:14
  • Claim Element: ...wherein preventing the first host from sending data... includes receiving a service request..., serving a quarantine notification page to the first host when the service request comprises a web server request, and... providing in response an IP address of a quarantine server... if a host name... is not associated with a remediation host...
    • Alleged Infringing Functionality: The complaint alleges that when a quarantined host makes a service request (e.g., a web or DNS request), McAfee's "enforcer" component restricts its access. For a web request or DNS query to a non-remediation site, the system provides a quarantine notification page or the IP of the quarantine server, which displays remediation instructions.
    • Complaint Citation: ¶20
    • Patent Citation: col. 15:56-16:51
  • Claim Element: and permitting the first host to communicate with the remediation host.
    • Alleged Infringing Functionality: The Accused Instrumentalities allegedly permit the quarantined host to communicate with a "remediation host" (e.g., a remediation portal with resource links) to download patches or updates. This is described as providing "limited access to the network" to enable the client to reach a compliant state.
    • Complaint Citation: ¶21
    • Patent Citation: col. 11:40-12:14

U.S. Patent No. 9,516,048 Infringement Allegations

Each entry below gives the Claim Element (from Independent Claim 1), the Alleged Infringing Functionality, the Complaint Citation and the Patent Citation.

  • Claim Element: detecting an insecure condition on a first host... wherein detecting the insecure condition includes contacting a trusted computing base associated with a trusted platform module within the first host, receiving a response, and determining whether the response includes a valid digitally signed attestation of cleanliness...
    • Alleged Infringing Functionality: The infringement allegation mirrors that for the '705 patent, asserting that McAfee's products use the TNC architecture and its PTS Protocol to contact a trusted computing base (the PDP) and receive a signed attestation regarding the host's integrity status and software versions. The complaint references a TCG diagram of the TNC architecture to support this allegation.
    • Complaint Citation: ¶39
    • Patent Citation: col. 13:25-14:2
  • Claim Element: when it is determined that the response does not include a valid digitally signed attestation of cleanliness, quarantining the first host...
    • Alleged Infringing Functionality: When a host fails the integrity check, the Accused Instrumentalities allegedly perform an "Assessment Phase" which results in an "Isolate or Block" recommendation. This quarantines the non-compliant host to protect the network from potential threats.
    • Complaint Citation: ¶39
    • Patent Citation: col. 11:32-12:14
  • Claim Element: ...wherein preventing the first host from sending data... includes receiving a service request..., determining whether the service request... is associated with a remediation request, and when it is determined that the service request... is not associated with a remediation request, serving a quarantine notification page...
    • Alleged Infringing Functionality: The complaint alleges that the Accused Instrumentalities provide "limited or quarantined access" for non-compliant hosts. This involves intercepting service requests and providing "remediation instructions" in place of standard responses if the request is not for an approved remediation resource.
    • Complaint Citation: ¶39
    • Patent Citation: col. 14:27-14:49
  • Claim Element: ...wherein serving the quarantine notification page to the first host includes re-routing by responding to the service request sent by the first host with a redirect that causes a browser on the first host to be directed to a quarantine server...
    • Alleged Infringing Functionality: The complaint alleges that McAfee's "enforcer" component restricts network access and that its remediation process for web requests illustrates this re-routing. Non-compliant users are directed to a "remediation portal" with instructions and links, which the complaint maps to the claimed redirect to a quarantine server.
    • Complaint Citation: ¶39
    • Patent Citation: col. 15:56-16:51

Identified Points of Contention

  • Scope Questions: The complaint's theory relies on mapping the functions of the open TNC standard onto the patent claims. A primary question will be whether implementing the TNC standard necessarily constitutes infringement. The defense may argue that the patented methods are specific implementations, and that a TNC-compliant product does not have to practice these specific methods.
  • Technical Questions: The infringement analysis will likely turn on the precise technical operation of McAfee's products versus the specific steps in the claims. Key questions include: (1) Does the "attestation" generated within the TNC framework meet all the requirements of the "valid digitally signed attestation of cleanliness" as claimed? (2) Do McAfee's products actually perform the distinct DNS query handling recited in claim 1 of the '705 patent? (3) Does the mechanism used by McAfee to direct users to a remediation portal constitute "re-routing by ... a redirect" as specifically required by claim 1 of the '048 patent?

V. Key Claim Terms for Construction

The Term: "trusted computing base"

  • Context and Importance: This term appears in the independent claims of both patents and is foundational to the "detecting" step. The infringement case hinges on whether the components of the TNC architecture allegedly used by McAfee—such as the Policy Decision Point (PDP)—qualify as a "trusted computing base." Practitioners may focus on this term because its construction could determine whether a standards-based software architecture falls within the scope of claims that also reference a hardware "trusted platform module."
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The '705 patent specification does not appear to provide an explicit definition, potentially leaving the term open to its plain and ordinary meaning in the context of computer security at the time of the invention. The complaint leverages a definition from a TCG document, defining it as "the collection of system resources (hardware and software) that is responsible for maintaining the security policy" (Compl. ¶20, p. 10).
    • Evidence for a Narrower Interpretation: The claims explicitly link the "trusted computing base" to a "trusted platform module" (TPM). The specification's frequent references to specific hardware and security initiatives (e.g., '705 Patent, col. 13:5-8, mentioning the Palladium initiative) could be used to argue that the inventor contemplated a more specific, hardware-rooted TCB, not a distributed set of software components as in the TNC architecture.

The Term: "serving a quarantine notification page" (in the context of specific web and DNS handling in '705 claim 1 and "re-routing by... redirect" in '048 claim 1)

  • Context and Importance: The definition of this functional step is critical because both patents claim a very specific method for handling traffic from a quarantined host. A generic quarantine notification may not infringe; the method of delivery is key. The dispute will likely center on whether McAfee's products use the exact logic claimed.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification describes the overall goal as providing "information and links to assist in remediation" ('705 Patent, col. 15:1-3). A party could argue this functional goal should inform the interpretation, allowing for technically varied implementations that achieve the same result.
    • Evidence for a Narrower Interpretation: The claims themselves provide the strongest evidence for a narrow construction. Claim 1 of the '705 patent recites different actions for web requests versus DNS queries. Claim 1 of the '048 patent explicitly requires "re-routing by responding... with a redirect." The patent's flowcharts, such as Figure 16, detail this specific logic, which may support an interpretation that limits the claim scope to these exact steps ('705 Patent, FIG. 16; '048 Patent, FIG. 16).

VI. Other Allegations

Indirect Infringement

  • The complaint alleges induced infringement, asserting that Defendant encourages its customers and partners to infringe by providing instruction materials, advertising, and training for the Accused Instrumentalities (Compl. ¶¶23-24, 42-43).

Willful Infringement

  • Willfulness is alleged based on Defendant’s constructive knowledge of the patents and their infringement starting from the filing date of the complaint. There are no allegations of pre-suit knowledge (Compl. ¶¶22, 41).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A central issue will be one of standards-based infringement: does McAfee's implementation of the open Trusted Network Connect (TNC) architecture necessarily practice the specific, multi-step methods for device attestation and traffic redirection recited in the asserted claims, or can the Accused Instrumentalities operate in a TNC-compliant but non-infringing manner?
  • The case may also turn on a key claim construction question: will the term "trusted computing base," which is recited in the claims as being "associated with a trusted platform module," be construed broadly to cover the primarily software-based components of the TNC architecture, or will it be limited to a more specific, hardware-anchored implementation?
  • A key evidentiary question will be one of functional implementation: what proof can be adduced that McAfee's commercial products perform the precise quarantine logic claimed—specifically the differential handling of web versus DNS requests ('705 patent) and the use of a "redirect" ('048 patent)—beyond what is described in general marketing materials or high-level standards documents?