DCT

1:17-cv-01490

Network Security Tech LLC v. Pulse Secure LLC

Key Events: Complaint

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:17-cv-01490, D. Del., 10/24/2017
  • Venue Allegations: Venue is asserted based on Defendant’s incorporation in the State of Delaware.
  • Core Dispute: Plaintiff alleges that Defendant’s Policy Secure network access control solution infringes patents related to verifying the security compliance of a device before granting it access to a protected network.
  • Technical Context: The technology at issue falls within the domain of Network Access Control (NAC), which is a critical component of modern enterprise security used to prevent compromised or non-compliant devices from connecting to corporate networks.
  • Key Procedural History: The complaint does not mention prior litigation or administrative proceedings. It alleges that the accused products leverage the Trusted Network Connect (TNC) open architecture promulgated by the Trusted Computing Group (TCG), which Defendant allegedly adopted as of 2013. The asserted '048 patent is a continuation of the application that resulted in the '705 patent.

Case Timeline

Date Event
2004-09-27 Priority Date for ’705 and ’048 Patents
2012-07-31 Issue Date for U.S. Patent No. 8,234,705
2013-01-01 Alleged adoption of TNC standards by Defendant (at least as of 2013)
2016-12-06 Issue Date for U.S. Patent No. 9,516,048
2017-10-24 Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,234,705 - "Contagion Isolation and Inoculation" (Issued July 31, 2012)

The Invention Explained

  • Problem Addressed: The patent addresses the security threat posed by mobile or stationary computers that, after connecting to insecure networks or being exposed to malicious media, may become infected with "viruses, worms, backdoors, and/or countless other threats" and subsequently harm a protected corporate network upon connection ('705 Patent, col. 1:20-35).
  • The Patented Solution: The invention proposes a system that determines if a host attempting to connect to a protected network is in an "insecure condition." This is achieved by contacting a "trusted computing base" on the host to obtain a digitally signed attestation of its security status (e.g., patch levels and absence of infestation). If the host fails this check, it is "quarantined" with limited network access. During quarantine, its requests are intercepted; requests for remediation resources are permitted, while other requests (like web or DNS) are redirected to a quarantine server that provides information to help the user remedy the insecure condition ('705 Patent, Abstract; Fig. 14).
  • Technical Importance: The technology provides a method for automated endpoint compliance verification, a foundational concept for managing security risks from mobile workforces and "Bring Your Own Device" (BYOD) policies (Compl. ¶10).

Key Claims at a Glance

  • The complaint asserts infringement of at least independent claim 1 (Compl. ¶16).
  • The essential elements of independent claim 1 include:
    • Detecting an insecure condition on a first host attempting to connect to a protected network.
    • The detection includes contacting a trusted computing base associated with a trusted platform module within the host and receiving a response to determine if it includes a valid digitally signed attestation of cleanliness (i.e., not infested and having a certain patch level).
    • If the attestation is not valid, quarantining the first host by preventing it from sending data to other hosts on the protected network.
    • The quarantine process includes receiving a service request from the host, serving a quarantine notification page for web server requests, and providing the IP address of a quarantine server in response to certain DNS queries.
    • Permitting the host to communicate with a remediation host.

U.S. Patent No. 9,516,048 - "Contagion Isolation and Inoculation via Quarantine" (Issued Dec. 6, 2016)

The Invention Explained

  • Problem Addressed: The patent addresses the same technical problem as its parent '705 patent: preventing infected or vulnerable computers from harming a protected network to which they are connecting ('048 Patent, col. 1:21-41).
  • The Patented Solution: The solution is substantively similar to the '705 patent, involving the detection of an insecure host, checking for a digitally signed attestation from a trusted computing base, and quarantining the host if it fails the check. Claim 1 of the '048 patent refines the quarantine process, explicitly requiring a step of determining whether a service request from the quarantined host is associated with remediation. For a web server request that is not for remediation, the patented method involves re-routing the host's browser to a quarantine server via a "redirect" ('048 Patent, Abstract; Fig. 14).
  • Technical Importance: This patent provides a more specific implementation of a quarantine and remediation system, further developing the technical framework for secure network access control (Compl. ¶29).

Key Claims at a Glance

  • The complaint asserts infringement of at least independent claim 1 (Compl. ¶35).
  • The essential elements of independent claim 1 include:
    • Detecting an insecure condition on a first host by contacting a trusted computing base and evaluating its digitally signed attestation of cleanliness.
    • If the attestation is not valid, quarantining the host by preventing it from sending data to other protected hosts.
    • The quarantine process includes receiving a service request from the host and determining if it is associated with a remediation request.
    • If the service request is not for remediation and is a web server request, serving a quarantine notification page by "re-routing by responding to the service request... with a redirect" that directs the browser to a quarantine server.
    • Permitting the host to communicate with a remediation host.
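The admission-and-quarantine flow recited in the '705 and '048 claim summaries above (signed attestation check, quarantine, DNS answers pointing at the quarantine server, web requests redirected to the quarantine server, remediation hosts reachable) can be expressed as a small enforcement-point model. The following is an added illustration written for this summary; it is not code from the complaint, the patents, or the accused Policy Secure product. It assumes a constructed policy (minimum patch level, remediation allowlist, quarantine server address) and uses an HMAC over the claims as a stand-in for the TPM-backed digital signature the claims describe; the policy requiring both "not infested" and a patch level is an assumption, since the claim language says "at least one of".

```python
"""Toy NAC admission and quarantine logic modelled on the claim elements
summarised above.  Added illustration only: not code from the complaint,
the patents, or Pulse Policy Secure.  All keys, hosts and addresses are
constructed placeholders."""
import hashlib
import hmac
import json

# Constructed: a shared key standing in for the TPM-backed signing key of the
# host's trusted computing base (a real TCB would use an asymmetric key).
TCB_KEY = b"constructed-demo-key"
MIN_PATCH_LEVEL = 42                  # constructed policy value
QUARANTINE_SERVER_IP = "10.99.0.1"    # constructed quarantine server
REMEDIATION_HOSTS = {                 # constructed remediation allowlist
    "patches.example.test": "10.99.0.20",
    "av-updates.example.test": "10.99.0.21",
}


def sign_attestation(claims: dict, key: bytes = TCB_KEY) -> dict:
    """What the host's TCB would emit: the claims plus a signature over them."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def attestation_is_valid(response) -> bool:
    """Claim element: does the response carry a *valid* digitally signed
    attestation of cleanliness (not infested, and at the required patch level)?"""
    if not isinstance(response, dict) or "claims" not in response or "sig" not in response:
        return False                        # no attestation at all
    body = json.dumps(response["claims"], sort_keys=True).encode()
    expected = hmac.new(TCB_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["sig"]):
        return False                        # forged or tampered attestation
    c = response["claims"]
    return bool(c.get("not_infested")) and c.get("patch_level", -1) >= MIN_PATCH_LEVEL


def admission_decision(response) -> str:
    """Connect-time decision: full access, or quarantine with limited access."""
    return "allow" if attestation_is_valid(response) else "quarantine"


def handle_quarantined_request(req: dict) -> dict:
    """Enforcement-point handling of a service request from a quarantined host.

    Constructed request shapes:
      {"type": "dns",  "name": "patches.example.test"}
      {"type": "http", "host": "intranet.example.test", "path": "/"}
      {"type": "tcp",  "host": "10.1.0.5", "port": 445}
    """
    kind = req.get("type")
    if kind == "dns":
        name = req.get("name", "")
        # '705 style: a name that is a remediation host resolves normally;
        # any other name is answered with the quarantine server's address.
        if name in REMEDIATION_HOSTS:
            return {"action": "resolve", "ip": REMEDIATION_HOSTS[name]}
        return {"action": "resolve", "ip": QUARANTINE_SERVER_IP}
    if kind == "http":
        if req.get("host", "") in REMEDIATION_HOSTS:
            return {"action": "permit"}     # request is associated with remediation
        # '048 style: re-route the browser to the quarantine server via a redirect.
        return {"action": "redirect", "status": 302,
                "location": f"http://{QUARANTINE_SERVER_IP}/quarantine"}
    # Any other traffic: only remediation hosts are reachable from quarantine.
    if req.get("host") in REMEDIATION_HOSTS.values():
        return {"action": "permit"}
    return {"action": "drop"}


if __name__ == "__main__":
    clean = sign_attestation({"not_infested": True, "patch_level": 50})
    stale = sign_attestation({"not_infested": True, "patch_level": 10})
    print(admission_decision(clean), admission_decision(stale))
    print(handle_quarantined_request({"type": "http", "host": "intranet.example.test", "path": "/"}))
```

The model makes the distinction discussed in the contention sections visible: the DNS branch implements the '705 "IP address of a quarantine server" element, while the HTTP branch implements the '048 "redirect" element, and both branches first ask whether the request is associated with remediation.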

III. The Accused Instrumentality

Product Identification

  • The accused instrumentality is Defendant's "Policy Secure solution," which includes a client-side agent called "Host Checker" (Compl. ¶16, ¶18, ¶13).

Functionality and Market Context

  • The complaint alleges that the Policy Secure solution "coordinates network security compliance" by performing "health and security evaluations on endpoints before allowing them to connect to the network" (Compl. ¶18, ¶13). It allegedly leverages the Trusted Network Connect (TNC) open architecture to assess endpoint integrity (Compl. ¶17). According to a product datasheet referenced in the complaint, if an endpoint does not meet configured security requirements, the system can perform actions including "quarantining, remediating, and providing authorized network access once a device has been remediated" (Compl. ¶13). The complaint includes a diagram allegedly illustrating the product’s architecture, which shows a "Requestor" and "Challenger" interacting via a "PTS Protocol" to verify integrity (Compl. ¶20, p. 9).

IV. Analysis of Infringement Allegations

'705 Patent Infringement Allegations

Each entry below gives the claim element (from independent claim 1), the alleged infringing functionality, the complaint citation, and the '705 patent citation.

  • Claim element: detecting an insecure condition on a first host that has connected or is attempting to connect to a protected network...
    • Alleged infringing functionality: The Accused Instrumentalities detect when an Access Requestor (client) attempts to connect but has not passed integrity verification, placing it in an insecure condition.
    • Complaint citation: ¶20
    • Patent citation: col. 11:17-20
  • Claim element: ...wherein detecting the insecure condition includes contacting a trusted computing base associated with a trusted platform module within the first host...
    • Alleged infringing functionality: The Accused Instrumentalities allegedly use the TCG TNC architecture and the Platform Trust Service (PTS) Protocol to contact a trusted computing base (TCB) on the client host. The complaint references a protocol integration diagram to support this.
    • Complaint citation: ¶20
    • Patent citation: col. 13:58-62
  • Claim element: ...receiving a response, and determining whether the response includes a valid digitally signed attestation of cleanliness...
    • Alleged infringing functionality: The system receives a signed set of "attestation evidence" from the host, which is cryptographically verifiable and serves as an attestation of cleanliness.
    • Complaint citation: ¶20
    • Patent citation: col. 14:1-4
  • Claim element: ...wherein the valid digitally signed attestation of cleanliness includes at least one of an attestation that the trusted computing base has ascertained that the first host is not infested, and an attestation that the trusted computing base has ascertained the presence of a patch or a patch level associated with a software component on the first host...
    • Alleged infringing functionality: The attestation information allegedly includes measurements of the client's integrity (e.g., anti-virus status) and software versions (patch level), as collected by the TNC Integrity Measurement Collector (IMC).
    • Complaint citation: ¶20
    • Patent citation: col. 14:4-8
  • Claim element: ...when it is determined that the response does not include a valid digitally signed attestation of cleanliness, quarantining the first host...
    • Alleged infringing functionality: A client that fails the integrity check is "isolated (quarantined) onto an 'Isolation Network'" to prevent it from infecting the full network.
    • Complaint citation: ¶20
    • Patent citation: col. 11:30-33
  • Claim element: ...serving a quarantine notification page to the first host when the service request comprises a web server request, and in the event the service request comprises a DNS query, providing in response an IP address of a quarantine server...
    • Alleged infringing functionality: When a host fails a check, it is provided "remediation instructions," which the complaint characterizes as a quarantine notification page, and the system can be configured with DNS rules to handle requests from non-compliant hosts.
    • Complaint citation: ¶20
    • Patent citation: col. 16:1-12
  • Claim element: ...and permitting the first host to communicate with the remediation host.
    • Alleged infringing functionality: The quarantined host is permitted limited network access to "on-line sources of remediation data" such as software patch servers.
    • Complaint citation: ¶20
    • Patent citation: col. 12:5-10

Identified Points of Contention

  • Scope Questions: A central question may be whether the defendant's alleged implementation of the TNC industry standard constitutes infringement of every limitation of the claimed method. The complaint's theory relies heavily on mapping TNC specification documents to claim elements, raising the question of whether the accused product's actual operation aligns with both the standard and the specific claim language.
  • Technical Questions: The complaint alleges that the "PTS Protocol" is used to contact a "trusted computing base." A likely point of dispute is whether the accused "Host Checker" software, in its actual operation, functions as a "trusted computing base associated with a trusted platform module" (a term often tied to hardware security like a TPM), or if it performs a different type of software-based health check that falls outside the claim's scope.

'048 Patent Infringement Allegations

Each entry below gives the claim element (from independent claim 1), the alleged infringing functionality, the complaint citation, and the '048 patent citation.

  • Claim element: detecting an insecure condition on a first host... [including] contacting a trusted computing base... and determining whether the response includes a valid digitally signed attestation of cleanliness...
    • Alleged infringing functionality: The functionality alleged to meet these elements is identical to that alleged for the '705 patent, based on the TNC architecture and PTS protocol.
    • Complaint citation: ¶39
    • Patent citation: col. 13:58-62
  • Claim element: ...quarantining the first host... wherein preventing the first host from sending data... includes receiving a service request sent by the first host, determining whether the service request sent by the first host is associated with a remediation request...
    • Alleged infringing functionality: The system allegedly places a non-compliant host in an "Isolation Network" which provides "limited or quarantined access" specifically for remediation, which suggests a determination of whether a request is for remediation.
    • Complaint citation: ¶39
    • Patent citation: col. 11:45-50
  • Claim element: ...and when it is determined that the service request... is not associated with a remediation request, serving a quarantine notification page... wherein serving the quarantine notification page... includes re-routing by responding to the service request... with a redirect that causes a browser on the first host to be directed to a quarantine server...
    • Alleged infringing functionality: The complaint cites TNC specifications stating that a Policy Decision Point (PDP) can instruct a Policy Enforcement Point (PEP) to "redirect the AR to an isolation environment," and separately alleges the display of a "remediation page" to the user.
    • Complaint citation: ¶39
    • Patent citation: col. 12:1-5
  • Claim element: ...and permitting the first host to communicate with a remediation host...
    • Alleged infringing functionality: As with the '705 patent, the quarantined host is allegedly permitted limited access to online sources for remediation data and patches.
    • Complaint citation: ¶39
    • Patent citation: col. 12:5-10

Identified Points of Contention

  • Technical Questions: A key factual question will be whether the accused product's quarantine mechanism performs the specific logic claimed: first, "determining whether the service request... is associated with a remediation request," and second, using a "redirect" to serve the quarantine page for non-remediation web requests. The complaint infers this functionality from high-level descriptions in technical specifications and user guides.

V. Key Claim Terms for Construction

  • The Term: "trusted computing base associated with a trusted platform module"

    • Context and Importance: This term is the technological core of both asserted claims. The infringement case hinges on whether Defendant’s "Host Checker" software and its interaction with the endpoint meets this definition. Practitioners may focus on this term because its construction could determine whether a purely software-based integrity check infringes, or if a specific type of hardware-backed security (i.e., a Trusted Platform Module, or TPM) is required.
    • Intrinsic Evidence for a Broader Interpretation: The patents' specifications do not strictly define the term, referring to the "Paladium security initiative" as just one "example of a trusted computing base" ('705 Patent, col. 14:1-3). This could support an argument that the term is not limited to that single embodiment.
    • Intrinsic Evidence for a Narrower Interpretation: The claim language itself explicitly requires association with a "trusted platform module." This phrase is a term of art strongly associated with the TCG's hardware TPM specifications. This language may support an interpretation that a hardware security module is a required component, not merely an optional example.
  • The Term: "quarantining"

    • Context and Importance: While "quarantine" is a general concept, both patents define it with specific functional steps in "wherein" clauses. The dispute will likely center on whether the accused "Isolation Network" performs every recited step of intercepting and re-routing different service requests (web vs. DNS) in the precise manner claimed.
    • Intrinsic Evidence for a Broader Interpretation: The specification introduces the concept more generally, stating a quarantined host is "provided only limited access to the protected network" ('705 Patent, col. 3:12-13).
    • Intrinsic Evidence for a Narrower Interpretation: Claim 1 of the '705 patent provides a detailed definition, stating the step includes "serving a quarantine notification page... when the service request comprises a web server request, and... providing in response an IP address of a quarantine server if a host name that is the subject of the DNS query is not associated with a remediation host." This detailed recitation could be construed as defining and limiting the scope of "quarantining" for the purposes of the claim.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges induced infringement under 35 U.S.C. § 271(b), asserting that Defendant provides "instruction materials, training, and services" that actively encourage and instruct its customers and end users to use the Accused Instrumentalities in a manner that directly infringes (Compl. ¶23-24, ¶42-43).
  • Willful Infringement: Willfulness is alleged based on Defendant’s knowledge of the patents and the alleged infringement "at least as early as the filing date of this Complaint" (Compl. ¶22, ¶41). This appears to be an allegation of post-suit willfulness rather than pre-suit knowledge.

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of definitional scope: can the claim term "trusted computing base associated with a trusted platform module," which suggests a hardware-based security root of trust, be construed to cover the functionality of Defendant’s allegedly software-based "Host Checker" agent as implemented under the TNC standard?
  • A key evidentiary question will be one of functional precision: does the accused Policy Secure product’s "Isolation Network" perform the specific, multi-part logic for handling different service requests (web vs. DNS) and using a "redirect" as explicitly recited in the claims, or is there a mismatch between the high-level descriptions in the cited technical documents and the product's actual method of operation?