Cupp Cybersecurity LLC v. Symantec Corp

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: CUPP Cybersecurity, LLC (Delaware) and CUPP Computing AS (Norwegian)
  • Defendant: Symantec Corp. (Delaware)
  • Plaintiff’s Counsel: Barnes & Thornburg LLP; Kramer Levin Naftalis & Frankel LLP
• Case Identification: 1:18-cv-02050, N.D. Tex., 06/14/2018
• Venue Allegations: Plaintiff alleges venue is proper in the Northern District of Texas because Defendant Symantec maintains a regular and established place of business in the district and has allegedly committed acts of infringement there, including making, using, and selling the accused products.
• Core Dispute: Plaintiff alleges that Defendant’s endpoint security, network security, and data encryption products infringe eight patents related to mobile device security, including power management-based security operations and real-time monitoring of removable media.
• Technical Context: The patents address cybersecurity for mobile and endpoint devices, a commercially significant field focused on protecting users from malware, data theft, and network-based threats without compromising device performance.
• Key Procedural History: Subsequent to the filing of this complaint, Inter Partes Review (IPR) proceedings were instituted against seven of the eight asserted patents, resulting in the cancellation of a significant number of the asserted claims. For U.S. Patent 8,631,488, IPR cancelled claims 1-3, 5, 6, 9-12, 14, 15, and 18-20, all of which are asserted. For U.S. Patent 8,789,202, IPR confirmed the patentability of asserted claims 1, 3, 4, 6, 10, and 21. For the remaining patents subject to IPR (’683, ’595, ’164, ’079, and ’272), a majority of the asserted claims were cancelled. These outcomes substantially narrow the scope of the dispute as originally pleaded.

Case Timeline

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,631,488 - SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE

• Issued: January 14, 2014 (’488 Patent)

The Invention Explained

• Problem Addressed: The patent addresses the challenge of performing resource-intensive security tasks, like malware scanning, on mobile devices without disrupting the user or excessively draining the battery. (’488 Patent, col. 2:40-50).
• The Patented Solution: The invention proposes a separate "mobile security system" that detects when a primary mobile device enters a low-power or idle state (a "wake event"). It then sends a "wake signal" to activate the device, or a portion of it, to perform security services during this period of user inactivity, thereby preserving performance and battery life. (’488 Patent, Abstract; col. 3:9-20).
• Technical Importance: This approach allows for efficient, non-disruptive security management, which is critical for maintaining both the security posture and usability of mobile devices. (Compl. ¶9).

Key Claims at a Glance

• The complaint asserts independent claims 1 and 10, among others. (Compl. ¶63). As noted, claim 1 was subsequently cancelled in an IPR proceeding.
• Independent Claim 1 (as filed) requires:
  • Detecting by a mobile security system processor of a mobile security system a wake event;
  • Providing from the mobile security system a wake signal to a mobile device, the mobile device having a mobile device processor different than the mobile security system processor;
  • The wake signal being in response to the wake event and adapted to wake at least a portion of the mobile device from a power management mode; and
  • After providing the wake signal to the mobile device, executing security instructions by the mobile security system processor to manage security services configured to protect the mobile device.

U.S. Patent No. 8,789,202 - SYSTEMS AND METHODS FOR PROVIDING REAL TIME ACCESS MONITORING OF A REMOVABLE MEDIA DEVICE

• Issued: July 22, 2014 (’202 Patent)

The Invention Explained

• Problem Addressed: Removable media devices, such as USB flash drives, pose a security risk by potentially introducing malware or enabling unauthorized data removal. Traditional security solutions may lack real-time, policy-based control over these devices. (’202 Patent, col. 2:22-40).
• The Patented Solution: The invention describes a method where, upon connection of a removable media device, "redirection code" is injected into the host digital device. This code intercepts function calls (e.g., file access requests) directed at the removable media, assesses the request against a security policy, and then either permits or denies the action before it executes. (’202 Patent, Abstract; col. 3:50-60).
• Technical Importance: The method provides granular, real-time control over data access to and from removable media, enhancing endpoint security against both inbound threats and data exfiltration. (Compl. ¶12).

Key Claims at a Glance

• The complaint asserts independent claims 1 and 21, among others. (Compl. ¶85).
• Independent Claim 1 requires:
  • Detecting a removable media device coupled to a digital device;
  • Injecting redirection code into the digital device after detecting the coupling, the code configured to intercept a first function call and execute a second function call in its place;
  • Intercepting, with the redirection code, a request for data on the removable media device;
  • Determining whether to allow the intercepted request for data based on a security policy implementing content analysis and risk assessment algorithms; and
  • Providing the requested data based on the determination.

U.S. Patent No. 9,106,683 - SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE

• Issued: August 11, 2015
• Technology Synopsis: This patent is related to the ’488 Patent and is also directed to the efficient security management of a mobile device by detecting wake events and managing security services while the device is in a power management mode. (Compl. ¶15, 107).
• Asserted Claims: Claims 1-20 are asserted. (Compl. ¶103).
• Accused Features: The accused features are the Symantec Endpoint Security and Norton Security products that allegedly use a mobile security system to detect a wake event, provide a wake signal to the mobile device, and manage security services in response. (Compl. ¶107).

U.S. Patent No. 9,843,595 - SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE

• Issued: December 12, 2017
• Technology Synopsis: This patent is also related to the ’488 Patent family and is directed to efficient security management using a security administration device that detects wake events, sends wake signals to a mobile device, and performs security services. (Compl. ¶18, 130).
• Asserted Claims: Claims 1-30 are asserted. (Compl. ¶126).
• Accused Features: The complaint alleges that Symantec's security products operate via a security system and a security agent on the mobile device to detect wake events, send wake signals, and perform security services after the device is woken. (Compl. ¶130).

U.S. Patent No. 9,781,164 - SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY TO MOBILE DEVICES

• Issued: October 3, 2017
• Technology Synopsis: This patent is directed to a security system that provides security services to a mobile device and is managed by an IT administrator system, which can process remote commands to update security code, policies, or data. (Compl. ¶21, 153).
• Asserted Claims: Claims 1-18 are asserted. (Compl. ¶149).
• Accused Features: The complaint alleges infringement by Symantec products that provide a framework for applying policies based on user, device, and location, and allow IT administrators to control and update these policies on mobile devices. (Compl. ¶154, 158).

U.S. Patent No. 9,756,079 - SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE

• Issued: September 5, 2017
• Technology Synopsis: This patent is directed to a system that uses an address translation engine to translate between an internal application address and an external network address, and a firewall to reject malicious packets based on a security policy. (Compl. ¶24, 175).
• Asserted Claims: Claims 1-12 are asserted. (Compl. ¶171).
• Accused Features: The Symantec Web Application Firewall (WAF) product is accused of infringing by providing advanced threat analysis, using an address translation engine, and employing a firewall to reject malicious data packets according to a security policy. (Compl. ¶176).

U.S. Patent No. 9,747,444 - SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY TO MOBILE DEVICES

• Issued: August 29, 2017
• Technology Synopsis: The patent describes a security system that identifies trusted networks and determines whether to forward network data to a security system for scanning based on whether the mobile device is on a trusted network. (Compl. ¶27, 191).
• Asserted Claims: Claims 1-21 are asserted. (Compl. ¶187).
• Accused Features: Symantec's Mobile Device Security service is accused of infringing by providing location-aware features that determine when a device is on a trusted corporate network and apply different security policies accordingly. (Compl. ¶192, 194).

U.S. Patent No. 8,365,272 - SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE

• Issued: January 29, 2013
• Technology Synopsis: Related to the '079 patent, this patent is also directed toward receiving data, translating between an application address and an internal address, and isolating the internal address. (Compl. ¶30, 212).
• Asserted Claims: Claims 1-19 are asserted. (Compl. ¶208).
• Accused Features: The Symantec WAF is accused of infringing by using an address translation engine and a firewall to analyze and block malicious content based on a security policy. (Compl. ¶213).

III. The Accused Instrumentality

• Product Identification: The complaint identifies a broad range of Symantec products, including Symantec Endpoint Security Products (e.g., Symantec Endpoint Protection "SEP", SEP Cloud, SEP Mobile), Symantec Endpoint Encryption ("SEE") products, Symantec Network Security Products (e.g., Secure Web Gateway, Web Application Filter), and Norton Security Products (e.g., Norton Mobile Security). (Compl. ¶32-35, 48-49, 58).
• Functionality and Market Context: The accused products are alleged to form a comprehensive security ecosystem for protecting endpoints like PCs, Macs, and mobile devices. (Compl. ¶35, 38). The system is described as having a client-server architecture, where server components (e.g., "Cloud Servers" or management consoles) manage and push security policies and commands to client components (e.g., a "Public Mobile App" or agent) installed on end-user devices. (Compl. ¶37, 69). The complaint alleges these products provide layered protection against malware, network threats, and exploits through features like firewalls, antivirus scanning, threat detection, and policy enforcement for removable media. (Compl. ¶36, 48). A diagram in the complaint illustrates the "Symantec Endpoint Security Portfolio for the Cloud Generation," showing how components like SEP and SEP Mobile interact between a data center, roaming users, and personal devices. (Compl. ¶68).

IV. Analysis of Infringement Allegations

’488 Patent Infringement Allegations

• Identified Points of Contention:
  • Scope Questions: A central question may be whether sending a command from a cloud server to an application that is allegedly kept "running in the background" (Compl. ¶42) constitutes "waking" a device from a "power management mode" as contemplated by the patent. The analysis may turn on whether the accused app is truly in a low-power state before receiving the command.
  • Technical Questions: The complaint's theory appears to equate any remote security command with a "wake event" and "wake signal." A potential point of contention is whether the accused system's operation matches the patent's specific sequence of detecting an idle state first, and then initiating a security action in response to that idle state.

’202 Patent Infringement Allegations

• Identified Points of Contention:
  • Technical Questions: The complaint makes the conclusory allegation that the accused products operate by "injection of redirection code" (Compl. ¶90), but the provided marketing materials do not describe this specific technical mechanism. The infringement analysis will likely require evidence of how the SEE products technically implement their policy enforcement, raising the question of whether they use the claimed method of intercepting and replacing function calls or an alternative method such as OS-level file system filters.
  • Scope Questions: The dispute may focus on the scope of the term "injecting redirection code." The patent specification describes a specific technical approach, and a key question will be whether Symantec's method of enforcing access control, even if achieving a similar result, falls within the patent's claimed technical implementation.

V. Key Claim Terms for Construction

For the ’488 Patent

• The Term: "wake event"
• Context and Importance: The definition of this term is critical, as it is the trigger for the entire claimed method. Practitioners may focus on this term because its construction will determine whether a routine administrative command qualifies as the specific type of event contemplated by the patent, or if the event must be intrinsically related to the mobile device's power state.
• Intrinsic Evidence for Interpretation:
  • Evidence for a Broader Interpretation: The specification discloses that a wake event can include "receiving data over a network," which could be interpreted broadly to cover any incoming command from the security server. (’488 Patent, col. 4:5-10).
  • Evidence for a Narrower Interpretation: The patent's abstract and summary consistently frame the "wake event" as the trigger for waking a device from a power management mode, suggesting the event is one that occurs while the device is already idle, not one that simply initiates a task on an active device. (’488 Patent, Abstract).

For the ’202 Patent

• The Term: "injecting redirection code"
• Context and Importance: This term describes the core technical mechanism of the invention. Practitioners may focus on this term because the infringement case depends on whether the accused SEE products actually perform this specific action. If they enforce policies through other means (e.g., native OS controls, driver-level filtering without "injection"), infringement may be avoided.
• Intrinsic Evidence for Interpretation:
  • Evidence for a Broader Interpretation: The patent does not appear to provide significant language supporting a broad, non-technical interpretation of this term.
  • Evidence for a Narrower Interpretation: The specification describes the redirection module as comprising an "interceptor" that replaces operating system function calls. (Compl. Ex. 2, ’202 Patent, Fig. 20-21; col. 6:30-45). This suggests a specific implementation involving the modification or hooking of OS-level functions, rather than a more general form of policy enforcement.

VI. Other Allegations

• Indirect Infringement: The complaint alleges that Symantec induces infringement by instructing and encouraging its customers to use the accused products in an infringing manner. (Compl. ¶61). This inducement is allegedly supported by Symantec's maintenance of websites with guides and operating instructions on how to configure and use the infringing security features of the accused products. (Compl. ¶79-80, 97-98).

VII. Analyst’s Conclusion: Key Questions for the Case

• A key evidentiary question will be one of technical mechanism: for the '202 patent, what is the precise method by which Symantec’s Endpoint Encryption products enforce access policies on removable media? The case may turn on whether this method involves "injecting redirection code" to intercept and replace function calls, as claimed, or utilizes an alternative, non-infringing technical approach.
• A core issue will be one of definitional scope: for the '488 patent family, can a routine security command sent from a cloud server to an application running in the background on a mobile device be construed as detecting a "wake event" and providing a "wake signal" to rouse the device from a "power management mode," as required by the claims?
• A foundational issue for the litigation is the impact of the subsequent IPR proceedings. Given that a substantial portion of the asserted claims across most of the patents-in-suit have been cancelled since the complaint was filed, a central question will be the viability and scope of the infringement case based on the claims that survived review.