DCT

1:21-cv-00201

Sable Networks Inc v. Check Point Software Tech Ltd


I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:21-cv-00201, D. Del., 02/12/2021
  • Venue Allegations: Venue is alleged to be proper in the District of Delaware because Defendant Check Point Software Technologies, Inc. is a Delaware corporation and therefore resides in the district, and because Defendant Check Point Software Technologies Ltd. is a foreign entity.
  • Core Dispute: Plaintiff alleges that Defendant’s security appliances and related network management products infringe six patents related to granular data flow management, quality of service (QoS) enforcement, and behavioral traffic analysis.
  • Technical Context: The technology at issue addresses fundamental challenges in high-speed computer networking, focusing on methods to manage individual data streams ("flows") to guarantee performance and identify specific types of traffic without inspecting packet content.
  • Key Procedural History: The complaint alleges that Defendant had pre-suit knowledge of the patents-in-suit due to a series of infringement lawsuits Plaintiff filed against Defendant's direct competitors—including Cisco, Juniper, Fortinet, and Nokia—beginning in April 2020, asserting the same patents against similar products.

Case Timeline

| Date | Event |
| --- | --- |
| 2000-04-19 | Priority Date for U.S. Patent No. 6,954,431 |
| 2002-01-16 | Priority Date for U.S. Patent No. 6,977,932 |
| 2004-12-22 | Priority Date for U.S. Patent No. 8,243,593 |
| 2006-07-31 | Priority Date for U.S. Patent Nos. 8,085,775 and 8,817,790 |
| 2012-05-14 | Priority Date for U.S. Patent No. 9,774,501 |
| 2020-04-13 | Plaintiff files suit against Cisco Systems, Inc., beginning a series of lawsuits against Defendant's alleged competitors on the patents-in-suit |
| 2021-02-12 | Complaint Filing Date |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 6,954,431 - "Micro-Flow Management"

The Invention Explained

  • Problem Addressed: The patent describes the limitations of conventional network protocols like TCP/IP and ATM in providing granular Quality of Service (QoS) guarantees. These systems either rely on slow, complex signaling or group disparate data streams into 'composite flows,' which prevents efficient routing and makes it difficult to manage the performance of individual transmissions like a voice call or video stream ('431 Patent, col. 1:11-3:44).
  • The Patented Solution: The invention proposes managing network traffic on a "micro-flow" basis, where a micro-flow is a uniquely identifiable set of packets, such as a single TCP connection. State information, including quantified QoS descriptors for rate and delay, is communicated in the first packet of a micro-flow. This information is stored in switches along the path, allowing the network to apply specific service guarantees to that individual flow without the overhead of older protocols ('431 Patent, Abstract; col. 5:40-6:41).
  • Technical Importance: This approach allows network providers to offer differentiated, quantifiable service levels for individual data streams, which is critical for real-time applications like voice and video that are sensitive to delay and jitter (Compl. ¶23).

Key Claims at a Glance

  • The complaint asserts at least independent claim 1 (Compl. ¶103).
  • Claim 1 is a method for managing data traffic, comprising the key elements of:
    • Determining a capacity of a buffer containing a microflow based on a characteristic.
    • Assigning an acceptable threshold value for the buffer's capacity over a predetermined time.
    • Delegating a portion of available network bandwidth to the microflow.
    • Using the buffer for damping jitter associated with the microflow.

U.S. Patent No. 6,977,932 - "System and Method for Network Tunneling Utilizing Micro-Flow State Information"

The Invention Explained

  • Problem Addressed: The patent notes that conventional network tunneling protocols like Multi-Protocol Label Switching (MPLS) do not typically maintain state information for individual micro-flows within a larger tunnel (a Label Switched Path, or LSP). This makes it difficult to provide differentiated QoS for different flows within the same tunnel and creates processor-intensive tasks when collecting statistics or altering tunnel paths ('932 Patent, col. 1:11-2:5).
  • The Patented Solution: The invention introduces a two-tiered data structure: individual 'flow blocks' that maintain state information for each micro-flow, and 'aggregate flow blocks' (AFBs) that contain tunnel-specific information for the LSP. Each micro-flow's flow block includes an identifier that links it to the appropriate AFB. This architecture allows for efficient processing, as actions affecting the entire tunnel can be performed on the single AFB rather than searching through millions of individual flow blocks ('932 Patent, Abstract; col. 3:5-14).
  • Technical Importance: This method enables more efficient and scalable management of large-scale network tunnels by combining the benefits of granular micro-flow state with the efficiency of aggregate, tunnel-level control (Compl. ¶37-38).

Key Claims at a Glance

  • The complaint asserts at least independent claim 1 (Compl. ¶125).
  • Claim 1 is a method for network tunneling, comprising the key elements of:
    • Creating a flow block for a received first data packet of a micro-flow.
    • Storing a tunnel identifier for the micro-flow in the flow block, which identifies a selected network tunnel.
    • Indexing an aggregate flow block using the tunnel identifier.
    • Transmitting the data packet using the selected network tunnel based on tunnel-specific information from the aggregate flow block.
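
The two-tier layout summarized above, as an added illustrative sketch. It is not code from the patent, the complaint, or any accused product; the class names, the `select_tunnel` policy callback, and the next-hop and label fields are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, NamedTuple, Tuple


class FlowKey(NamedTuple):
    """5-tuple identifying one micro-flow (e.g. a single TCP/UDP connection)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass
class AggregateFlowBlock:
    """Tunnel-level state and statistics: one record per tunnel (LSP)."""
    next_hop: str
    out_label: int
    packets: int = 0
    byte_count: int = 0


@dataclass
class FlowBlock:
    """Per-micro-flow state: holds a tunnel identifier, not the tunnel data."""
    tunnel_id: int
    packets: int = 0
    byte_count: int = 0


class TunnelForwarder:
    def __init__(self, select_tunnel: Callable[[FlowKey], int]):
        self.flows: Dict[FlowKey, FlowBlock] = {}
        self.afbs: Dict[int, AggregateFlowBlock] = {}
        self.select_tunnel = select_tunnel  # hypothetical tunnel-selection policy

    def add_tunnel(self, tunnel_id: int, next_hop: str, out_label: int) -> None:
        self.afbs[tunnel_id] = AggregateFlowBlock(next_hop, out_label)

    def forward(self, key: FlowKey, length: int) -> Tuple[str, int]:
        fb = self.flows.get(key)
        if fb is None:  # first packet of the micro-flow: create its flow block
            tunnel_id = self.select_tunnel(key)
            if tunnel_id not in self.afbs:
                raise KeyError(f"no aggregate flow block for tunnel {tunnel_id}")
            fb = self.flows[key] = FlowBlock(tunnel_id)
        afb = self.afbs[fb.tunnel_id]  # index the AFB by the stored identifier
        fb.packets += 1
        fb.byte_count += length
        afb.packets += 1
        afb.byte_count += length
        return afb.next_hop, afb.out_label  # tunnel-specific forwarding info

    def reroute_tunnel(self, tunnel_id: int, next_hop: str, out_label: int) -> None:
        """Tunnel-wide change: one AFB write, no walk over the flow table."""
        afb = self.afbs[tunnel_id]
        afb.next_hop, afb.out_label = next_hop, out_label
```

Because each flow block stores only the identifier, a reroute takes effect for every existing micro-flow on its next packet while the per-flow counters are left untouched.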

U.S. Patent No. 8,085,775 - "Identifying Flows Based On Behavior Characteristics And Applying User-Defined Actions"

  • Technology Synopsis: This patent addresses the problem of identifying specific types of traffic (e.g., P2P, VoIP) when traditional methods like inspecting packet headers or port numbers are ineffective because traffic can be disguised ('775 Patent, col. 1:12-2:30). The solution is to identify flows by analyzing 'payload-content agnostic behavioral statistics'—such as byte count, flow duration, and average packet rate—and applying user-defined policies and actions based on this observed behavior ('775 Patent, Abstract; Compl. ¶45).
  • Asserted Claims: At least independent claim 1 (Compl. ¶154).
  • Accused Features: The complaint alleges that Check Point's Smart-1 Security Appliances and Security Gateway devices create flow blocks, store and update payload-content agnostic behavioral statistics, and heuristically apply user-specified policies based on those statistics (Compl. ¶139, 143-147).

U.S. Patent No. 8,243,593 - "Mechanism for Identifying and Penalizing Misbehaving Flows in a Network"

  • Technology Synopsis: This patent discloses methods for identifying and controlling 'less desirable network traffic' that may be disguised ('593 Patent, Abstract; Compl. ¶58-59). The system tracks behavioral statistics of a data flow to determine if it is 'undesirable' and then takes action to penalize that flow, such as by increasing its probability of being dropped. A key aspect is that this determination can be made regardless of the presence or absence of network congestion ('593 Patent, Abstract; Compl. ¶64).
  • Asserted Claims: At least independent claim 4 (Compl. ¶179).
  • Accused Features: The complaint accuses Check Point's DDoS Protector Appliances and related cloud services of maintaining and updating behavioral statistics to determine if a flow exhibits undesirable behavior and enforcing a penalty in response (Compl. ¶168, 174-178).

U.S. Patent No. 8,817,790 - "Identifying Flows Based on Behavior Characteristics and Applying User-Defined Actions"

  • Technology Synopsis: As a continuation of the '775 patent, this patent further develops the concept of identifying undesirable traffic by analyzing behavior rather than payload content ('790 Patent, col. 1:8-16). The invention describes categorizing a flow into one or more 'traffic types' by determining if its header-independent statistics match predefined profiles, and then performing an operation on the flow's packets based on that traffic type (Compl. ¶75-76).
  • Asserted Claims: At least independent claim 1 (Compl. ¶205).
  • Accused Features: The complaint targets Check Point's Smart-1 Security Appliances and Security Gateway devices, alleging they use header-independent statistics (bit rate, packet counts) for traffic classification, store these statistics in a flow block, and categorize flows into traffic types to determine which operations to perform (Compl. ¶193, 199-204).
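
The behavior-based classification idea described in the '775 and '790 synopses, as an added illustrative sketch. It is not code from the patents, the complaint, or any accused product; the profile names, thresholds, actions, and sample packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class FlowStats:
    """Statistics built from packet sizes and arrival times only, never payload."""
    first_ts: float
    last_ts: float
    packets: int = 0
    byte_count: int = 0

    def update(self, ts: float, length: int) -> None:
        self.first_ts = min(self.first_ts, ts)
        self.last_ts = max(self.last_ts, ts)
        self.packets += 1
        self.byte_count += length

    @property
    def duration(self) -> float:
        return self.last_ts - self.first_ts

    @property
    def avg_pkt_rate(self) -> float:
        # A flow seen at a single instant has no meaningful rate yet.
        return self.packets / self.duration if self.duration > 0 else 0.0

    @property
    def avg_pkt_size(self) -> float:
        return self.byte_count / self.packets if self.packets else 0.0


# User-defined profiles: (traffic type, predicate over stats, action).
# Thresholds are constructed for illustration only.
PROFILES = [
    ("bulk-transfer",
     lambda s: s.byte_count >= 1_000_000 and s.avg_pkt_size >= 1000, "rate-limit"),
    ("voice-like",
     lambda s: s.duration >= 5 and 30 <= s.avg_pkt_rate <= 70
     and s.avg_pkt_size <= 300, "prioritize"),
]

# Constructed sample input: (flow id, timestamp in seconds, packet length).
SAMPLE_PACKETS = (
    [("A", i * 0.02, 160) for i in range(301)]       # steady small packets, 6 s
    + [("B", i * 0.002, 1400) for i in range(1000)]  # short burst of large packets
    + [("C", 0.0, 60), ("C", 0.5, 60), ("C", 1.0, 60)]
)


def classify_flows(packets: Iterable[Tuple[str, float, int]]
                   ) -> Dict[str, List[Tuple[str, str]]]:
    """Return, per flow, every (traffic type, action) whose profile matches."""
    table: Dict[str, FlowStats] = {}
    for flow_id, ts, length in packets:
        stats = table.setdefault(flow_id, FlowStats(ts, ts))
        stats.update(ts, length)
    return {fid: [(name, action) for name, match, action in PROFILES if match(s)]
            for fid, s in table.items()}
```

A flow that matches no profile, such as the three-packet flow `C`, gets an empty list, so a default policy decides what happens to it.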

U.S. Patent No. 9,774,501 - "System and Method for Ensuring Subscriber Fairness Using Outlier Detection"

  • Technology Synopsis: This patent addresses the problem of 'outlier' users consuming a disproportionate amount of network resources ('501 Patent, col. 1:21-31). The solution is a system that monitors subscriber usage across various attributes (e.g., flow count, byte count), uses outlier detection logic to identify users who exceed normal usage patterns, assigns those users to a 'flow-count band,' and applies a 'mitigating action' to restrict their access to network resources ('501 Patent, Abstract; Compl. ¶80-86).
  • Asserted Claims: At least independent claim 1 (Compl. ¶232).
  • Accused Features: The complaint alleges that Check Point's Security Gateway devices monitor stream data, derive flow-count histories, apply an outlier detection algorithm, assign users to a flow-count band, and apply a mitigating action based on that band (Compl. ¶219, 220-223, 228).

III. The Accused Instrumentality

Product Identification

  • The complaint identifies several categories of accused products:
    • Check Point Smart-1 Security Appliances and Security Appliances with Gaia OS R80.10 and later ('431, '775, '790 Patents) (Compl. ¶91, 139, 193).
    • Check Point Quantum Spark 1500, 1600, and 1800 Appliance Series ('932 Patent) (Compl. ¶114).
    • Check Point DDoS Protector Appliances and related cloud services ('593 Patent) (Compl. ¶168).
    • Check Point Security Gateway devices with Gaia OS R80.20 and later ('501 Patent) (Compl. ¶219).

Functionality and Market Context

  • The accused products are network security and management appliances that provide firewall, threat prevention, and data traffic management functions for enterprise networks. The complaint alleges these devices perform granular, flow-based traffic management, including creating and managing flow blocks, determining and enforcing QoS, implementing network tunneling, and analyzing traffic behavior to identify specific flow types or outlier users (Compl. ¶93-99, 117-122, 143-151, 174-178, 199-204, 220-228).
  • The complaint provides a table of Plaintiff's "S-Series Products" which lists technical specifications for flow-based service controllers, providing context for the commercial application of the patented technology in high-throughput network devices (Compl. p. 7).

IV. Analysis of Infringement Allegations

U.S. Patent No. 6,954,431 Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| determining a capacity of a buffer containing a microflow based on a characteristic; | The accused products determine the capacity of a buffer containing a micro-flow based on a characteristic. | ¶94 | col. 10:45-54 |
| assigning an acceptable threshold value for the capacity of the buffer over a predetermined period of time; | The accused products assign an acceptable threshold value for the capacity of the buffer over a predetermined period of time. | ¶95 | col. 10:45-54 |
| delegating a portion of available bandwidth in the network to the microflow; | The accused products delegate a portion of available bandwidth in the network to the micro-flow. | ¶96 | col. 10:20-34 |
| and using the buffer for damping jitter associated with the microflow. | The accused products use the buffer for damping jitter, which is described as limiting delay variance. | ¶98-99 | col. 10:55-67 |

  • Identified Points of Contention:
    • Scope Questions: The case may turn on whether the general-purpose buffering and bandwidth allocation functions in a modern security appliance perform the specific, quantified QoS management steps required by the claims. A question for the court could be whether the term "damping jitter", as described in the patent in the context of achieving "extremely small" delay variation for voice calls, reads on the general jitter-limiting capabilities of the accused product's buffers.
    • Technical Questions: A factual question may be what specific "characteristic" the accused products use to "determine" buffer capacity, as alleged in the complaint, and whether this aligns with the patent's disclosure of using parameters like a "packet discard time limit" to ensure buffer availability.

U.S. Patent No. 6,977,932 Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| creating a flow block having flow state information for a received first data packet of a micro-flow; | The accused products create a flow block with flow state information upon receiving the first data packet of a micro-flow. | ¶118 | col. 10:35-41 |
| storing a tunnel identifier for the micro-flow in the flow block, the tunnel identifier identifying a selected network tunnel to be used to transmit the data packet; | The accused products store a tunnel identifier in the flow block that identifies the selected network tunnel for the packet. | ¶119 | col. 10:42-45 |
| indexing an aggregate flow block using the tunnel identifier, the aggregate flow block having tunnel specific information for the selected network tunnel; and | The accused products index an aggregate flow block using the tunnel identifier, with the aggregate block containing tunnel-specific information and statistics. | ¶120-121 | col. 11:36-40 |
| transmitting the data packet using the selected network tunnel based on the tunnel specific information. | The accused products transmit data packets using the selected tunnel based on the tunnel-specific information. | ¶122 | col. 11:41-45 |

  • Identified Points of Contention:
    • Scope Questions: A central dispute may be whether the data structures used by Check Point's appliances to manage network tunnels correspond to the claimed two-tiered "flow block" and "aggregate flow block" architecture. The definition of an "aggregate flow block" that stores both "tunnel specific information" and "statistics" will be critical.
    • Technical Questions: An evidentiary question will be whether the accused products actually "index" a separate aggregate data structure using a "tunnel identifier" stored in a micro-flow data structure, as claimed, or if they use a different architectural method for associating flows with tunnels that does not map onto the claimed steps.

V. Key Claim Terms for Construction

  • The Term: "microflow" ('431 Patent, Claim 1)

  • Context and Importance: This term appears in all asserted patents and is fundamental to the technology. Its construction will determine whether the data streams managed by the accused products qualify as "microflows," which is a prerequisite for infringement of numerous claims. Practitioners may focus on this term because if Defendant's system operates on a different level of granularity (e.g., only on aggregate traffic or per-user policies), infringement may be avoided.

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The specification defines a micro-flow as "a uniquely identifiable set of data signals that typically have the same open system interconnection model network layer and transport layer characteristics" ('431 Patent, col. 5:44-49). This language could support a broad definition covering any standard TCP/UDP connection.
    • Evidence for a Narrower Interpretation: The patent repeatedly ties the concept of a micro-flow to a set of specific, quantified QoS descriptors (e.g., guaranteed rate, delay variation) that characterize its behavior ('431 Patent, col. 5:50-54). A defendant may argue that a data stream only qualifies as a "microflow" if it is managed using this specific set of disclosed QoS parameters.
  • The Term: "aggregate flow block" ('932 Patent, Claim 1)

  • Context and Importance: This term is the central feature of the '932 patent's claimed solution for efficient tunnel management. Infringement hinges on whether the accused products utilize a data structure that meets this definition. The dispute will likely center on the structural and functional requirements of this claimed element.

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The patent broadly states that the AFB includes "tunnel specific information" and "statistics for the selected network tunnel" ('932 Patent, Abstract). This could be interpreted to cover any data structure that aggregates information about a network tunnel.
    • Evidence for a Narrower Interpretation: The patent describes the AFB as a distinct entity that is "indexed using the tunnel identifier" stored in a separate "flow block" ('932 Patent, Claim 1). A defendant may argue that this requires a specific two-tiered, pointer-based data architecture, and that a more integrated data structure that combines flow and tunnel information would not infringe.

VI. Other Allegations

  • Indirect Infringement: For each asserted patent, the complaint alleges induced infringement. The allegations are based on Defendant providing products capable of infringement and then distributing documentation, user manuals, and training materials that allegedly instruct customers on how to use the products in an infringing manner (e.g., Compl. ¶109, 133).
  • Willful Infringement: The complaint alleges willful infringement for all asserted patents. The basis for willfulness is alleged pre-suit knowledge. Plaintiff alleges that Defendant, as a direct competitor to companies like Cisco, Juniper, and Fortinet, monitors patent litigation in the field and was therefore aware of Plaintiff's patents and infringement allegations against similar products well before this suit was filed, with the earliest alleged knowledge date being April 13, 2020 (e.g., Compl. ¶105-107, 110).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of structural correspondence: Do the data structures and traffic management architectures within Check Point’s Gaia OS map onto the specific, multi-part data structures required by the patent claims (e.g., the "micro-flow" with quantified QoS descriptors or the two-tiered "flow block" and "aggregate flow block" system), or is there a fundamental architectural mismatch?
  • A key evidentiary question will be one of functional operation: For the patents concerning behavioral analysis, does the accused products' traffic classification system rely on the claimed "payload-content agnostic behavioral statistics" as a primary mechanism for identifying traffic types and outliers, or does it primarily use other methods like deep packet inspection or signatures, with behavioral metrics serving an ancillary role?
  • A critical legal and factual question will be one of pre-suit knowledge and intent: Can Plaintiff prove that Defendant not only knew of the patents but also had a basis to believe its own products infringed because of the widespread, public litigation against its direct competitors, providing the requisite foundation for a finding of willful infringement?