DCT

1:24-cv-00202

Cupp Cybersecurity LLC v. Gen Digital Inc

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 19-cv-00298, N.D. Cal., 02/13/2019
  • Venue Allegations: Venue is based on Defendant's corporate headquarters being located in Mountain View, California, within the Northern District of California, where it conducts business.
  • Core Dispute: Plaintiff alleges that Defendant’s endpoint and network security products, including the Symantec Endpoint and Norton Security product lines, infringe nine U.S. patents related to mobile device security, power management, and real-time data monitoring.
  • Technical Context: The technology at issue falls within the cybersecurity sector, specifically concerning methods for protecting mobile devices and computers from malware, network threats, and unauthorized data access, a market of significant importance for both enterprise and consumer users.
  • Key Procedural History: The complaint does not mention prior litigation. However, Inter Partes Review (IPR) proceedings were subsequently filed against the asserted patents. These proceedings resulted in the cancellation of numerous asserted claims across several patents, including independent claims of the ’488, ’683, ’595, ’164, ’079, and ’272 patents. The outcomes of these IPRs will substantially narrow the scope of the dispute to the claims that survived the challenges.

Case Timeline

| Date | Event |
|---|---|
| 2007-05-30 | Earliest Priority Date for U.S. Patent No. 8,365,272 |
| 2008-05-30 | Earliest Priority Date for U.S. Patent Nos. 9,781,164, 9,756,079, 9,747,444 |
| 2008-08-04 | Earliest Priority Date for U.S. Patent Nos. 8,631,488, 9,106,683, 9,843,595, 10,084,799 |
| 2008-11-19 | Earliest Priority Date for U.S. Patent No. 8,789,202 |
| 2013-01-29 | U.S. Patent No. 8,365,272 Issues |
| 2014-01-14 | U.S. Patent No. 8,631,488 Issues |
| 2014-07-22 | U.S. Patent No. 8,789,202 Issues |
| 2015-08-11 | U.S. Patent No. 9,106,683 Issues |
| 2017-08-29 | U.S. Patent No. 9,747,444 Issues |
| 2017-09-05 | U.S. Patent No. 9,756,079 Issues |
| 2017-10-03 | U.S. Patent No. 9,781,164 Issues |
| 2017-12-12 | U.S. Patent No. 9,843,595 Issues |
| 2018-09-25 | U.S. Patent No. 10,084,799 Issues |
| 2019-02-13 | Complaint Filed |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,631,488 - "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE"

  • Patent Identification: U.S. Patent No. 8,631,488, "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE," issued January 14, 2014 (’488 Patent).

The Invention Explained

  • Problem Addressed: The patent describes the security vulnerability of mobile devices when they operate outside a protected enterprise network and notes that conventional security measures require the device to be fully powered on, which is inefficient for battery-powered devices often in a low-power or "sleep" state (’488 Patent, col. 2:38-68).
  • The Patented Solution: The invention proposes a separate "mobile security system," potentially a piece of hardware, that operates independently of the mobile device's main processor. This security system can detect a "wake event," send a signal to wake the mobile device (or a portion of it) from a low-power mode, and then use its own processor to execute security tasks like malware scanning, thereby conserving the mobile device's power (’488 Patent, Abstract; col. 4:13-24).
  • Technical Importance: This architecture allows for the performance of essential security maintenance on mobile devices even when they are in a power-saving mode, addressing a practical challenge in securing intermittently active devices (’488 Patent, Abstract).

Key Claims at a Glance

  • The complaint asserts independent Claim 1 and dependent claims 2-20 (Compl. ¶66).
  • The essential elements of independent Claim 1 include:
    • Detecting a wake event by a mobile security system processor of a mobile security system.
    • Providing a wake signal from the mobile security system to a mobile device, where the mobile device has a processor different from the mobile security system processor.
    • The wake signal is in response to the wake event and wakes at least a portion of the mobile device from a power management mode.
    • After providing the wake signal, executing security instructions by the mobile security system processor to manage security services for the mobile device.
  • The complaint reserves the right to assert other claims, though many asserted claims, including independent claim 1, were subsequently cancelled in an IPR proceeding.

U.S. Patent No. 8,789,202 - "SYSTEMS AND METHODS FOR PROVIDING REAL TIME ACCESS MONITORING OF A REMOVABLE MEDIA DEVICE"

  • Patent Identification: U.S. Patent No. 8,789,202, "SYSTEMS AND METHODS FOR PROVIDING REAL TIME ACCESS MONITORING OF A REMOVABLE MEDIA DEVICE," issued July 22, 2014 (’202 Patent).

The Invention Explained

  • Problem Addressed: The patent addresses the security risks posed by connecting removable media, such as USB flash drives, to a host computer, which can lead to malware infections or unauthorized data transfer (’202 Patent, col. 2:40-48).
  • The Patented Solution: The invention describes a method where, upon connection of a removable media device, "redirection code" is injected into the host computer's operating system. This code intercepts function calls related to data access on the removable media, allowing a security policy to be enforced (e.g., by performing content analysis) before the requested data operation is allowed to proceed (’202 Patent, Abstract; col. 3:20-36).
  • Technical Importance: This approach enables real-time, policy-based, and content-aware monitoring of data transfers involving removable media, offering more granular control than simple device blocking (’202 Patent, Abstract).

Key Claims at a Glance

  • The complaint asserts independent Claim 1 and dependent claims 2-10 and 21 (Compl. ¶88).
  • The essential elements of independent Claim 1 include:
    • Detecting a removable media device coupled to a digital device.
    • Injecting redirection code into the digital device, where the code is configured to intercept a first function call and execute a second function call in its place.
    • Intercepting a request for data on the removable media device using the redirection code.
    • Determining whether to allow the request based on a security policy that implements content analysis and risk assessment.
    • Providing the requested data based on that determination.
  • The complaint reserves the right to assert other claims.

Multi-Patent Capsules

  • U.S. Patent No. 9,106,683 - "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE"

    • Patent Identification: U.S. Patent No. 9,106,683, "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE," issued August 11, 2015.
    • Technology Synopsis: This patent is related to the ’488 Patent and describes a mobile security system with its own processor that detects a wake event on a mobile device and sends a wake signal to bring it out of a low-power mode to perform security services (Compl. ¶16).
    • Asserted Claims: Claims 1-20 (Compl. ¶106).
    • Accused Features: The complaint accuses Symantec's Endpoint and Norton Security products, alleging that the cloud server components act as the "mobile security system" to manage security services on client devices (Compl. ¶¶109, 111, 112).
  • U.S. Patent No. 9,843,595 - "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE"

    • Patent Identification: U.S. Patent No. 9,843,595, "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE," issued December 12, 2017.
    • Technology Synopsis: This patent describes a security system that communicates with a security agent on a remote mobile device. The system detects a wake event, sends a wake signal to the agent to bring the device out of a power management mode, and instructs the agent to perform security services (Compl. ¶19).
    • Asserted Claims: Claims 1-30 (Compl. ¶129).
    • Accused Features: The complaint accuses Symantec's security products, where a management server and security agents on devices allegedly coordinate to detect events and perform security operations (Compl. ¶¶132, 134, 135).
  • U.S. Patent No. 9,781,164 - "SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY TO MOBILE DEVICES"

    • Patent Identification: U.S. Patent No. 9,781,164, "SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY TO MOBILE DEVICES," issued October 3, 2017.
    • Technology Synopsis: This patent is directed to a security system that provides services to a mobile device and is managed by an IT administrator system. The system can process remote commands from the administrator to update security code, policies, or data (Compl. ¶22).
    • Asserted Claims: Claims 1-18 (Compl. ¶152).
    • Accused Features: The complaint accuses Symantec's products that use a framework of applying policies based on user, device, and location, and which allow IT administrators to control and update security policies on devices (Compl. ¶¶155, 157, 161).
  • U.S. Patent No. 9,756,079 - "SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE"

    • Patent Identification: U.S. Patent No. 9,756,079, "SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE," issued September 5, 2017.
    • Technology Synopsis: The patent describes a system for firewall protection that uses an address translation engine to translate between an application's internal address and an external network address. A driver forwards packets to a firewall that rejects or allows them based on whether they contain malicious content according to a security policy (Compl. ¶25).
    • Asserted Claims: Claims 1-12 (Compl. ¶174).
    • Accused Features: The complaint accuses Symantec's Web Application Firewall (WAF) products, which conduct threat analysis on inbound/outbound packets to protect from malicious content and use an address translation engine (Compl. ¶¶177, 179).
  • U.S. Patent No. 9,747,444 - "SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY TO MOBILE DEVICES"

    • Patent Identification: U.S. Patent No. 9,747,444, "SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY TO MOBILE DEVICES," issued August 29, 2017.
    • Technology Synopsis: This patent describes a security system that stores a policy identifying trusted networks. The policy defines whether to forward network data to a mobile device with or without scanning for malicious content, depending on whether the mobile device is on a trusted network (Compl. ¶28).
    • Asserted Claims: Claims 1-21 (Compl. ¶190).
    • Accused Features: The complaint accuses Symantec products with location-aware features that can determine if a device is on a trusted corporate network and apply different policies accordingly (Compl. ¶¶193, 195, 197).
  • U.S. Patent No. 8,365,272 - "SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE"

    • Patent Identification: U.S. Patent No. 8,365,272, "SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE," issued January 29, 2013.
    • Technology Synopsis: This patent is related to the ’079 patent and describes a system for providing a firewall with dynamic address isolation by translating between an application address and a public address, and using a firewall to reject or allow packets based on a security policy (Compl. ¶31).
    • Asserted Claims: Claims 1-19 (Compl. ¶211).
    • Accused Features: The complaint accuses Symantec's Web Application Firewall (WAF) products for their use of address translation and policy-based filtering of network traffic (Compl. ¶¶214, 216).
  • U.S. Patent No. 10,084,799 - "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE"

    • Patent Identification: U.S. Patent No. 10,084,799, "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE," issued September 25, 2018.
    • Technology Synopsis: This patent is related to the ’488 family and describes a security system that detects a wake event on a mobile device that is in a power management mode. In response, it sends a wake signal to the device to trigger the performance of one or more security services (Compl. ¶33).
    • Asserted Claims: Claims 1-25 (Compl. ¶235).
    • Accused Features: The complaint accuses Symantec's endpoint security products, alleging that their client-server architecture for managing mobile devices performs the claimed steps (Compl. ¶¶238, 240, 241).

III. The Accused Instrumentality

Product Identification

  • The accused products collectively include Symantec Endpoint Security Products, Symantec Network Security Products, Symantec's Endpoint Encryption product(s), and Norton Security Products (Compl. ¶63). Specific product lines mentioned are Symantec Endpoint Protection ("SEP"), SEP Cloud, SEP Mobile, Symantec Endpoint Encryption ("SEE"), and Norton Mobile Security (Compl. ¶¶37, 38, 41, 44, 51).

Functionality and Market Context

  • The accused products form a suite of cybersecurity solutions for enterprise and consumer markets (Compl. ¶35). They operate on a client-server model, where a client agent installed on an endpoint device (computer, server, or mobile device) communicates with server components (on-premise or cloud-based) that manage security policies (Compl. ¶39). The system provides layered protection, including antivirus, firewall, intrusion prevention, and mobile threat defense (Compl. ¶¶38, 39, 44). The "SEP Mobile" solution, for example, is described as having a "Public Mobile App" on the user's device and "Cloud Servers" that perform analysis and policy enforcement (Compl. ¶72). A diagram from Symantec marketing illustrates the architecture of "SEP Mobile," showing the interaction between the mobile application and cloud-based servers that provide services like deep analysis and policy enforcement (Compl. ¶72, p. 27).

IV. Analysis of Infringement Allegations

’488 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| detecting by a mobile security system processor of a mobile security system a wake event | The accused products' Cloud Servers, alleged to be the "mobile security system," predict and detect threats on mobile devices, which are alleged to constitute wake events. | ¶72 | col. 4:13-14 |
| providing from the mobile security system a wake signal to a mobile device, the mobile device having a mobile device processor different than the mobile security system processor... | The Cloud Servers include a processor and send security instructions to the Public Mobile App, which runs on the mobile device's separate processor. | ¶72 | col. 4:15-18 |
| ...the wake signal being in response to the wake event and adapted to wake at least a portion of the mobile device from a power management mode | The security instructions from the Cloud Servers can allegedly change the mobile device's status from a low-power (sleep) state to an active state to perform a security operation. | ¶¶73, 74 | col. 4:18-21 |
| after providing the wake signal to the mobile device, executing security instructions by the mobile security system processor to manage security services configured to protect the mobile device... | The Cloud Servers (the alleged "mobile security system") execute instructions to provide managed security services like remote wipe, passcode lock, and automated policy enforcement. | ¶¶72, 74, 75 | col. 4:22-24 |

  • Identified Points of Contention:
    • Scope Questions: The patent’s specification and figures appear to describe the "mobile security system" as a physical hardware device separate from, but connected to, the mobile device (’488 Patent, Abstract; Fig. 10A-10C). A primary point of contention may be whether Symantec's remote "Cloud Servers" can meet the definition of this term, particularly the requirement that its processor be "different than" the mobile device processor in the manner contemplated by the patent.
    • Technical Questions: A key factual question may be whether a push notification or data packet sent from a cloud server to an application on a mobile device performs the function of a "wake signal" that brings the device out of a "power management mode" as claimed, or if it represents standard network communication with an already-active device or application.

’202 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| detecting a removable media device coupled to a digital device | Symantec Endpoint Encryption products are alleged to detect when a removable media device is connected to a computer. | ¶92 | col. 4:1-2 |
| injecting redirection code into the digital device after detecting that the removable media device is coupled to the digital device, the redirection code configured to intercept a first function call... | The accused products are alleged to consist of components like a Management Agent that allow for the injection of redirection code when removable media is attached. | ¶¶92, 93 | col. 4:3-7 |
| intercepting, with the redirection code, a request for data on the removable media device | The injected code allegedly intercepts user or application requests for data on the removable media. | ¶92 | col. 4:8-9 |
| determining whether to allow the intercepted request for data based on a security policy, the security policy implementing content analysis and risk assessment algorithms | The accused products enforce security policies, such as requiring encryption or scanning content, to determine if access to data on the removable media device should be permitted. | ¶¶51, 92 | col. 4:10-12 |
| providing requested data based on the determination | Based on the policy determination, the system either allows or denies the request to access data. | ¶92 | col. 4:13-14 |

  • Identified Points of Contention:
    • Scope Questions: The construction of "injecting redirection code" will be critical. The question may arise whether configuring a pre-installed file system filter driver or security agent to monitor a device constitutes "injecting" code, or if the claim requires a more dynamic insertion of new code into the operating system's processes upon device connection, as some embodiments in the patent suggest (’202 Patent, Fig. 22).
    • Technical Questions: The complaint alleges the accused products perform the claimed steps, but a factual dispute may emerge over the precise technical mechanism. The question is whether Symantec's products actually "intercept a first function call and... execute a second function call in place of the first function call," or whether they use a different method of policy enforcement that does not map onto this specific claimed functionality. A screenshot from a user manual for Symantec Endpoint Encryption shows options for "Removable Media Encryption," illustrating the product's relevant functionality (Compl. ¶93, p. 34).

V. Key Claim Terms for Construction

  • For the ’488 Patent and related family:

    • The Term: "mobile security system"
    • Context and Importance: This term is the central component of the power management inventions. The plaintiff's infringement theory hinges on Symantec's remote "Cloud Servers" qualifying as this system. The term's construction will determine if a software-based, client-server architecture can infringe claims that appear to describe a distinct hardware appliance.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The specification suggests the system could be an "add-on to existing software security" (’488 Patent, col. 5:61-63) and can "be generated from the relevant security policies of the enterprise" (’488 Patent, col. 5:55-58), language which may support a non-hardware or remote server interpretation.
      • Evidence for a Narrower Interpretation: The abstract explicitly refers to a "mobile security system (hardware)" (’488 Patent, Abstract). The detailed description repeatedly refers to it as a "small piece of hardware" and a "personal security appliance" (’488 Patent, col. 5:48-52), and figures show it as a physical box connected via USB or NIC to the mobile device (’488 Patent, Figs. 10A-10C), suggesting a physical, local device is required.
  • For the ’202 Patent and related family:

    • The Term: "injecting redirection code"
    • Context and Importance: This phrase describes the core technical mechanism for monitoring data access. The infringement case depends on whether the accused products' method of policy enforcement meets this definition. Practitioners may focus on this term because it distinguishes the invention from more conventional security architectures like pre-installed filter drivers.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The summary of the invention describes the goal broadly as using a "redirect driver operative to transfer a data transfer request... to the security device before executing the data transfer request," which could encompass various software routing mechanisms (’202 Patent, col. 3:29-33).
      • Evidence for a Narrower Interpretation: A figure in the patent depicts a process flow that includes "Inject DLLs to user processes" (’202 Patent, Fig. 22, step 2210). This specific embodiment suggests a dynamic process of loading new code into active system processes, which could support a narrower construction than simply activating features of an already-running security agent.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges induced infringement for all asserted patents. The basis for these allegations is that Symantec provides its customers with products and encourages their use through user manuals, online support guides, and marketing materials that allegedly instruct on the infringing operation of the products (Compl. ¶¶81-83, 99-101).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of architectural equivalence: Can the claimed "mobile security system," which the patent specification heavily implies is a distinct local hardware appliance, be construed to cover the accused products' distributed, software-based architecture of remote cloud servers and client-side agents? The viability of infringement allegations for the power management patents (’488, ’683, ’595, ’799) will likely depend on the answer.
  • A second key issue will be one of operational scope: Does the term "injecting redirection code," described in the context of intercepting specific function calls, read on the accused products' method of policy enforcement for removable media and network traffic? The court will need to determine if configuring a pre-existing agent or filter driver is equivalent to the dynamic code injection process described in the patents.
  • A threshold question for the entire litigation will be the viability of the asserted claims. Subsequent Inter Partes Review proceedings have resulted in the cancellation of a significant number of the claims asserted in this complaint, including several independent claims. The case will therefore be sharply focused on whether the remaining valid claims are infringed, which may present a fundamentally different and narrower dispute than the one initially pleaded.