DCT

1:25-cv-00889

Conexus LLC v. Fortra LLC

Log In
Key Events
Complaint
complaint

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:25-cv-00889, D. Del., 07/17/2025
  • Venue Allegations: Venue is alleged to be proper in the District of Delaware because Defendant is a Delaware corporation and maintains an established place of business in the District.
  • Core Dispute: Plaintiff alleges that Defendant’s unnamed software products infringe a patent related to detecting cybersecurity injection exploits.
  • Technical Context: The technology concerns methods for detecting malicious code injection attacks, such as SQL or OS command injection, by modeling legitimate application behavior and identifying deviations.
  • Key Procedural History: The complaint does not mention any prior litigation, inter partes review proceedings, or licensing history related to the patent-in-suit.

Case Timeline

Date Event
2019-04-09 U.S. Patent No. 11,736,499 Priority Date
2020-04-09 U.S. Patent No. 11,736,499 Application Filing Date
2023-08-22 U.S. Patent No. 11,736,499 Issue Date
2025-07-17 Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 11,736,499 - Systems and methods for detecting injection exploits

Issued August 22, 2023

The Invention Explained

  • Problem Addressed: The patent describes the problem of malicious "injection exploits" (e.g., SQL, NoSQL, OS command injection) where attackers send untrusted data to a web application’s interpreter as part of a command or query (’499 Patent, col. 4:17-23). This can lead to unauthorized data access, data theft, or the installation of malware like web shells (’499 Patent, col. 4:23-26).
  • The Patented Solution: The invention proposes a method that monitors web applications for the invocation of an "execution function"—a function that accepts external data (’499 Patent, Abstract). To detect malicious code, the system generates a "model of legitimate behavior" (e.g., an abstract syntax tree or a SQL parse tree) for that function and compares the application’s actual behavior against this model (’499 Patent, col. 4:40-48). An alert is generated if the actual behavior deviates from the legitimate model, such as when an injected command adds an unexpected new node to a parse tree (’499 Patent, Abstract; col. 28:11-19).
  • Technical Importance: The patent notes that web injection exploitation has been considered a top web application vulnerability, highlighting the need for effective detection methods beyond traditional security perimeters (’499 Patent, col. 4:20-22).

Key Claims at a Glance

  • The complaint does not specify which claims are asserted, instead referring to “Exemplary ’499 Patent Claims” identified in an unprovided exhibit (Compl. ¶11). Independent claim 1 is a representative method claim.
  • Independent Claim 1 requires:
    • Monitoring web applications and detecting the invocation of an "execution function" that accepts external free-form data.
    • Detecting malicious code by:
      • Generating a "model of legitimate behavior" after the function is invoked.
      • Comparing the "actual behavior" to this model.
      • Generating an alert when the actual behavior deviates from the model and "validating whether the deviation...is due to one or more functions that accept external input."
  • The complaint reserves the right to assert other claims, stating infringement of "one or more claims" (Compl. ¶11).

III. The Accused Instrumentality

Product Identification

The complaint does not name any specific accused products, referring to them generally as the “Exemplary Defendant Products” (Compl. ¶11). It states these products are identified in claim charts attached as Exhibit 2, which was not filed with the complaint (Compl. ¶16).

Functionality and Market Context

The complaint alleges that the Exemplary Defendant Products practice the technology claimed by the ’499 Patent (Compl. ¶16). It further alleges that Defendant has made, used, sold, offered for sale, and imported these products in the United States (Compl. ¶11). No other details regarding the products' specific functionality, operation, or market position are provided in the complaint.

IV. Analysis of Infringement Allegations

The complaint references claim charts in Exhibit 2 to support its infringement allegations, but this exhibit was not provided (Compl. ¶17). The complaint’s narrative theory states that the charts compare the claims to the Exemplary Defendant Products and demonstrate that the products "satisfy all elements" of the asserted claims (Compl. ¶16). Without the specific allegations from the charts, a detailed element-by-element analysis is not possible.

No probative visual evidence provided in complaint.

Identified Points of Contention

  • Scope Questions: A central issue may concern the scope of "model of legitimate behavior" as required by the claims (’499 Patent, col. 39:7). The dispute may focus on whether the accused products generate a dynamic, structural model (such as the Abstract Syntax Trees or SQL parse trees described in the patent's specification) or employ a different, non-infringing method of anomaly detection, such as static signature matching or statistical baselining (’499 Patent, col. 4:42-45).
  • Technical Questions: The infringement analysis raises the question of what evidence Plaintiff will present to show that the accused products perform the final step of claim 1: "validating whether the deviation of the actual behavior is due to one or more functions that accept external input" (’499 Patent, col. 39:11-14). Proving that the accused products perform this specific validation logic, as distinct from merely generating an alert, may be a key point of contention.

V. Key Claim Terms for Construction

The Term: "model of legitimate behavior"

  • Context and Importance: This term defines the core technical mechanism of the invention. The outcome of the case may depend on whether the accused products' method for detecting anomalies falls within the court's construction of this term. Practitioners may focus on this term because its construction will determine whether simpler, more common forms of security baselining are covered by the claims.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The claim language itself is abstract and does not specify the form of the model, which could support an argument that it covers any baseline representation of normal application activity used for comparison.
    • Evidence for a Narrower Interpretation: The specification repeatedly provides specific examples of the model, stating it "can include, but are not limited to, abstract syntax tree (AST), program dependency graph (PDG) and/or SQL parse tree" (’499 Patent, col. 4:42-45). A party could argue these examples define the scope of the invention and limit the term to structured, grammatical, or dependency-based models.

The Term: "execution function"

  • Context and Importance: This term serves as the trigger for the patented method. Its definition determines which application activities are subject to the patented monitoring and analysis.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: Claim 1 provides a broad definition, stating it is "a function that accepts external free-form data values" (’499 Patent, col. 39:3-5). This could be argued to encompass a wide range of functions in a web application.
    • Evidence for a Narrower Interpretation: The detailed description lists specific examples of high-risk functions, including those that "execute SQL queries, NoSQL queries, LDAP queries, XPath, and XQuery" and methods that "accept user input such as GET, POST, etc." (’499 Patent, col. 4:32-35). A party may argue that the term should be understood in this more limited context of functions that directly process user input or execute database queries.

VI. Other Allegations

Indirect Infringement

The complaint alleges induced infringement, asserting that Defendant, with knowledge of the patent from the complaint, sells its products and distributes "product literature and website materials" that instruct end users to use the products in a manner that infringes the ’499 Patent (Compl. ¶¶14-15).

Willful Infringement

The complaint alleges that service of the complaint and its attached (but unprovided) claim charts gave Defendant "Actual Knowledge of Infringement" (Compl. ¶13). It further alleges that Defendant's continued infringement despite this knowledge entitles Plaintiff to enhanced damages, forming a basis for a claim of post-suit willfulness (Compl. ¶14; Prayer D). The complaint does not allege pre-suit knowledge.

VII. Analyst’s Conclusion: Key Questions for the Case

  • A primary issue will be one of evidentiary sufficiency: as the complaint’s infringement theory relies entirely on unprovided claim charts, a key question is what specific evidence Plaintiff will offer to demonstrate that Defendant's unnamed products perform the specific steps of the asserted claims, particularly the generation of a behavioral "model" and the subsequent "validation" step.
  • The case will also turn on a question of definitional scope: can the term "model of legitimate behavior," which the patent illustrates with specific grammatical and structural examples like Abstract Syntax Trees and parse trees, be construed broadly enough to read on the specific anomaly detection techniques used in Defendant's products? The resolution of this claim construction issue will be critical to determining infringement.