DCT

1:25-cv-00890

Conexus LLC v. Palo Alto Networks Inc


I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:25-cv-00890, D. Del., 07/17/2025
  • Venue Allegations: Plaintiff alleges venue is proper in the District of Delaware because Defendant has an established place of business in the district, has committed acts of patent infringement in the district, and has caused Plaintiff harm there.
  • Core Dispute: Plaintiff alleges that certain of Defendant's products infringe a patent related to methods for detecting malicious software injection exploits in networked computer systems.
  • Technical Context: The technology lies in the field of cybersecurity, specifically addressing the detection of injection attacks (such as SQL or OS command injection) by monitoring application behavior rather than relying solely on predefined attack signatures.
  • Key Procedural History: The complaint does not mention any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history related to the patent-in-suit. The allegations of knowledge and willfulness are based solely on the filing of the instant complaint.

Case Timeline

| Date | Event |
| --- | --- |
| 2019-04-09 | U.S. Patent No. 11,736,499 Priority Date |
| 2020-04-09 | U.S. Patent No. 11,736,499 Application Filing Date |
| 2023-08-22 | U.S. Patent No. 11,736,499 Issue Date |
| 2025-07-17 | Complaint Filing Date |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 11,736,499 - Systems and methods for detecting injection exploits

  • Patent Identification: U.S. Patent No. 11,736,499, "Systems and methods for detecting injection exploits," issued August 22, 2023 ('499 Patent).

The Invention Explained

  • Problem Addressed: The patent describes the challenge of detecting security threats, particularly "injection flaws" like SQL and OS command injection, which are identified as a persistent and critical web application vulnerability ('499 Patent, col. 4:18-24). Conventional security may fail to detect these exploits, which can allow attackers to steal data or install malware ('499 Patent, col. 3:1-16; col. 4:24-27).
  • The Patented Solution: The invention proposes a system that monitors a web application to detect when an "execution function"—a function that accepts external, untrusted data—is invoked. The system then generates a "model of legitimate behavior" for what should happen next (e.g., by creating an Abstract Syntax Tree or SQL parse tree of the expected command). It compares the application's actual behavior to this model and generates an alert if there is a deviation, such as an extra command injected by an attacker ('499 Patent, Abstract; col. 23:10-24). Figure 6 provides a high-level flowchart of this process, including receiving executable code (612), creating an execution model (616), comparing actual behavior to the model (618), and generating an alert (620).
  • Technical Importance: This behavioral analysis approach aims to detect both known and "zero-day" (previously unknown) injection attacks by focusing on deviations from normal application flow, rather than trying to match a predefined list of known malicious signatures ('499 Patent, col. 26:15-20).
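
The general idea summarized above (derive the expected statement structure, compare the observed statement against it, alert on deviation) can be shown with a small added example. It is not code from the '499 Patent, the complaint, or any accused product; the lexer, function names, templates and sample inputs are constructed for illustration, and a token skeleton stands in for the parse tree.

```python
import re

# Constructed mini-lexer: string and numeric literals collapse to LIT, so the
# token list keeps only the statement's structure (a stand-in for a parse tree).
TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<lit>'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b)
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<op><>|<=|>=|!=|\|\||[=<>(),;*.+\-/%])
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def skeleton(sql):
    """Return the structural token list of a SQL string."""
    out = []
    for m in TOKEN.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        # Literals and comments become markers; keywords/identifiers are
        # case-folded; operators and stray characters are kept verbatim.
        out.append({"lit": "LIT", "comment": "COMMENT",
                    "word": text.upper()}.get(kind, text))
    return out


def check(template, value, benign):
    """Compare the query built from `value` against the structure expected
    from the same template filled with a known-benign value."""
    expected = skeleton(template.format(value=benign))  # model of legitimate behavior
    actual = skeleton(template.format(value=value))     # observed behavior
    if actual == expected:
        return None                                     # no deviation, no alert
    # Index of the first differing token, or the shorter length if one
    # skeleton is a strict prefix of the other.
    at = next((i for i, (e, a) in enumerate(zip(expected, actual)) if e != a),
              min(len(expected), len(actual)))
    return {"deviates_at": at, "extra_or_changed": actual[at:at + 5]}


# Constructed templates, as a monitored application might build its queries.
BY_NAME = "SELECT id FROM users WHERE name = '{value}'"
BY_ID = "SELECT total FROM orders WHERE id = {value}"
```

A value that stays inside its literal (including a correctly escaped `O''Brien`) leaves the skeleton unchanged; a value that adds operators, keywords or a second statement changes it and produces the alert record.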

Key Claims at a Glance

  • The complaint asserts "one or more claims" of the ’499 Patent without specifying them, incorporating infringement charts by reference that were not included with the complaint (Compl. ¶11, ¶16). Claim 1 is the first independent claim.
  • Independent Claim 1 (Method):
    • using a collector server, monitoring web applications that are executing and detecting when an execution function is received over a network and invoked, where an execution function is a function that accepts external free-form data values;
    • detecting malicious code by: generating a model of legitimate behavior subsequent to invocation of the execution function;
    • comparing actual behavior to the model of legitimate behavior; and
    • generating an alert when the actual behavior deviates from the model of legitimate behavior and validating whether the deviation of the actual behavior is due to one or more functions that accept external input.
  • The complaint reserves the right to assert other claims, including dependent claims (Compl. ¶11).

III. The Accused Instrumentality

Product Identification

  • The complaint identifies the accused instrumentalities as "Exemplary Defendant Products" detailed in charts within an incorporated Exhibit 2 (Compl. ¶11, ¶16).

Functionality and Market Context

  • As Exhibit 2 was not provided with the complaint, the specific accused products and their technical functionality cannot be identified from the complaint document itself. The complaint alleges in general terms that the accused products practice the technology claimed by the ’499 Patent (Compl. ¶16).
  • No probative visual evidence provided in complaint.

IV. Analysis of Infringement Allegations

The complaint alleges that Defendant infringes by making, using, selling, and/or importing the "Exemplary Defendant Products" that practice the technology claimed in the ’499 Patent (Compl. ¶11). The detailed infringement allegations are contained in claim charts in Exhibit 2, which is incorporated by reference but was not attached to the provided complaint document (Compl. ¶16-17). Consequently, a detailed, element-by-element analysis of the infringement allegations is not possible from the provided materials.

  • Identified Points of Contention:
    • Scope Questions: A central question will be how broadly the key claim terms are construed. For example, does the accused technology's method of threat detection meet the specific definition of generating a "model of legitimate behavior" and "comparing actual behavior" to it, as required by the claim? Or does it use a different, non-infringing method (e.g., static signature matching)?
    • Technical Questions: The complaint must provide evidence that the accused products perform the specific, dynamic analysis claimed. For instance, what is the technical proof that an accused product generates a behavioral model (such as an AST or SQL parse tree, as described in the patent) subsequent to invoking a function, rather than using a pre-existing set of rules? The distinction between the claimed dynamic, behavioral modeling and other forms of security analysis will be a key technical issue.

V. Key Claim Terms for Construction

  • The Term: "model of legitimate behavior" (Claim 1)

  • Context and Importance: This term is the technological core of the invention. The definition of what constitutes such a "model" will be critical to the infringement analysis. Practitioners may focus on whether this term is limited to the specific, complex structures disclosed in the patent or if it can encompass other, simpler forms of behavioral rules.

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The claim language itself does not specify the form of the model. The Abstract refers generally to "generating a model of legitimate behavior" without limitation to a specific structure ('499 Patent, Abstract).
    • Evidence for a Narrower Interpretation: The specification provides highly specific examples of what this model can be, such as an "abstract syntax tree (AST), program dependency graph (PDG) and/or SQL parse tree" ('499 Patent, col. 4:42-44). A defendant may argue that the claims should be limited to these disclosed structures.

  • The Term: "execution function" (Claim 1)

  • Context and Importance: This term defines the trigger for the patented detection method. Its scope determines which application activities fall under the patent's purview. The dispute may center on whether this applies to any function that receives external data or only to a specific class of functions known to be vulnerable to injection.

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The claim itself provides a broad definition: "a function that accepts external free-form data values" ('499 Patent, col. 39:3-4).
    • Evidence for a Narrower Interpretation: The detailed description repeatedly provides specific examples of such functions, including system(), eval(), passthru(), and various SQL execution functions, suggesting the invention is aimed at these known high-risk functions ('499 Patent, col. 25:11-13; col. 26:1-5).

VI. Other Allegations

  • Indirect Infringement: The complaint alleges induced infringement, stating that Defendant distributes "product literature and website materials" that instruct and encourage end users to use the accused products in a manner that infringes the ’499 Patent (Compl. ¶14-15).
  • Willful Infringement: The complaint alleges knowledge of the ’499 Patent and infringement as of the date of service of the complaint (Compl. ¶13). It further alleges that despite this knowledge, Defendant continues to infringe, which may form the basis for a claim of post-suit willful infringement (Compl. ¶14).

VII. Analyst’s Conclusion: Key Questions for the Case

  1. Definitional Scope: The case will likely hinge on claim construction. Can the term "model of legitimate behavior", which the patent illustrates with specific, complex structures like Abstract Syntax Trees, be construed to cover the actual security methodology implemented in Palo Alto Networks' products? The outcome of this definitional question will substantially determine the scope of the patent.
  2. Evidentiary Burden: A key factual question will be what evidence Plaintiff can produce to show that the accused products perform the specific, multi-step process recited in Claim 1. Given the complaint's reliance on an external exhibit for its infringement contentions, a central issue for the court will be whether the technical evidence ultimately demonstrates the accused products' functionality matches the patent's claims of dynamically generating and comparing behavioral models, or if they operate on a different, non-infringing principle.