DCT

1:25-cv-00897

Conexus LLC v. Wallarm Inc

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:25-cv-00897, D. Del., 07/18/2025
  • Venue Allegations: Plaintiff alleges venue is proper in the District of Delaware because Defendant is a Delaware corporation with an established place of business in the district, has committed alleged acts of infringement in the district, and caused harm to the Plaintiff there.
  • Core Dispute: Plaintiff alleges that Defendant’s cybersecurity products infringe a patent related to detecting security threats by monitoring network and application activity against established baselines.
  • Technical Context: The technology at issue falls within the field of network security, specifically behavioral analytics and anomaly detection, which aims to identify threats that have bypassed traditional perimeter defenses by modeling normal system behavior and flagging deviations.
  • Key Procedural History: The complaint does not mention any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history related to the patent-in-suit.

Case Timeline

| Date | Event |
|---|---|
| 2015-12-07 | U.S. Patent No. 10,812,497 Priority Date (based on Provisional Application No. 62/264,192) |
| 2020-10-20 | U.S. Patent No. 10,812,497 Issued |
| 2025-07-18 | Complaint Filed |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,812,497 - “Systems and methods for detecting and responding to security threats using application execution and connection lineage tracing,” issued October 20, 2020

The Invention Explained

  • Problem Addressed: The patent addresses the problem of detecting security threats that have already penetrated a network's perimeter and are moving laterally within the enterprise environment. Such threats often engage in a series of steps to find and exfiltrate sensitive data, and these actions may not be caught by traditional security tools focused on the network edge. (’497 Patent, col. 4:9-25).
  • The Patented Solution: The invention proposes a system that monitors network connections and application activity to establish a baseline of normal behavior. A central "collector server" receives "activity data" from sensors, combines it with "context information" (e.g., user identity) to create "activity records," and compares these records against a set of "baseline signatures" representing normal operations. When a new activity record deviates from all known baselines, the system generates an alert and can take responsive action. (’497 Patent, Abstract; col. 1:30-60). This creates a behavioral model to detect anomalous, and therefore potentially malicious, activity.
  • Technical Importance: This approach focuses on detecting the internal propagation of a threat, a critical phase of modern cyberattacks, and is designed to scale in large enterprise environments without requiring deep packet inspection for its initial filtering. (’497 Patent, col. 4:26-30, 60-65).

Key Claims at a Glance

The complaint asserts infringement of one or more unspecified claims, referring to them as the "Exemplary ’497 Patent Claims." (Compl. ¶11). Claim 1, the first independent method claim, includes the following essential elements:

  • Receiving a first piece of activity data from a first sensor on an observed system.
  • Combining the activity data with a first set of context information to generate a first activity record.
  • Comparing the first activity record to a set of baseline signatures, where each baseline includes an application name and server name.
  • Incrementing a count for a matching baseline signature if the activity record matches.
  • Receiving a second piece of activity data from a second sensor.
  • Combining the second activity data with a second set of context information to generate a second activity record.
  • Generating an alert when the second activity record's attributes differ from all baseline signatures by a predetermined threshold.
  • Reconfiguring a policy on the second sensor that controls traffic in response to the alert.

The complaint reserves the right to assert other claims, including by the doctrine of equivalents. (Compl. ¶11).
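
The sequence of Claim 1 elements listed above, sketched as an added example; it is not code from the patent, the complaint, or any party's product. The extra attributes (`user`, `dst_port`), the attribute-count distance metric, the threshold value, the below-threshold handling and the sensor policy format are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Page states only that a baseline includes application and server name;
# "user" and "dst_port" are assumed extra attributes for this sketch.
ATTRS = ("app", "server", "user", "dst_port")

@dataclass
class Sensor:
    name: str
    # Hypothetical traffic policy format held on the sensor.
    policy: dict = field(default_factory=lambda: {"default": "allow", "deny": []})

class Collector:
    def __init__(self, threshold=2):
        self.threshold = threshold  # assumed metric: count of differing attributes
        self.baselines = {}         # baseline signature -> match count
        self.alerts = []

    @staticmethod
    def signature(record):
        return tuple(record[a] for a in ATTRS)

    def learn(self, record):
        self.baselines.setdefault(self.signature(record), 0)

    def ingest(self, sensor, activity, context):
        record = {**activity, **context}  # activity data + context = activity record
        sig = self.signature(record)
        if sig in self.baselines:
            self.baselines[sig] += 1      # exact match: increment that baseline's count
            return "match"
        # Smallest attribute difference against every known baseline.
        distance = min((sum(a != b for a, b in zip(sig, base))
                        for base in self.baselines), default=len(ATTRS))
        if distance < self.threshold:
            return "below-threshold"      # assumed handling: neither counted nor alerted
        self.alerts.append({"sensor": sensor.name, "record": record, "distance": distance})
        # Response step: change the traffic policy on the reporting sensor.
        sensor.policy["deny"].append({"app": record["app"], "server": record["server"]})
        return "alert"

def demo():
    # Constructed sample data, not taken from any real system.
    web, db = Sensor("web-01"), Sensor("db-01")
    c = Collector(threshold=2)
    c.learn({"app": "nginx", "server": "web-01", "user": "svc-web", "dst_port": 5432})
    first = c.ingest(web, {"app": "nginx", "server": "web-01", "dst_port": 5432}, {"user": "svc-web"})
    second = c.ingest(db, {"app": "rsync", "server": "db-01", "dst_port": 873}, {"user": "svc-web"})
    return first, second, c, db
```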

III. The Accused Instrumentality

Product Identification

The complaint does not name specific accused products in its main body. It refers generally to "Defendant products identified in the charts incorporated into this Count below (among the 'Exemplary Defendant Products')." (Compl. ¶11). These charts are part of Exhibit 2, which was not provided with the complaint.

Functionality and Market Context

The complaint alleges that the accused products "practice the technology claimed by the '497 Patent." (Compl. ¶16). Based on the patent's subject matter, the accused functionality would involve monitoring network and application behavior, identifying anomalies, and responding to potential security threats. The complaint makes no specific allegations regarding the products' commercial importance or market position.

IV. Analysis of Infringement Allegations

The complaint does not contain claim charts or detailed infringement allegations in its body, instead incorporating them by reference to an external "Exhibit 2," which was not publicly filed. (Compl. ¶16, ¶17). The complaint's narrative theory is that the "Exemplary Defendant Products" practice the patented technology and "satisfy all elements of the Exemplary '497 Patent Claims." (Compl. ¶16). The complaint provides no probative visual evidence.

Identified Points of Contention

Given the lack of specific allegations, the analysis necessarily focuses on potential areas of dispute based on the language of the patent's independent claims.

  • Scope Questions: A central dispute may concern the final step of Claim 1, "reconfiguring a policy on the second...sensor that controls traffic in response to the generated alert." (’497 Patent, col. 21:59-63). The case could turn on whether the accused products perform an automated, active response that "controls traffic," or whether they merely generate an alert for a human administrator to act upon, which may not meet this limitation.
  • Technical Questions: An evidentiary question will be whether Plaintiff can demonstrate that the accused products' method for detecting threats is structurally and functionally the same as the claimed method. This includes proving the accused products create "baseline signatures," combine "activity data" with "context information" to form an "activity record," and compare that record to the baseline as claimed. The complaint provides no evidence on how the accused products actually operate.

V. Key Claim Terms for Construction

"baseline signatures"

  • Context and Importance: This term is the foundation of the patented invention's anomaly detection method. The definition will determine what constitutes "normal" behavior and, by extension, what is considered a potentially infringing "deviation." Practitioners may focus on this term because its scope dictates whether the accused product's method of profiling normal activity falls within the claims.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification describes a baseline signature as including a "set of attributes, each attribute having a particular value" and being "unique in the combination of values of its attributes." (’497 Patent, col. 1:41-45). This could support a broad definition covering any record of normal, repeated system activity.
    • Evidence for a Narrower Interpretation: The patent describes a "learning period or mode" for building the baseline signatures and a transition to a "detection" mode. (’497 Patent, col. 18:56-col. 19:1). This could support a narrower construction where "baseline signatures" are only those established during a distinct, initial training phase.

"reconfiguring a policy on the second...sensor that controls traffic"

  • Context and Importance: This term appears in the final step of Claim 1 and describes an active, responsive action. Whether the accused products perform this specific action will be a critical infringement question. If the accused products only alert or recommend actions, Defendant may argue they do not infringe.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification discusses enforcement actions more generally, including "automated quarantining" and "reconfiguring connections." (’497 Patent, col. 6:29-33). This could support an interpretation that covers a range of automated defensive actions that affect traffic flow.
    • Evidence for a Narrower Interpretation: The claim language is specific: "reconfiguring a policy on the...sensor." (’497 Patent, col. 21:59-61). This could be construed narrowly to require the system to automatically rewrite or modify a rule set directly on the sensor itself, as opposed to simply blocking a connection through other means.

VI. Other Allegations

Indirect Infringement

The complaint alleges induced infringement, stating that Defendant sells the accused products and provides "product literature and website materials" that instruct customers on how to use them in an infringing manner. (Compl. ¶14, ¶15). These allegations rely on materials referenced in the unattached Exhibit 2. (Compl. ¶14).

Willful Infringement

The complaint asserts willfulness based on knowledge obtained from the service of the complaint itself. (Compl. ¶13, ¶15). It does not allege that Defendant had knowledge of the ’497 Patent or its alleged infringement prior to the lawsuit's filing.

VII. Analyst’s Conclusion: Key Questions for the Case

  1. A central issue will be one of claim scope and technical operation: Does the accused system's response to a detected anomaly constitute "reconfiguring a policy...that controls traffic" as required by the independent claims, or does it perform a different function, such as simply alerting an operator, that might fall outside the claim's scope?
  2. A key evidentiary question will be whether Plaintiff can produce sufficient technical evidence to show that the accused products perform each step of the patented method. Given the complaint's reliance on unattached exhibits, the case will depend on discovery to reveal whether the accused products' internal architecture for profiling and detecting threats aligns with the patent's claimed process of creating and comparing "activity records" to "baseline signatures."
  3. The dispute may also turn on the definition of "baseline signatures." The court's construction of this term will be critical in determining whether the accused products' method of modeling normal user and application behavior is functionally equivalent to the specific method protected by the ’497 patent.