8:24-cv-00898
PacSec3 LLC v. Knowbe4 Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: PacSec3 LLC (Texas)
- Defendant: Knowbe4 Inc. (Delaware)
- Plaintiff’s Counsel: Victoria E Brieant, P.A.
- Case Identification: 8:24-cv-00898, M.D. Fla., 04/12/2024
- Venue Allegations: Venue is alleged to be proper based on Defendant maintaining a regular and established place of business in the district.
- Core Dispute: Plaintiff alleges that Defendant’s firewall systems and related internet services infringe a patent related to defending against network data packet flood attacks.
- Technical Context: The technology addresses distributed denial-of-service (DDoS) attacks by creating a system where routers and victim computers cooperate to trace the path of malicious traffic and selectively reduce its flow.
- Key Procedural History: The asserted patent is a continuation of an earlier application filed in 2000. Following an ex parte reexamination request, the U.S. Patent and Trademark Office issued a certificate in 2023 confirming the patentability of the two claims asserted in this lawsuit, claims 7 and 10.
Case Timeline
| Date | Event |
|---|---|
| 2000-11-16 | '497 Patent Priority Date |
| 2009-04-21 | '497 Patent Issue Date |
| 2023-05-22 | Ex Parte Reexamination Certificate Issued |
| 2024-04-12 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,523,497 - “PACKET FLOODING DEFENSE SYSTEM”
- Issued: April 21, 2009
The Invention Explained
- Problem Addressed: The patent addresses "packet flooding attacks," where an attacker overwhelms a victim’s network bandwidth with useless data, rendering services slow or inaccessible (’497 Patent, col. 2:7-11). The background notes that prior art defenses were often ineffective because they relied on information that an attacker could easily falsify, such as a packet's source address (’497 Patent, col. 2:1-5).
- The Patented Solution: The invention proposes a distributed defense system where "cooperating sites and routers" work together (’497 Patent, Abstract). Instead of relying on spoofable information, the system uses "attacker-independent information about the path a packet takes" to identify and mitigate attacks (’497 Patent, col. 4:1-5). Upstream routers apply "packet marks" to data, allowing a destination computer or firewall to determine the actual path the data traveled. The destination can then request that specific routers along that path limit the rate of unwanted traffic, thereby neutralizing the attack at its source without affecting legitimate users on other paths (’497 Patent, Fig. 1; col. 3:3-11).
- Technical Importance: This path-based approach represented a conceptual shift toward making attack mitigation more resilient by relying on the network infrastructure itself to provide trustworthy information, rather than on data within the packets that an attacker controls (’497 Patent, col. 4:60-65).
Key Claims at a Glance
- The complaint asserts independent claims 7 and 10 (Compl. ¶13). An exemplary claim, claim 10, contains the following essential elements:
- A method for providing packet flooding defense.
- Determining a path by which data packets arrive at a router "via packet marks provided by routers leading to said host computer."
- Classifying received data packets "by path."
- Associating a "maximum acceptable transmission rate" with each class of data packet.
- Allocating a transmission rate for "unwanted data packets" that is a equal to or less than the associated maximum rate.
- The complaint states that support for infringement of claim 10 is found in an exhibit, but also notes that it may pursue infringement of other claims (Compl. ¶14, ¶15).
III. The Accused Instrumentality
Product Identification
The complaint identifies the accused instrumentalities as "one or more firewall systems" and "related services that provide services across the Internet" that are offered, sold, and manufactured by Defendant KNOWBE4 (Compl. ¶13, ¶15).
Functionality and Market Context
The complaint alleges that Defendant's "Accused Products are available to businesses and individuals throughout the United States" (Compl. ¶20). However, the complaint does not provide sufficient detail for analysis of the specific technical functionality of the accused systems or how they operate to provide firewall or other security services.
IV. Analysis of Infringement Allegations
The complaint references an "Exhibit B, a claim chart for claim 10" that purportedly describes how the accused products infringe (Compl. ¶14, ¶22). As this exhibit was not provided with the complaint, the specific factual basis for the infringement allegations cannot be analyzed in a chart format. The complaint's narrative theory is that Defendant's "firewall systems" practice the methods of the asserted claims (Compl. ¶13). No probative visual evidence provided in complaint.
- Identified Points of Contention:
- Scope Questions: The patent claims a specific method of defense reliant on a cooperative system of routers that apply "packet marks" to trace a "path" (’497 Patent, cl. 10). The complaint accuses "firewall systems" (Compl. ¶13). This raises the question of whether the accused KnowBe4 products, which are publicly known primarily in the context of security awareness training and phishing simulation, perform the claimed path-based, router-cooperative traffic management functions.
- Technical Questions: A central technical question is what evidence the plaintiff will offer to show that the accused products actually perform the claimed steps. For example, the complaint does not explain how the accused systems are alleged to "determin[e] a path... via packet marks provided by routers" or how they "classify[] data packets... by path" as required by the claims (’497 Patent, cl. 10).
V. Key Claim Terms for Construction
The Term: "path... via packet marks provided by routers"
Context and Importance: This phrase is the technical core of the asserted claims, defining the specific mechanism for identifying traffic streams. The outcome of the infringement analysis will likely depend on whether the accused systems use a "path" determined by "packet marks" from multiple routers, as opposed to other traffic analysis techniques such as filtering by source IP address or protocol type.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent's summary states the goal is to use "attacker-independent information about the path" (’497 Patent, col. 4:4-5), which a party could argue covers any method of determining a packet's route that does not rely on attacker-controlled data.
- Evidence for a Narrower Interpretation: Claim 10 explicitly requires the path be determined "via packet marks provided by routers" (’497 Patent, col. 15:30-32). The specification consistently describes a distributed system where routers and sites cooperate, and Figure 1 illustrates distinct routers (e.g., Router 3, Router 5) as part of the defense system, suggesting the term requires a specific, multi-component marking and tracing architecture (’497 Patent, Fig. 1).
The Term: "classifying data packets... by path"
Context and Importance: This limitation dictates how traffic is sorted into categories (e.g., "wanted" and "unwanted") for rate-limiting. Practitioners may focus on this term because if the accused system classifies packets based on criteria other than the traced "path"—such as by using content signatures or source reputation—it may not infringe.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: A party might argue that any classification that ultimately correlates with a traffic route constitutes classification "by path," even if the path itself is not the direct input to the classification logic.
- Evidence for a Narrower Interpretation: Claim 10 directly links the classification to the path determined via packet marks (’497 Patent, col. 15:34-36). The summary of the invention reinforces this, stating that "Bandwidth is allocated based upon path (which is done via packet marks provided by routers...)" (’497 Patent, col. 4:63-65), indicating that the path is the dispositive factor in the classification step.
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement by asserting that Defendant instructs its customers on how to use its products and services in an infringing manner (Compl. ¶15). It also pleads contributory infringement, alleging there are "no substantial noninfringing uses" for the accused products (Compl. ¶16).
- Willful Infringement: Willfulness is alleged based on Defendant’s knowledge of the ’497 Patent from "at least the filing date of the lawsuit" (Compl. ¶15, ¶16). The complaint also asserts in a conclusory manner that Defendant has made "no attempt to design around the claims" (Compl. ¶18).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of evidentiary proof: The complaint does not specify how the accused KnowBe4 products operate. A central question for the court will be whether Plaintiff can produce evidence demonstrating that Defendant's "firewall systems" actually implement the specific, multi-step method of the asserted claims, which requires determining a packet's "path via packet marks provided by routers" and allocating bandwidth "by path."
- The case will also present a key question of technical scope: Can the claims, which describe a distributed, cooperative system of routers and endpoints for tracing and managing traffic flow, be construed to read on the functionality of Defendant’s security products? The resolution will depend on whether Defendant's systems employ a functionally equivalent path-tracing mechanism or rely on fundamentally different security techniques that fall outside the scope of the claims.