DCT
1:24-cv-09998
Conexus LLC v. Datadog Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Conexus LLC (NM)
- Defendant: Datadog, Inc. (DE)
- Plaintiff’s Counsel: Rabicoff Law LLC
- Case Identification: 1:24-cv-09998, S.D.N.Y., 12/29/2024
- Venue Allegations: Plaintiff alleges venue is proper because Defendant maintains an established place of business in the Southern District of New York and has committed the alleged acts of patent infringement in the district.
- Core Dispute: Plaintiff alleges that Defendant’s software products infringe a patent related to the detection of malicious code injection exploits by modeling and monitoring application behavior.
- Technical Context: The technology involves cybersecurity for web applications, specifically detecting attacks like SQL injection by creating behavioral baselines and alerting on deviations, a critical function in application security monitoring.
- Key Procedural History: The complaint is the initiating document in this litigation and does not mention any prior litigations, inter partes review proceedings, or licensing history related to the patent-in-suit.
Case Timeline
| Date | Event |
|---|---|
| 2019-04-09 | '499 Patent Priority Date |
| 2020-04-09 | '499 Patent Application Filing Date |
| 2023-08-23 | '499 Patent Issue Date |
| 2024-12-29 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 11,736,499 - Systems and methods for detecting injection exploits
- Issued: August 22, 2023
The Invention Explained
- Problem Addressed: The patent describes the vulnerability of enterprise computer systems to "injection flaws" (e.g., SQL, NoSQL, OS, and LDAP injection), where untrusted data is sent to a software interpreter as part of a command or query, potentially leading to unauthorized database access or the installation of malware ('499 Patent, col. 4:16-27).
- The Patented Solution: The invention proposes a method where a system monitors web applications and, upon invocation of a function that accepts external data, it generates a "model of legitimate behavior" (such as an Abstract Syntax Tree or SQL parse tree). The system then compares the application's actual behavior to this model and generates an alert if a deviation is detected. A final step involves validating whether the deviation was caused by a function that accepts external input ('499 Patent, col. 1:50-65; Fig. 6).
- Technical Importance: This behavioral analysis approach is designed to detect not only known attack signatures but also novel "zero-day" vulnerabilities by focusing on deviations from an application's normal execution flow rather than on the signature of the exploit itself ('499 Patent, col. 25:15-20).
Key Claims at a Glance
- The complaint asserts infringement of one or more claims of the '499 Patent, identifying Claim 1 as an exemplary claim (Compl. ¶11).
- Independent Claim 1 is a method claim with the following essential elements:
- using a collector server, monitoring web applications that are executing;
- detecting when an execution function that accepts external free-form data values is received and invoked;
- detecting malicious code by:
- generating a model of legitimate behavior subsequent to the invocation;
- comparing the actual behavior to the model; and
- generating an alert when the actual behavior deviates from the model;
- validating whether the deviation is due to one or more functions that accept external input.
- The complaint reserves the right to assert other claims, including dependent claims (Compl. ¶11).
III. The Accused Instrumentality
Product Identification
- The complaint identifies the accused instrumentalities as the "Exemplary Defendant Products" detailed in charts incorporated as Exhibit 2 (Compl. ¶11).
Functionality and Market Context
- The complaint does not provide Exhibit 2 or describe the specific functionality of the accused products. It alleges, in general terms, that the products practice the technology claimed by the '499 Patent (Compl. ¶16). Datadog, Inc. operates in the application performance and security monitoring market.
IV. Analysis of Infringement Allegations
The complaint incorporates claim charts by reference in Exhibit 2, but this exhibit was not provided with the filed complaint (Compl. ¶16, ¶17). As such, a detailed claim chart summary cannot be constructed.
The narrative infringement theory is that the "Exemplary Defendant Products" perform the method of the '499 Patent (Compl. ¶16). Based on the patent's claims, this suggests an allegation that Datadog's products monitor customer applications, create behavioral models, compare real-time execution against those models to find deviations, and validate those deviations to detect security threats like injection attacks ('499 Patent, Claim 1).
No probative visual evidence provided in complaint.
- Identified Points of Contention:
- Scope Questions: A central question may be whether the term "model of legitimate behavior" as used in the patent, which the specification exemplifies with specific code-parsing structures like an "abstract syntax tree (AST)" or "SQL parse tree" ('499 Patent, col. 4:43-45), reads on the security analysis techniques used by the accused products.
- Technical Questions: The infringement analysis may focus on the "validating" step. The claim requires "validating whether the deviation of the actual behavior is due to one or more functions that accept external input" ('499 Patent, col. 39:10-14). A key technical question will be what evidence demonstrates that the accused products perform this specific causal analysis, as opposed to a more general process of flagging an anomaly and its associated input.
V. Key Claim Terms for Construction
The Term: "model of legitimate behavior"
- Context and Importance: This term is at the core of the claimed invention. Its construction will likely determine whether the security analysis methods employed by the accused products fall within the scope of the claims.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: A party might argue the term is not explicitly defined and should be given its plain and ordinary meaning, potentially encompassing any baseline, signature, or profile of normal application activity ('499 Patent, col. 1:56-58).
- Evidence for a Narrower Interpretation: The specification provides specific, technical examples, stating that "These models can include, but are not limited to, abstract syntax tree (AST), program dependency graph (PDG) and/or SQL parse tree" ('499 Patent, col. 4:43-45). A party may argue these examples limit the term to structural, code-aware models rather than more general statistical baselines.
The Term: "validating"
- Context and Importance: This term describes the final analytical step of the claimed method. The interpretation of "validating" is critical for determining whether the accused products perform the complete claimed process.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: An argument could be made that any process that links a detected anomaly to the user input that triggered it, such as in a log entry, constitutes "validating."
- Evidence for a Narrower Interpretation: The claim language "validating whether the deviation... is due to one or more functions that accept external input" ('499 Patent, col. 39:10-14) suggests an affirmative causal analysis rather than a simple correlation. The use of this specific phrasing in the patent's abstract may also support a more rigorous interpretation ('499 Patent, Abstract).
VI. Other Allegations
- Indirect Infringement: The complaint alleges induced infringement, stating that Defendant distributes "product literature and website materials" that instruct customers on how to use the accused products in a manner that infringes the '499 Patent (Compl. ¶14). The allegation is predicated on knowledge acquired upon service of the complaint (Compl. ¶15).
- Willful Infringement: The complaint asserts that service of the complaint itself provides Defendant with "actual knowledge of infringement" (Compl. ¶13). The willfulness claim appears to be based on alleged post-filing conduct, as no pre-suit knowledge is alleged (Compl. ¶14, ¶15).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the claim term "model of legitimate behavior," which the patent illustrates with specific code-parsing structures like Abstract Syntax Trees ('499 Patent, col. 4:43-45), be construed to cover the specific security analysis and anomaly detection techniques used in Datadog's accused products?
- A key evidentiary question will be one of functional performance: does the evidence show that the accused products perform the specific claim step of "validating whether the deviation...is due to" external input ('499 Patent, col. 39:10-14), or do they perform a more general function of flagging anomalies that merely correlate with user input?