DCT
2:22-cv-00063
Taasera Licensing LLC v. Check Point Software Tech Ltd
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Taasera Licensing LLC (Texas)
  - Defendant: Check Point Software Technologies Ltd. (Israel)
  - Plaintiff’s Counsel: Fabricant LLP; Truelove Law Firm, PLLC
- Case Identification: 2:22-cv-00063, E.D. Tex., 02/25/2022
- Venue Allegations: Venue is alleged to be proper because Defendant is not a resident of the United States and may therefore be sued in any judicial district.
- Core Dispute: Plaintiff alleges that Defendant’s network security products, including its Next Generation Firewalls and endpoint security solutions, infringe seven U.S. patents related to network security, application attestation, and data loss prevention.
- Technical Context: The patents address various aspects of modern cybersecurity, including identifying sensitive data in network traffic, verifying the integrity of running applications, and managing endpoint device compliance based on known security vulnerabilities.
- Key Procedural History: The complaint asserts seven patents, four of which originated with IBM and three with TaaSera, Inc. A significant post-filing development relates to the ’796 Patent: on January 29, 2025, the USPTO issued an Ex Parte Reexamination Certificate cancelling all claims (1-25) of the patent, which may render the infringement count for this patent moot.
Case Timeline
| Date | Event |
|---|---|
| 2001-07-03 | Priority Date for U.S. Patent No. 6,842,796 |
| 2005-01-11 | Issue Date for U.S. Patent No. 6,842,796 |
| 2005-12-21 | Priority Date for U.S. Patent Nos. 8,955,038; 9,608,997; 9,923,918 |
| 2011-02-17 | Priority Date for U.S. Patent No. 8,327,441 |
| 2012-05-01 | Priority Date for U.S. Patent Nos. 8,990,948; 9,092,616 |
| 2012-12-04 | Issue Date for U.S. Patent No. 8,327,441 |
| 2015-02-10 | Issue Date for U.S. Patent No. 8,955,038 |
| 2015-03-24 | Issue Date for U.S. Patent No. 8,990,948 |
| 2015-07-28 | Issue Date for U.S. Patent No. 9,092,616 |
| 2017-03-28 | Issue Date for U.S. Patent No. 9,608,997 |
| 2018-03-20 | Issue Date for U.S. Patent No. 9,923,918 |
| 2022-02-25 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,842,796 - “Information Extraction from Documents with Regular Expression Matching,” Issued Jan. 11, 2005
The Invention Explained
- Problem Addressed: The patent describes the technical challenge of efficiently extracting key pieces of information (e.g., names, phone numbers, job objectives) from unstructured documents like transcribed voicemails or résumés. It notes that prior statistical "tagging" methods were complex and required large, annotated "training" databases. (’796 Patent, col. 1:11-44).
- The Patented Solution: The invention proposes a simpler method using "regularly identifiable or stereotypical phrases" that people commonly use to convey information. An input data stream is processed by identifying these phrases (e.g., "call me back at") and then extracting the associated information (e.g., the phone number that follows the phrase). The process involves normalizing the input data, annotating it with pre-defined classes (e.g., marking proper names), and then matching the data against a stored list of these "regular expressions." (’796 Patent, Abstract; col. 2:10-21; FIG. 1).
- Technical Importance: This approach enabled fast pattern matching and information extraction without the expensive and time-consuming step of gathering and annotating a large training database required by statistical systems. (’796 Patent, col. 2:31-38).
Key Claims at a Glance
- The complaint alleges infringement of one or more claims without specifying them; the allegations track the language of independent claim 1. (Compl. ¶30).
- Independent Claim 1 recites a method with the essential elements of:
  - identifying at least one regularly identifiable expression in an input sequence of data symbols
  - wherein the expression represents a pattern that is matchable in accordance with a programming language that supports such a regularly identifiable expression
  - identifying at least a portion of information associated with the expression
  - extracting the portion of information
- The complaint does not explicitly reserve the right to assert dependent claims.
U.S. Patent No. 8,327,441 - “System and Method for Application Attestation,” Issued Dec. 4, 2012
The Invention Explained
- Problem Addressed: In distributed and cloud computing environments, it is difficult to establish trust in applications running on remote platforms. Traditional security relied on static credentials, but a more dynamic, real-time assessment of an application's security posture was needed to authorize user-to-application connections. (’441 Patent, col. 2:35-45).
- The Patented Solution: The invention describes a system where an "attestation server" remotely verifies the integrity of an application at runtime. The server receives two key pieces of data from the remote platform: a "runtime execution context" (which includes executable file binaries and loaded components) and a "security context" (which includes an analysis of those components). The server then generates a report indicating security risks and sends this "attestation result" back, allowing for a trust decision to be made. (’441 Patent, Abstract; col. 3:56-65; FIG. 8).
- Technical Importance: The technology allows security and access control to be based on the dynamic, runtime trustworthiness of an application, rather than static, topology-based coordinates like IP addresses. (’441 Patent, col. 2:40-50).
Key Claims at a Glance
- The complaint asserts infringement of one or more claims, with narrative allegations mirroring independent claim 1. (Compl. ¶41).
- Independent Claim 1 recites a method with the essential elements of:
  - receiving, by an attestation server remote from a computing platform: a runtime execution context indicating attributes of an application at runtime (including executable file binaries and loaded components); and a security context providing security information about the application (including an execution analysis of the binaries and components)
  - generating, by the attestation server, a report indicating security risks associated with the application based on the received contexts
  - sending, by the attestation server, the attestation result associated with the application
- The complaint does not explicitly reserve the right to assert dependent claims.
U.S. Patent No. 8,955,038 - “Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities,” Issued Feb. 10, 2015 (Multi-Patent Capsule)
- Technology Synopsis: This patent describes a method for managing endpoint security from a remote computing system. The system allows an administrator to configure security policies, which are then used to monitor operating conditions on the endpoint via software agents. Based on the monitored status and the policies, the system determines a "compliance state" and can initiate an action on the endpoint. (’038 Patent, Abstract).
- Asserted Claims: The complaint's allegations track the language of independent method claim 1. (Compl. ¶52).
- Accused Features: The accused features are the compliance and access control capabilities of the Check Point Infinity Portal with Harmony Endpoint. (Compl. ¶52).
U.S. Patent No. 8,990,948 - “Systems and Methods for Orchestrating Runtime Operational Integrity,” Issued Mar. 24, 2015 (Multi-Patent Capsule)
- Technology Synopsis: This patent details a system for providing real-time operational integrity of an application. It involves monitoring various application behaviors (network dialogs, system operations, resource use) using sensory inputs, generating behavior-based events, and correlating these events to classify threats. The system then displays real-time status indicators on administrative dashboards. (’948 Patent, Abstract).
- Asserted Claims: The complaint’s infringement narrative tracks the language of independent method claim 1. (Compl. ¶67).
- Accused Features: The accused features are the Runtime Detection and Protection and MITRE ATT&CK Framework features within the Check Point Infinity Portal with Harmony Endpoint. (Compl. ¶67).
U.S. Patent No. 9,092,616 - “Systems and Methods for Threat Identification and Remediation,” Issued Jul. 28, 2015 (Multi-Patent Capsule)
- Technology Synopsis: This patent describes a system for providing runtime operational integrity using a trust orchestration server, a network trust agent, and an endpoint trust agent. The endpoint agent sends a "dynamic context" (endpoint events and actions) to the server. The server analyzes these events, incorporates third-party network assessments, correlates the data, and generates an overall "integrity profile" for the system. (’616 Patent, Abstract).
- Asserted Claims: The complaint's allegations track the language of independent method claim 1. (Compl. ¶80).
- Accused Features: The accused features are the Runtime Detection and Protection and MITRE ATT&CK Framework features of the Check Point Infinity Portal with Harmony Endpoint. (Compl. ¶80).
U.S. Patent No. 9,608,997 - “Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities,” Issued Mar. 28, 2017 (Multi-Patent Capsule)
- Technology Synopsis: This patent is related to the ’038 Patent and describes a method for remotely controlling an endpoint's compliance. A remote computing system provides a user interface for configuring policies, which are then used to monitor the endpoint. The system determines a compliance state and initiates an action on the endpoint, with the distinction that the system "remotely ensures" compliance with the stored policies. (’997 Patent, Abstract).
- Asserted Claims: The complaint's allegations track the language of independent method claim 1. (Compl. ¶96).
- Accused Features: The accused features are the compliance and access control functions of the Check Point Infinity Portal with Harmony Endpoint. (Compl. ¶96).
U.S. Patent No. 9,923,918 - “Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities,” Issued Mar. 20, 2018 (Multi-Patent Capsule)
- Technology Synopsis: This patent, also related to the ’038 and ’997 patents, describes a system for controlling an endpoint. A key distinction is the addition of "user information that identifies a user of the endpoint" as an input to the compliance determination. Access to a network resource is then authorized based on this user information, status information, and compliance policies. (’918 Patent, Abstract).
- Asserted Claims: The complaint's infringement allegations track the language of independent system claim 1. (Compl. ¶111).
- Accused Features: The accused features are the compliance and access control functions of the Check Point Infinity Portal with Harmony Endpoint. (Compl. ¶111).
III. The Accused Instrumentality
- Product Identification: The complaint identifies the accused products as at least Check Point Next Generation Firewalls, Check Point Data Loss Prevention Software Blade, and Check Point Infinity Portal with Harmony Endpoint (collectively, "the Accused Products"). (Compl. ¶26).
- Functionality and Market Context: The complaint alleges that the Accused Products collectively form a network security suite. The "Data Loss Prevention (DLP) feature," available in the Firewalls and as a Software Blade, is accused of infringing the ’796 Patent by using DLP rules with patterns and regular expressions to identify and prevent the loss of sensitive data. (Compl. ¶30, ¶32). The "Check Point Infinity Portal with Harmony Endpoint" is accused of infringing the remaining patents by functioning as a centralized security management and endpoint compliance system. The complaint alleges that the Harmony Endpoint agent on a user's device sends runtime data to the remote Infinity Portal, which analyzes the data, determines compliance, generates forensic reports, and enforces access control policies. (Compl. ¶41, ¶43, ¶52). A datasheet included in the complaint describes Check Point Infinity as a "consolidated cyber security architecture" providing "real-time threat prevention" across networks, endpoints, and cloud deployments. (Compl. p. 11).
IV. Analysis of Infringement Allegations
’796 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a method of automatically processing an input sequence of data symbols, the method comprising the steps of: identifying at least one regularly identifiable expression in the input sequence of data symbols... | The Check Point DLP feature enforces DLP rules created using patterns and regular expressions that are matched against content in data transmissions. (Compl. p. 8). | ¶32 | col. 2:10-21 |
| wherein the at least one regularly identifiable expression represents a pattern that is matchable in accordance with a programming language that supports such a regularly identifiable expression; | The accused product uses "Check Point supported regular expression syntax" to create a data type representation of a pattern. (Compl. p. 8). | ¶32 | col. 2:22-29 |
| identifying at least a portion of information associated with the at least one regularly identifiable expression; | The complaint alleges the DLP product practices this step, but provides no specific factual support beyond a conclusory statement. | ¶33 | col. 2:17-18 |
| and extracting the portion of information. | The accused DLP product allegedly extracts information to use in the notification of a match to a DLP rule. (Compl. p. 9). | ¶33 | col. 2:18-21 |
- Identified Points of Contention:
  - Scope Questions: A central dispute may arise over the term "regularly identifiable expression." The patent specification describes this term in the context of "stereotypical phrases that people commonly use" in "common linguistic usage," such as "Hi John, it's Bob." (Compl. ¶30; ’796 Patent, col. 2:1-8). The complaint alleges infringement based on the use of user-defined patterns to match data like credit card numbers. (Compl. p. 8). The question for the court will be whether the patent's scope, informed by its specification, can be construed to cover such user-defined data patterns, or if it is limited to the natural language phrases disclosed as examples.
  - Technical Questions: The complaint's allegation for the "extracting" element relies on the product generating a notification of a DLP rule match. (Compl. ¶33). The question will be whether simply flagging a match for a notification constitutes "extracting the portion of information" as required by the claim, or if the claim requires isolating and outputting the matched data itself (e.g., the credit card number) as a discrete data element.
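
The phrase-driven extraction that the ’796 Patent summary in Section II describes (normalize, annotate with classes, match stored phrases, extract what follows), next to a match-only rule check of the kind the technical question above distinguishes, as an added Python example that is not code from the patent, the complaint, or any Check Point product. The name list, class tags, patterns and sample messages are constructed assumptions.

```python
import re

# Constructed assumptions: a tiny proper-name dictionary and a stored list of
# stereotypical phrases. The two phrases are the examples the page cites from
# the '796 specification; the class tags are hypothetical.
KNOWN_NAMES = {"bob", "john"}
PHRASES = [
    ("my name is", "NAME"),
    ("call me back at", "PHONE"),
]

# Constructed sample input (a transcribed voicemail).
VOICEMAIL = "Hi, my name is Bob. Please call me back at 555-123-4567 after five."

# Constructed match-only rule: sixteen digits in groups of four.
CARD_RULE = r"\b(?:\d{4}[ -]?){3}\d{4}\b"


def normalize(text):
    """Lowercase, replace punctuation with spaces, collapse whitespace."""
    text = re.sub(r"[^a-z0-9\s-]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def annotate(text):
    """Wrap recognizable spans in class tags, e.g. <PHONE:5551234567>."""
    text = re.sub(
        r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b",
        lambda m: "<PHONE:" + re.sub(r"\D", "", m.group()) + ">",
        text,
    )
    names = "|".join(sorted(KNOWN_NAMES))
    return re.sub(r"\b(" + names + r")\b", r"<NAME:\1>", text)


def extract(message):
    """Return (class, value) pairs for data that follows a stored phrase.

    A value is returned only when a trigger phrase precedes an annotated
    span of the expected class; an annotated span on its own is ignored.
    """
    annotated = annotate(normalize(message))
    found = []
    for phrase, cls in PHRASES:
        pattern = re.escape(phrase) + " <" + cls + r":([^>]+)>"
        for m in re.finditer(pattern, annotated):
            found.append((cls, m.group(1)))
    return found


def rule_matches(message, rule_pattern):
    """Match-only check: reports that a rule fired, returns no matched data."""
    return re.search(rule_pattern, message) is not None


if __name__ == "__main__":
    print(extract(VOICEMAIL))
    print(rule_matches("card 4111 1111 1111 1111 on file", CARD_RULE))
```

`extract` returns the associated data as discrete values, while `rule_matches` returns only a boolean, which is the difference between isolating matched data and flagging that a match occurred.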
’441 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| receiving, by the attestation server remote from the computing platform: a runtime execution context indicating attributes of the application at runtime, wherein the attributes comprise one or more executable file binaries of the application and loaded components of the application; and a security context providing security information about the application... | The Check Point Infinity Portal (the alleged server) receives process attributes, context information, and behavior information for detected events from the Check Point Harmony Endpoint (the alleged computing platform). (Compl. p. 12). | ¶43 | col. 7:1-10 |
| wherein the security information comprises an execution analysis of the one or more executable file binaries and the loaded components; | The accused products' "Behavioral Guard" feature allegedly "identifies, classifies, and blocks malware mutations in real time based on minimal process execution tree similarities." The complaint also points to "Auto-generated forensic reports" that monitor endpoint events. (Compl. p. 12). | ¶43 | col. 7:10-13 |
| generating, by the attestation server, a report indicating security risks associated with the application based on the received runtime execution context and the received security context, as an attestation result; | The Check Point Infinity Portal allegedly provides automatic forensic reports with "detailed visibility into infected assets" and "attack flow," which constitutes the alleged report. (Compl. p. 12). | ¶44 | col. 7:14-19 |
| and sending, by the attestation server, the attestation result associated with the application. | The complaint alleges the system sends the automatically generated forensic reports, which serve as the attestation result. | ¶44 | col. 7:19-21 |
- Identified Points of Contention:
  - Scope Questions: A primary dispute may focus on the definition of "runtime execution context." The claim requires this context to comprise "one or more executable file binaries...and loaded components." The complaint alleges the accused product receives "process attributes, context information, and behavior information." (Compl. ¶43). The question is whether these high-level descriptions of data categories can be proven to meet the specific claim requirement of receiving the actual binaries and components.
  - Technical Questions: What evidence does the complaint provide that the "Auto-generated forensic reports" perform an "execution analysis of the one or more executable file binaries and the loaded components" as claimed? (Compl. ¶43, p. 12). The accused product is described as monitoring "behavior" and "endpoint events," which may or may not be the same as performing a direct analysis of the binary files themselves as the claim language suggests.
V. Key Claim Terms for Construction
For the ’796 Patent:
- The Term: "regularly identifiable expression"
- Context and Importance: This term is the core of the invention. Its construction will determine whether the patent applies only to natural language phrases or more broadly to any data pattern. Practitioners may focus on this term because the patent's examples are all linguistic phrases, while the accused technology applies to structured data patterns.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: Claim 1 itself defines the term functionally as "a pattern that is matchable in accordance with a programming language that supports such a regularly identifiable expression," which could be argued to cover any supported regex pattern. (’796 Patent, col. 9:8-12).
  - Evidence for a Narrower Interpretation: The specification repeatedly frames the invention in terms of "stereotypical phrases that people commonly use to convey particular information" in "common linguistic usage." (’796 Patent, col. 2:1-15). The detailed description provides examples like "call me back at" and "my name is," suggesting the term is tied to natural language conventions. (’796 Patent, col. 6:20-22, col. 7:1-4).
For the ’441 Patent:
- The Term: "runtime execution context"
- Context and Importance: The infringement case for the ’441 Patent hinges on whether the data sent from the Harmony Endpoint to the Infinity Portal constitutes a "runtime execution context" as claimed. The dispute will likely center on the technical composition of this data.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The term is broadly introduced in the specification as describing "the examined runtime local execution and introspection based derived security context." (’441 Patent, Abstract). This could support an argument that any data reflecting runtime state is covered.
  - Evidence for a Narrower Interpretation: Claim 1 explicitly states that the attributes of the runtime execution context "comprise one or more executable file binaries of the application and loaded components of the application." (’441 Patent, col. 10:51-54). This language provides a specific definition within the claim itself, which could be used to argue that receiving metadata about processes is insufficient without receiving the actual binary files and components.
VI. Other Allegations
- Indirect Infringement: For all asserted patents, the complaint alleges induced infringement. The allegations are based on Defendant providing the Accused Products to customers and end-users with the knowledge and intent that they will be used in an infringing manner, or with willful blindness to that infringement. (Compl. ¶¶34-36, 45-47).
- Willful Infringement: The complaint alleges that Defendant had knowledge of the patents "at least as of the date of this Complaint" and continued to infringe. (Compl. ¶¶35, 46). This grounds the willfulness allegation primarily in post-suit conduct. The complaint also makes alternative allegations of willful blindness, which could support a claim based on pre-suit conduct. (Compl. ¶¶36, 47).
VII. Analyst’s Conclusion: Key Questions for the Case
- A threshold legal issue will be the viability of the ’796 Patent, given that all of its claims were cancelled in an ex parte reexamination that concluded after the complaint was filed. The court will need to determine what effect, if any, this cancellation has on the allegations in Count I.
- A core issue will be one of definitional scope: can the term "regularly identifiable expression," rooted in the patent's context of stereotypical natural language phrases, be construed to cover the user-defined data patterns (e.g., for credit card numbers or social security numbers) used in the accused Data Loss Prevention system?
- A key evidentiary question will be one of technical equivalence: does the accused system's receipt of "process attributes, context information, and behavior information" from an endpoint meet the ’441 Patent’s claim requirement of receiving a "runtime execution context" that specifically comprises "one or more executable file binaries" and "loaded components"?