DCT
2:22-cv-00468
Taasera Licensing LLC v. CrowdStrike Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Taasera Licensing LLC (Texas)
  - Defendant: CrowdStrike, Inc. and CrowdStrike Holdings, Inc. (Delaware)
  - Plaintiff’s Counsel: The Mort Law Firm, PLLC; Fabricant LLP
 
- Case Identification: 6:22-cv-01094, W.D. Tex., 10/21/2022
- Venue Allegations: Venue is based on Defendants’ principal place of business being located in Austin, Texas, within the district, and on alleged acts of infringement occurring within the district.
- Core Dispute: Plaintiff alleges that Defendant’s CrowdStrike Falcon endpoint security products infringe eight patents related to network security systems, including methods for application monitoring, runtime risk detection, and vulnerability-based access control.
- Technical Context: The technology lies in the field of enterprise cybersecurity, specifically Endpoint Detection and Response (EDR), a market focused on protecting corporate computers and servers from sophisticated malware and cyberattacks.
- Key Procedural History: The complaint notes that four of the patents-in-suit were originally developed by IBM and four were developed by TaaSera, Inc., suggesting the portfolio was aggregated from multiple technology pioneers in the network security field. No prior litigation or administrative patent challenges are mentioned in the complaint.
Case Timeline
| Date | Event | 
|---|---|
| 2002-01-04 | Priority Date for U.S. Patent No. 7,673,137 | 
| 2005-12-21 | Priority Date for U.S. Patent Nos. 8,955,038; 9,608,997; 9,923,918 | 
| 2010-03-02 | U.S. Patent No. 7,673,137 Issues | 
| 2011-02-17 | Priority Date for U.S. Patent No. 8,327,441 | 
| 2012-01-15 | Priority Date for U.S. Patent No. 8,850,517 | 
| 2012-05-01 | Priority Date for U.S. Patent Nos. 8,990,948; 9,092,616 | 
| 2012-12-04 | U.S. Patent No. 8,327,441 Issues | 
| 2014-09-30 | U.S. Patent No. 8,850,517 Issues | 
| 2015-02-10 | U.S. Patent No. 8,955,038 Issues | 
| 2015-03-24 | U.S. Patent No. 8,990,948 Issues | 
| 2015-07-28 | U.S. Patent No. 9,092,616 Issues | 
| 2017-03-28 | U.S. Patent No. 9,608,997 Issues | 
| 2018-03-20 | U.S. Patent No. 9,923,918 Issues | 
| 2022-10-21 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,673,137 - “System and Method for the Managed Security Control of Processes on a Computer System,” Issued March 2, 2010
The Invention Explained
- Problem Addressed: The patent’s background section describes the inadequacy of then-current network security approaches. It notes that "virtual execution" techniques for pre-screening code produce a high number of false positives, while real-time, packet-based monitoring systems often detect malicious activity only after harm has already begun (U.S. Patent No. 7,673,137, col. 2:9-30).
- The Patented Solution: The invention proposes a two-phase, kernel-level process to protect a computer. In the first "pre-execution" phase, the system interrupts the loading of a new program to perform a validation check, for example by comparing its checksum to a list of approved programs. If validated, the program is allowed to execute with minimal monitoring. If not validated, it enters a second phase where it is monitored at the operating system kernel level for suspicious activities as it executes, allowing threats to be addressed before they can cause harm (’137 Patent, Abstract; col. 3:20-44).
- Technical Importance: This approach represented a move toward proactive, behavioral security that operates at a low level of the operating system, designed to be more effective against novel and sophisticated malware than traditional signature-based antivirus or network-level filters.
Key Claims at a Glance
- The complaint asserts at least claim 6 (Compl. ¶38). Claim 6 is an independent method claim.
- The essential elements of Claim 6 are:
  - Interrupting the loading of a new program for operation with the computing device.
  - Validating the new program.
  - If the new program is validated, permitting the new program to continue loading and to execute.
  - If the new program is not validated, monitoring the new program while it loads and executes in connection with the computing device, wherein the step of monitoring is performed at the operating system kernel of the computing device.
 
- The complaint does not explicitly reserve the right to assert dependent claims for this patent.
U.S. Patent No. 8,327,441 - “System and Method for Application Attestation,” Issued December 4, 2012
The Invention Explained
- Problem Addressed: The patent identifies challenges arising from the shift to cloud computing, where enterprise software is often provided as a service by third parties rather than being owned and operated by the customer. This model creates a need for a new way to verify the security and integrity of applications at runtime in a distributed environment (’441 Patent, col. 1:19-2:2).
- The Patented Solution: The invention discloses an attestation service where a remote "attestation server" receives information from a computing platform where an application is running. This information includes a "runtime execution context" (e.g., the application's binary files and loaded components) and a "security context" (e.g., an analysis of those components). The server then generates and sends back an "attestation result" in the form of a report on the application's security risks, enabling a near real-time assessment of its trustworthiness (’441 Patent, Abstract; col. 2:27-3:5).
- Technical Importance: This technology provides a framework for dynamic, continuous verification of software integrity, which is more suitable for modern virtualized and cloud environments than older, static analysis methods.
Key Claims at a Glance
- The complaint asserts at least claim 1 (Compl. ¶51). Claim 1 is an independent method claim.
- The essential elements of Claim 1 are:
  - Receiving, by an attestation server remote from the computing platform, a runtime execution context (including executable file binaries and loaded components) and a security context (including an execution analysis of those binaries and components).
  - Generating, by the attestation server, a report indicating security risks based on the received contexts, as an attestation result.
  - Sending, by the attestation server, the attestation result associated with the application.
 
- The complaint does not explicitly reserve the right to assert dependent claims for this patent.
U.S. Patent No. 8,955,038 - “Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities,” Issued February 10, 2015
- Technology Synopsis: The patent describes a system for controlling an endpoint's operation based on compliance with security policies. A remote computing system provides a user interface to configure policies, which are then monitored by software agents on the endpoint; the remote system determines a compliance state and can initiate actions on the endpoint based on that state (’038 Patent, Abstract).
- Asserted Claims: At least claim 1 is asserted (Compl. ¶64).
- Accused Features: The complaint alleges that the CrowdStrike Falcon Insight EDR platform, in conjunction with Falcon Spotlight, infringes by using a remote user interface to configure security policies that are monitored by an on-device "Falcon sensor," with the remote system determining compliance and initiating actions like patching (Compl. ¶65-70).
U.S. Patent No. 8,990,948 - “Systems and Methods for Orchestrating Runtime Operational Integrity,” Issued March 24, 2015
- Technology Synopsis: The patent relates to a method for providing real-time operational integrity of an application. The method involves monitoring various sensory inputs (e.g., network dialogs, system operations), generating real-time behavior-based events, correlating those events to classify threats, and displaying status indications on an administrative dashboard (’948 Patent, Abstract).
- Asserted Claims: At least claim 1 is asserted (Compl. ¶80).
- Accused Features: The complaint alleges infringement by Falcon Insight EDR's features for application integrity monitoring and behavior analysis, which allegedly monitor endpoint activity via sensory inputs, generate behavior-based events, correlate them using frameworks like MITRE ATT&CK, and display status in runtime dashboards (Compl. ¶81-85).
U.S. Patent No. 9,092,616 - “Systems and Methods for Threat Identification and Remediation,” Issued July 28, 2015
- Technology Synopsis: The patent describes a method for providing runtime operational integrity of a system using a "trust orchestration server" and an "endpoint trust agent." The agent sends a dynamic context of endpoint events to the server, which analyzes the events, receives third-party assessments, correlates the data, and generates an integrity profile for the system (’616 Patent, Abstract).
- Asserted Claims: At least claim 1 is asserted (Compl. ¶95).
- Accused Features: The complaint accuses Falcon Insight EDR's architecture, alleging its cloud components function as the claimed "trust orchestration server" and its endpoint agents function as the claimed "endpoint trust agent" to provide operational integrity by sending, receiving, and analyzing endpoint events and third-party data to generate system integrity profiles (Compl. ¶96-103).
U.S. Patent No. 9,608,997 - “Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities,” Issued March 28, 2017
- Technology Synopsis: This patent describes a system for remotely controlling an endpoint to ensure compliance with security policies. A remote computing system with a UI and data store determines the endpoint's compliance state based on status information gathered by software services on the endpoint, and can remotely initiate an action that is carried out by a processor on the endpoint (’997 Patent, Abstract).
- Asserted Claims: At least claim 21 is asserted (Compl. ¶113).
- Accused Features: The infringement allegations target the Falcon Insight EDR with Falcon Spotlight platform, which is alleged to be a system for controlling endpoints by using a remote UI to set policies, receiving status information from the on-device Falcon sensor, determining a compliance state, and initiating remote actions like patching (Compl. ¶114-119).
U.S. Patent No. 9,923,918 - “Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities,” Issued March 20, 2018
- Technology Synopsis: The patent describes a system for controlling endpoint operation that also authorizes access to a network resource. A remote computing system determines an endpoint's compliance state based on status information and user information, and in response, determines whether to authorize the endpoint's access to a computing resource on the network (’918 Patent, Abstract).
- Asserted Claims: At least claim 1 is asserted (Compl. ¶129).
- Accused Features: The complaint targets Falcon Insight EDR's "Zero Trust Assessment" feature, which allegedly determines an endpoint's compliance state and authorizes conditional access to network resources based on device health and compliance checks (Compl. ¶134-135).
U.S. Patent No. 8,850,517 - “Runtime Risk Detection Based on User, Application, and System Action Sequence Correlation,” Issued September 30, 2014
- Technology Synopsis: The patent discloses a system for assessing runtime risk by monitoring sequences of actions. A runtime monitor identifies a risk by comparing a sequence of at least two actions (a user action, application action, or system action) against rules in a database and identifies a behavior score based on that risk (’517 Patent, Abstract).
- Asserted Claims: At least claim 13 is asserted (Compl. ¶145).
- Accused Features: Infringement is alleged based on Falcon Insight EDR's "Indicators of Attack (IOA)" and "CrowdScore" features, which allegedly assess runtime risk by identifying and scoring action sequences performed on an endpoint (Compl. ¶146-149).
III. The Accused Instrumentality
- Product Identification: The accused products are at least CrowdStrike Falcon Insight EDR (with Falcon Agent), and versions that include Falcon Agent and Falcon Spotlight (collectively, the "Accused Products") (Compl. ¶33, ¶64).
- Functionality and Market Context: The Accused Products are endpoint security software and services that provide endpoint detection and response (EDR) (Compl. ¶11, ¶33). A "Falcon Agent" software component is installed on endpoint computers (Compl. ¶45), where it monitors operating conditions such as file I/O operations and behavioral indicators of attack (IOAs) (Compl. ¶67). This agent sends data, including "process attributes, context information, and processes behavior information," across a network to a remote computing system for analysis (Compl. ¶53). The remote system analyzes this data to "automatically identify attacker behavior" (Compl. ¶52), generate alerts, and provide reports on a user dashboard (Compl. ¶54). The system allows for the configuration of security policies, such as custom application blocking based on file hashes (Compl. ¶39), and can initiate remedial actions, such as deploying a patch to an endpoint (Compl. ¶70). The complaint includes a screenshot of the "Preventing malware with custom blocking" feature, illustrating how an administrator can block or never block an application based on its hash (Compl. p. 9). Another screenshot shows the user interface for enabling "Kernel Exploit Prevention," which monitors drivers found to be malicious (Compl. p. 11).
IV. Analysis of Infringement Allegations
7,673,137 Patent Infringement Allegations
| Claim Element (from Independent Claim 6) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| interrupting the loading of a new program for operation with the computing device; | The "Custom Application Blocking" feature interrupts the operation of a new program by preventing it from running based on its hash. | ¶39 | col. 8:58-62 | 
| validating the new program; | The system validates the program by checking its hash against blacklists or whitelists to determine if it should be blocked or allowed to run. | ¶39 | col. 9:8-20 | 
| if the new program is validated, permitting the new program to continue loading and to execute in connection with the computing device; | If a program is not blocked by the Custom Application Blocking feature (i.e., is validated), it is permitted to run. | ¶40 | col. 9:21-25 | 
| if the new program is not validated, monitoring the new program while it loads and executes in connection with the computing device, wherein the step of monitoring the new program while it executes is performed at the operating system kernel of the computing device. | If a program passes the initial block/allow check, it is monitored by "CrowdStrike Kernel Exploit Prevention" to detect suspicious behavior at the kernel level. | ¶41 | col. 3:38-44 | 
- Identified Points of Contention:
  - Scope Questions: The dispute may center on the term "validating the new program". The complaint alleges this is met by checking a program’s hash against a block/allow list. A question for the court may be whether this term, in the context of the patent, requires a more specific process, such as the checksum comparison against a pre-approved software list described in the specification, rather than a simple blacklist/whitelist check.
  - Technical Questions: A factual question may arise over whether the accused product's blocking feature performs a true "interrupting the loading" step that occurs pre-execution, as required by the claim. The complaint’s evidence does not detail the precise timing of when the agent intervenes, raising the question of whether it acts before any part of the program executes or merely monitors the process as it initiates.
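The two list semantics contrasted in the scope question above, as an added illustration (not code from the complaint, the patents, or any CrowdStrike product). SHA-256 as the checksum, the function names and the sample byte strings are assumptions constructed for this example; the block-list gate follows the complaint's characterization that a program that is not blocked is permitted to run.

```python
from __future__ import annotations

import hashlib
from enum import Enum


class Outcome(Enum):
    RUN = "validated: continue loading and execute"
    MONITOR = "not validated: load and execute under monitoring"
    BLOCK = "blocked: loading stopped"


def digest(image: bytes) -> str:
    """Checksum of a program image (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(image).hexdigest()


def approved_list_gate(image: bytes, approved: set[str]) -> Outcome:
    """Validation as a checksum match against a list of approved programs.

    Anything absent from the list is 'not validated' and continues
    under monitoring; this gate has no outcome that stops the program.
    """
    return Outcome.RUN if digest(image) in approved else Outcome.MONITOR


def block_list_gate(image: bytes, never_block: set[str],
                    always_block: set[str]) -> Outcome:
    """Generic hash-based block / never-block list.

    A program is stopped only when its hash is listed as blocked;
    a hash on neither list is simply not blocked and runs.
    """
    h = digest(image)
    if h in never_block:
        return Outcome.RUN
    if h in always_block:
        return Outcome.BLOCK
    return Outcome.RUN


# Constructed byte strings standing in for program images.
SAMPLES = {
    "approved_tool": b"constructed image: approved tool",
    "unknown_tool": b"constructed image: never seen before",
    "known_bad": b"constructed image: known bad",
}


def compare() -> dict[str, tuple[Outcome, Outcome]]:
    """Run each sample through both gates: (approved-list, block-list)."""
    approved = {digest(SAMPLES["approved_tool"])}
    never_block = set(approved)
    always_block = {digest(SAMPLES["known_bad"])}
    return {
        name: (approved_list_gate(img, approved),
               block_list_gate(img, never_block, always_block))
        for name, img in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:14} approved-list: {a.name:8} block-list: {b.name}")
```

The gates agree only on the approved program: a binary on neither list is monitored under the approved-list gate but runs as not blocked under the block-list gate, and a listed-bad binary is stopped only by the block-list gate.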
 
8,327,441 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| receiving, by the attestation server remote from the computing platform: a runtime execution context indicating attributes of the application at runtime, wherein the attributes comprise one or more executable file binaries of the application and loaded components of the application; and a security context providing security information about the application, wherein the security information comprises an execution analysis of the one or more executable file binaries and the loaded components; | The remote CrowdStrike server receives "process attributes, context information, and processes behavior information" from the Falcon Agent on the endpoint, which allegedly constitutes the claimed contexts. A screenshot of a process tree illustrates the types of runtime data collected (Compl. p. 14). | ¶53 | col. 16:35-49 | 
| generating, by the attestation server, a report indicating security risks associated with the application based on the received runtime execution context and the received security context, as an attestation result; | The CrowdStrike server generates "alerts and reports prioritized detected threats" based on the received endpoint data. A screenshot of a detection dashboard shows a list of generated alerts with severity levels (Compl. p. 15). | ¶54 | col. 16:50-55 | 
| sending, by the attestation server, the attestation result associated with the application. | The generated alerts and reports are sent from the server and made available on a user-facing dashboard, thereby conveying the attestation result to the user. | ¶54 | col. 16:56-58 | 
- Identified Points of Contention:
  - Scope Questions: A central dispute may be whether the data package sent from the Falcon Agent to the CrowdStrike server can be technically separated into the distinct "runtime execution context" and "security context" required by the claim. The defense may argue that the product sends a single stream of telemetry data that does not map to the claim’s two-part structure.
  - Technical Questions: The claim requires the received "security context" to comprise an "execution analysis". A potential point of contention is whether this analysis is performed on the endpoint before the data is sent, or whether the server receives raw data and performs the analysis itself. The claim language suggests the analysis is part of the received information, which will be a key factual question regarding the accused system's operation.
 
V. Key Claim Terms for Construction
- ’137 Patent - The Term: "validating the new program"
- Context and Importance: This term is critical because its scope determines whether CrowdStrike's use of hash-based whitelists and blacklists meets the claim limitation. Practitioners may focus on this term because if it is construed narrowly to require the specific checksum-based method in the patent's embodiments, the infringement argument could be weakened.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The plain language of the term "validating" is not explicitly limited in the claim itself and could encompass any process of confirming whether a program is authorized or legitimate.
  - Evidence for a Narrower Interpretation: The specification consistently describes the validation step in terms of calculating a checksum for a new executable and comparing it to a checksum stored in a database for an allowed program (’137 Patent, col. 9:8-20, FIG. 5). This specific embodiment could be used to argue for a narrower construction.
 
 
- ’441 Patent - The Term: "security context"
- Context and Importance: The definition of this term is central to whether the data received by the CrowdStrike server satisfies this element, distinct from the "runtime execution context". Practitioners may focus on whether the data alleged to be the "security context" (e.g., behavioral information) is distinct from the data alleged to be the "runtime execution context" (e.g., process attributes).
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The claim defines the term functionally as "providing security information about the application, wherein the security information comprises an execution analysis." This broad functional language could support reading the term on a wide variety of security-related data.
  - Evidence for a Narrower Interpretation: The specification provides examples of security context information, such as results from collaboration services like "an application whitelisting services... a vulnerability assessment service; a patch management service; [or] an anti-virus service" (’441 Patent, col. 2:62-66). This list of external, analysis-based security checks could be used to argue for a narrower definition than general behavioral data collected at runtime.
 
 
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement of infringement for all asserted patents. The allegations are based on Defendants providing the Accused Products to customers and end-users along with "instruction and installation manuals on their support portal, and providing customer service... that instruct end-users to use the products in an infringing manner" (e.g., Compl. ¶43, ¶56, ¶72).
- Willful Infringement: The complaint does not contain a separate count for willful infringement. However, the inducement allegations state that Defendants had knowledge of the patents "at least as of the date of this Complaint," which may support a claim for post-filing willfulness (e.g., Compl. ¶43, ¶56). The prayer for relief also seeks a declaration that the case is "exceptional" and an award of attorney fees, which is consistent with an intent to prove willfulness (Compl. p. 56).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the term "validating the new program" from the ’137 Patent, which is described in the specification via checksum comparisons against pre-approved lists, be construed broadly enough to cover the accused product's use of hash-based blacklists and whitelists for application blocking?
- A key evidentiary question will be one of technical separation: does the telemetry data sent from the accused Falcon Agent to its remote server, as a matter of technical fact, contain two distinct and separable sets of information corresponding to the "runtime execution context" and "security context" limitations of the ’441 Patent, or is it a single, undifferentiated data stream?
- A central theme across multiple asserted patents will be the locus of analysis: for claims requiring analysis of endpoint conditions to determine compliance or risk, the case may turn on whether the accused system performs the critical analytical steps on the endpoint (via the agent) versus on the remote server, and how that operational reality maps to the specific sequence and location of steps required by the asserted claims.