DCT

2:23-cv-00113

Taasera Licensing LLC v. Palo Alto Networks Inc

Log In

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:23-cv-00113, E.D. Tex., 03/15/2023
  • Venue Allegations: Venue is alleged to be proper based on Defendant maintaining a regular and established place of business in Plano, Texas, within the Eastern District of Texas, and having committed alleged acts of infringement in the district.
  • Core Dispute: Plaintiff alleges that Defendant’s network security products, including its Cortex XDR, Pan-OS, and Next Generation Firewalls, infringe nine U.S. patents related to information extraction, endpoint security, and threat detection.
  • Technical Context: The technologies at issue relate to network security systems designed to identify and remediate cyber threats, control application behavior on endpoint devices, and prevent the exfiltration of sensitive data.
  • Key Procedural History: The complaint alleges that Defendant had knowledge of the asserted patents at least as of the date of a prior complaint filed by Plaintiff against Defendant on February 25, 2022. It further alleges that Plaintiff provided Defendant with infringement contentions for the patents-in-suit on January 17, 2023, which may be relevant to the allegations of willful infringement.

Case Timeline

Date Event
2001-07-03 Priority Date for U.S. Patent No. 6,842,796
2002-01-04 Priority Date for U.S. Patent No. 7,673,137
2003-08-27 Priority Date for U.S. Patent No. 8,127,356
2005-01-11 U.S. Patent No. 6,842,796 Issues
2006-06-13 Priority Date for U.S. Patent No. 8,955,038
2010-03-02 U.S. Patent No. 7,673,137 Issues
2011-02-17 Priority Date for U.S. Patent No. 8,327,441
2012-02-28 U.S. Patent No. 8,127,356 Issues
2012-05-01 Priority Date for U.S. Patents Nos. 8,850,517, 8,990,948, 9,092,616
2012-12-04 U.S. Patent No. 8,327,441 Issues
2014-09-30 U.S. Patent No. 8,850,517 Issues
2015-02-10 Priority Date for U.S. Patent No. 9,923,918
2015-02-10 U.S. Patent No. 8,955,038 Issues
2015-03-24 U.S. Patent No. 8,990,948 Issues
2015-07-28 U.S. Patent No. 9,092,616 Issues
2018-03-20 U.S. Patent No. 9,923,918 Issues
2022-02-25 Plaintiff files prior complaint against Defendant
2023-01-17 Plaintiff serves infringement contentions on Defendant
2023-03-15 Current Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 6,842,796 - "Information Extraction from Documents with Regular Expression Matching"

  • Patent Identification: U.S. Patent No. 6,842,796, "Information Extraction from Documents with Regular Expression Matching," issued January 11, 2005. (Compl. ¶7).

The Invention Explained

  • Problem Addressed: The patent describes the problem of automatically extracting key pieces of information (e.g., a caller's name from a voicemail) from documents, noting that prior statistical "tagging" approaches failed to explicitly identify the important portions of text. (’796 Patent, col. 1:13-46).
  • The Patented Solution: The invention proposes using "regular expressions," defined as stereotypical phrases people commonly use (e.g., "call me back at"), to automatically identify patterns in a data stream. (’796 Patent, col. 2:3-10). Once a pattern is matched, the system can extract the specific information associated with that phrase, such as the phone number that follows. (’796 Patent, Abstract; Fig. 1).
  • Technical Importance: This method allowed for fast and efficient information extraction using standard programming languages with built-in support for regular expressions, which could obviate the need for expensive and time-consuming creation of large "training" databases required by some statistical methods. (’796 Patent, col. 2:22-34).

Key Claims at a Glance

  • The complaint alleges infringement of one or more claims, including claim 1. (Compl. ¶39). Independent claim 1 recites a method with the following essential elements:
    • Automatically processing an input sequence of data symbols;
    • Identifying at least one regularly identifiable expression in the input sequence, where the expression represents a pattern matchable by a programming language that supports such expressions;
    • Identifying at least a portion of information associated with the expression; and
    • Extracting the portion of information.

U.S. Patent No. 7,673,137 - "System and Method for the Managed Security Control of Processes on a Computer System"

  • Patent Identification: U.S. Patent No. 7,673,137, "System and Method for the Managed Security Control of Processes on a Computer System," issued March 2, 2010. (Compl. ¶8).

The Invention Explained

  • Problem Addressed: The patent addresses the shortcomings of security systems that either detect malicious activity only after harm has begun (real-time monitoring) or produce a high number of false positives (virtual execution). (’137 Patent, col. 1:56-col. 2:67).
  • The Patented Solution: The invention discloses a two-phased, kernel-level approach to security. In a pre-execution phase, a new program is rapidly checked to see if it has been previously approved or "validated." If validated, it is allowed to run with minimal monitoring. If not validated, the system enters a second phase where the program's execution is monitored at the operating system kernel level, allowing for the detection of suspicious activities before they can cause harm. (’137 Patent, Abstract; col. 3:24-41).
  • Technical Importance: This two-step process aimed to provide efficient security with minimal user interruption by applying lightweight validation for known programs and reserving intensive, kernel-level monitoring for unknown or unvalidated programs. (’137 Patent, col. 3:5-19).

Key Claims at a Glance

  • The complaint alleges infringement of one or more claims, focusing on the method of claim 6. (Compl. ¶46). Independent claim 6 recites a method with the following essential elements:
    • Interrupting the loading of a new program for operation with the computing device;
    • Validating the new program;
    • If the new program is validated, permitting the new program to continue loading and to execute;
    • If the new program is not validated, monitoring the new program while it loads and executes, wherein the monitoring is performed at the operating system kernel of the computing device.

U.S. Patent No. 8,127,356 - "System, Method and Program Product for Detecting Unknown Computer Attacks"

  • Patent Identification: U.S. Patent No. 8,127,356, "System, Method and Program Product for Detecting Unknown Computer Attacks," issued February 28, 2012. (Compl. ¶9).
  • Technology Synopsis: The patent relates to technology for automatically determining if a network packet is a new "exploit candidate." (Compl. ¶22). The invention describes using a series of program instructions to filter out known exploits and various types of benign traffic (e.g., broadcast, network administration) to isolate and report packets that are unknown and thus potential candidates for exploits. (Compl. ¶59).
  • Asserted Claims: The complaint alleges infringement of "one or more claims" of the ’356 Patent. (Compl. ¶59).
  • Accused Features: The PAN-OS and Wildfire software features within Palo Alto VM and PA Series Firewalls. (Compl. ¶59).

U.S. Patent No. 8,327,441 - "System and Method for Application Attestation"

  • Patent Identification: U.S. Patent No. 8,327,441, "System and Method for Application Attestation," issued December 4, 2012. (Compl. ¶10).
  • Technology Synopsis: The patent relates to technology for application attestation, which involves providing a remote attestation service for an application executing at runtime. (Compl. ¶23). The service receives runtime execution and security context information, generates a report on security risks, and sends this attestation result back. (Compl. ¶76).
  • Asserted Claims: The complaint alleges infringement of "one or more claims" of the ’441 Patent. (Compl. ¶76).
  • Accused Features: The Malicious Process Prevention and Behavioral Threat Protection features of the Palo Alto Cortex XDR product. (Compl. ¶76).

U.S. Patent No. 8,850,517 - "Runtime Risk Detection Based on User, Application, and System Action Sequence Correlation"

  • Patent Identification: U.S. Patent No. 8,850,517, "Runtime Risk Detection Based on User, Application, and System Action Sequence Correlation," issued September 30, 2014. (Compl. ¶11).
  • Technology Synopsis: The patent generally relates to runtime risk detection based on correlating sequences of user, application, and/or system actions. (Compl. ¶24). The technology assesses risk by identifying action sequences, storing rules that define such sequences, and generating a behavior score based on the identified risk. (Compl. ¶150).
  • Asserted Claims: The complaint alleges infringement of "one or more claims" of the ’517 Patent. (Compl. ¶150).
  • Accused Features: The Malicious Process Prevention and Behavioral Threat Protection features of the Palo Alto Cortex XDR product. (Compl. ¶150).

U.S. Patent No. 8,955,038 - "Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities"

  • Patent Identification: U.S. Patent No. 8,955,038, "Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities," issued February 10, 2015. (Compl. ¶12).
  • Technology Synopsis: This patent relates to technology that acts based on known security vulnerabilities to ensure endpoint compliance. (Compl. ¶25). The method involves a remote system providing a user interface to configure policies, which are then monitored by software agents on an endpoint to determine a compliance state and initiate actions. (Compl. ¶88).
  • Asserted Claims: The complaint alleges infringement of "one or more claims" of the ’038 Patent. (Compl. ¶88).
  • Accused Features: The Malicious Process Prevention and Behavioral Threat Protection features of the Palo Alto Cortex XDR product. (Compl. ¶88).

U.S. Patent No. 8,990,948 - "Systems and Methods for Orchestrating Runtime Operational Integrity"

  • Patent Identification: U.S. Patent No. 8,990,948, "Systems and Methods for Orchestrating Runtime Operational Integrity," issued March 24, 2015. (Compl. ¶13).
  • Technology Synopsis: The technology relates to providing runtime operational integrity profiles that identify a threat level. (Compl. ¶26). The method involves monitoring network dialogs and system operations, generating real-time behavior-based events, correlating threat classifications, and displaying status indications in a dashboard. (Compl. ¶104).
  • Asserted Claims: The complaint alleges infringement of "one or more claims" of the ’948 Patent. (Compl. ¶104).
  • Accused Features: The Malicious Process Prevention and Behavioral Threat Protection features of the Palo Alto Cortex XDR product. (Compl. ¶104).

U.S. Patent No. 9,092,616 - "Systems and Methods for Threat Identification and Remediation"

  • Patent Identification: U.S. Patent No. 9,092,616, "Systems and Methods for Threat Identification and Remediation," issued July 28, 2015. (Compl. ¶14).
  • Technology Synopsis: The patent relates to technology that provides integrity profiles for identifying a system's threat level. (Compl. ¶27). The method involves an endpoint agent sending context about events and actions to a trust orchestration server, which analyzes the events, receives third-party assessments, and generates an integrity profile for the system. (Compl. ¶118).
  • Asserted Claims: The complaint alleges infringement of "one or more claims" of the ’616 Patent. (Compl. ¶118).
  • Accused Features: The Malicious Process Prevention and Behavioral Threat Protection features of the Palo Alto Cortex XDR product. (Compl. ¶118).

U.S. Patent No. 9,923,918 - "Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities"

  • Patent Identification: U.S. Patent No. 9,923,918, "Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities," issued March 20, 2018. (Compl. ¶15).
  • Technology Synopsis: The patent describes technology that controls access to computing resources based on known security vulnerabilities. (Compl. ¶28). The system uses a remote user interface to configure policies, which are evaluated by software services on an endpoint; the remote system then determines a compliance state and authorizes or denies access to a network resource. (Compl. ¶135).
  • Asserted Claims: The complaint alleges infringement of "one or more claims" of the ’918 Patent. (Compl. ¶135).
  • Accused Features: The Endpoint Protection features of the Palo Alto Cortex XDR product. (Compl. ¶135).

III. The Accused Instrumentality

Product Identification

  • The accused instrumentalities are Palo Alto Networks’ Cortex XDR, Pan-OS, and Next Generation Firewalls (NGFW). (Compl. ¶29).

Functionality and Market Context

  • The complaint identifies the accused instrumentalities as network security products. (Compl. ¶29). The Palo Alto NGFWs running the PAN-OS operating system are alleged to perform "Data Filtering based on Data Patterns," a feature that uses predefined and custom regular expressions to scan network traffic for sensitive information and can capture matching data. (Compl. ¶¶ 34-37).
  • The Palo Alto Cortex XDR product is described as an endpoint security solution that provides "multi-method" malware and exploit protection. (Compl. ¶¶ 47, 18). It allegedly operates by first checking new programs against lists of known malware, trusted signers, and cloud-based threat intelligence ("WildFire verdict"), and if a program is not validated, it monitors the program's behavior at the kernel level throughout its execution. (Compl. ¶¶ 48-50). A screenshot from product documentation shows a diagram of Cortex XDR's multi-stage protection approach, covering pre-execution, cloud-based analysis, and post-execution monitoring. (Compl. p. 18).

IV. Analysis of Infringement Allegations

'796 Infringement Allegations

Claim Element (from Independent Claim 1) Alleged Infringing Functionality Complaint Citation Patent Citation
a method of automatically processing an input sequence of data symbols Palo Alto PAN-OS performs Data Filtering based on Data Patterns to process input data symbols. ¶35 col. 3:55-59
identifying at least one regularly identifiable expression in the input sequence of data symbols, wherein the at least one regularly identifiable expression represents a pattern ... Palo Alto PAN-OS enforces Data Filtering rules created using pre-defined and regular expressions. A screenshot shows "Regular Expression" as a data pattern type. ¶36, p. 11 col. 2:11-17
identifying at least a portion of information associated with the at least one regularly identifiable expression; and extracting the portion of information. Palo Alto PAN-OS extracts filtered information for "Data Capture." A screenshot shows a "Data Capture" option in the Data Filtering Profile Settings. ¶37, p. 14 col. 2:18-21
  • Identified Points of Contention:
    • Scope Questions: A central question may be whether the term "regularly identifiable expression," which the patent’s background and abstract exemplify primarily with stereotypical natural language phrases (e.g., "Hi John, it's Bob"), can be construed to cover the technical data patterns (e.g., credit card number formats) that the accused products are designed to filter. (Compl. p. 11; ’796 Patent, Abstract, col. 2:3-10).
    • Technical Questions: What evidence does the complaint provide that the "pre-defined" data patterns for items like social security numbers in the accused product function by matching a "regularly identifiable expression" as required by the claim, versus another technical method? (Compl. p. 11).

'137 Infringement Allegations

Claim Element (from Independent Claim 6) Alleged Infringing Functionality Complaint Citation Patent Citation
interrupting the loading of a new program for operation with the computing device When a new program is executed, Palo Alto Cortex XDR first checks if the program is known malware before it fully loads. ¶48 col. 8:44-51
validating the new program Cortex XDR validates programs by checking against whitelists, blacklists, "highly trusted signers," and a cloud-based "WildFire" verdict. ¶49 col. 8:52-54
if the new program is validated, permitting the new program to continue loading and to execute in connection with the computing device Cortex XDR permits new programs to run if they are signed by a "highly trusted signer." A flowchart visual depicts this evaluation path. ¶49, p. 19 col. 8:55-57
if the new program is not validated, monitoring the new program while it loads and executes ... wherein the step of monitoring ... is performed at the operating system kernel If no malicious behavior is detected initially, Cortex XDR permits the program to run but "continues to monitor the behavior for the lifetime of the process" at the kernel level on supported operating systems like Linux. ¶50, p. 20 col. 8:58-63
  • Identified Points of Contention:
    • Scope Questions: A potential dispute may arise over the term "validating." The defense may argue that the accused product's complex, multi-stage, cloud-integrated analysis (including "WildFire verdict") is technically distinct from the "validating" process described in the patent's specification, which focuses on comparing a program to a "predetermined list of approved programs" or checking its checksum. (’137 Patent, col. 3:42-50; Compl. ¶49).
    • Technical Questions: What is the specific timing and mechanism of the "interrupting" step in the accused Cortex XDR product, and does it occur during "loading" as required by the claim or after loading is complete but before execution begins?

V. Key Claim Terms for Construction

U.S. Patent No. 6,842,796

  • The Term: "regularly identifiable expression"
  • Context and Importance: The scope of this term is central to the infringement analysis. Practitioners may focus on whether this term is limited to the natural language phrases used as examples in the patent, or if it is broad enough to encompass the technical data patterns (e.g., for credit card numbers) used by the accused product.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification states that the invention "applies to many input forms other than typed text or spoken messages," including "DNA... RNA... amino-acid sequences, and audio and video sequences," which are non-linguistic data streams. (’796 Patent, col. 3:57-65). This could support a construction that is not limited to natural language.
    • Evidence for a Narrower Interpretation: The patent's Abstract and Background sections repeatedly use examples of stereotypical spoken phrases like "Hi , it's " to define and explain the invention. (’796 Patent, Abstract; col. 2:3-10). This context may be used to argue that the term should be construed as being limited to such linguistic patterns.

U.S. Patent No. 7,673,137

  • The Term: "validating the new program"
  • Context and Importance: Infringement of claim 6 turns on whether the accused Cortex XDR product's security checks constitute "validating." Practitioners may focus on this term because the accused product's complex, cloud-based threat analysis appears more advanced than the specific validation methods detailed in the patent.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The claim language itself does not specify a particular method of validation. The specification describes a "validation module to determine whether the user has already validated the new program," which is a general description that could encompass a variety of techniques. (’137 Patent, col. 4:6-8).
    • Evidence for a Narrower Interpretation: The specification's detailed description of an embodiment explains validation as comparing a program "to the predetermined list of approved programs" and using a checksum to verify the program has not been altered. (’137 Patent, col. 3:42-50). A party could argue this provides a definitional context that limits the scope of "validating" to these specific types of checks.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges inducement of infringement for all asserted patents. The allegations are based on Defendant providing product manuals, technical documentation, and customer support websites that allegedly instruct customers and end-users on how to use the accused features in an infringing manner. (Compl. ¶¶ 38-40, 51-53).
  • Willful Infringement: Willfulness is alleged for all asserted patents based on Defendant’s alleged knowledge. The complaint asserts Defendant had actual knowledge of the patents-in-suit as of a prior complaint filed on February 25, 2022, and that its continued infringement after receiving infringement contentions on January 17, 2023, constitutes willful misconduct. (Compl. ¶¶ 43, 56, 73, 85, 101, 115, 132, 147, 160).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of definitional scope: can the term "regularly identifiable expression," which the ’796 Patent illustrates with stereotypical natural language phrases, be construed to cover the technical data patterns, such as credit card number formats, used in the accused PAN-OS Data Filtering feature?
  • A key technical question will be one of operational correspondence: does the accused Cortex XDR's multi-faceted, cloud-connected evaluation process—involving trusted signers and the "WildFire verdict"—perform the same function as the "validating" step described in the ’137 Patent, which focuses primarily on pre-approved lists and checksums, or is there a fundamental mismatch in technical operation?
  • A central factual dispute will concern willfulness: given the allegations of a prior lawsuit filed in February 2022 and the service of infringement contentions in January 2023, the case will likely examine Defendant's state of mind regarding its continued alleged infringement and whether it maintained a good faith basis for its actions.