Skysong Innovations Inc v. Fortinet Inc

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: Skysong Innovations, LLC (Arizona)
  • Defendant: Fortinet, Inc. (Delaware)
  • Plaintiff’s Counsel: Key Kesan Dallmann PLLC
• Case Identification: Skysong Innovations, LLC v. Fortinet, Inc., 2:25-cv-00098, E.D. Tex., 01/31/2025
• Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendant Fortinet maintains a regular and established place of business in Frisco, Texas, and employs hundreds of individuals within the district.
• Core Dispute: Plaintiff, the exclusive intellectual property management organization for Arizona State University, alleges that Defendant’s integrated cybersecurity platform, the Fortinet Security Fabric, infringes four patents related to advanced cyber threat detection, mitigation, and prediction technologies.
• Technical Context: The technology at issue involves using data from unconventional sources like darknet forums and applying game theory and machine learning models to proactively identify, classify, and neutralize sophisticated cyber threats.
• Key Procedural History: The complaint states that the Asserted Patents were invented by Arizona State University faculty and researchers and are now exclusively owned by Plaintiff Skysong Innovations. No other significant procedural events are mentioned.

Case Timeline

Date	Event
2015-11-30	U.S. Patent No. 10,313,385 Priority Date
2016-09-26	U.S. Patent No. 11,775,831 Priority Date
2017-11-03	U.S. Patent No. 11,892,897 Priority Date
2018-05-09	U.S. Patent No. 11,275,900 Priority Date
2019-06-04	U.S. Patent No. 10,313,385 Issue Date
2022-03-15	U.S. Patent No. 11,275,900 Issue Date
2023-10-03	U.S. Patent No. 11,775,831 Issue Date
2024-02-06	U.S. Patent No. 11,892,897 Issue Date
2025-01-31	Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,313,385 - "Systems and methods for data driven game theoretic cyber threat mitigation"

• Issued: June 4, 2019

The Invention Explained

• Problem Addressed: The patent’s background section identifies a lack of game-theoretic approaches to cybersecurity that are informed by "un-conventional" sources, specifically data from darknet markets where cyber exploits are sold (Compl. ¶22; ’385 Patent, col. 2:26-31). This makes it difficult for organizations to anticipate and model real-world attacker behavior for penetration testing and defense.
• The Patented Solution: The invention provides a security game framework that models an attacker based on real-world exploit market data mined from the darknet (’385 Patent, Abstract; col. 1:15-20). This framework allows a defender to analyze vulnerabilities and develop optimal defense strategies by systematically modeling the choices a budget-constrained attacker would make when purchasing exploits to attack a target system (Compl. ¶22; ’385 Patent, col. 3:8-15).
• Technical Importance: The invention provided a rigorous framework for incorporating real-world economic and intelligence data from clandestine online markets into formal cybersecurity defense models (Compl. ¶22).

Key Claims at a Glance

• The complaint asserts independent claim 8 (Compl. ¶46).
• The essential elements of independent claim 8 include:
  • accessing data comprising dark net information associated with a computer system;
  • obtaining a set of exploits from the dark net information configured to bypass a security feature;
  • applying an exploit function which takes the exploits as input and returns a set of vulnerabilities;
  • creating a constraint set of vulnerabilities comprising a minimum set of dependencies to operate the computer system;
  • analyzing an application associated with the exploits to detect a particular vulnerability; and
  • altering a configuration of the computer system in response to the analysis to reduce potential damage.
• The complaint alleges infringement of "one or more claims" of the patent (Compl. ¶45).

U.S. Patent No. 11,275,900 - "Systems and methods for automatically assigning one or more labels to discussion topics shown in online forums on the dark web"

• Issued: March 15, 2022

The Invention Explained

• Problem Addressed: The patent addresses the challenge of classifying vast amounts of unstructured information found on deep and dark web forums, which are not indexed by conventional search engines (’900 Patent, col. 1:63-66). Traditional methods for labeling this data for machine learning are manual, time-consuming, and struggle with data scarcity and imbalanced classes (Compl. ¶27; ’900 Patent, col. 2:10-15).
• The Patented Solution: The invention is a computer-implemented system that automatically assigns one or more labels, or tags, to discussion topics from deep-web forums in a hierarchical structure (’900 Patent, col. 3:10-14). It uses a Doc2vec vectorization technique to perform feature extraction on topic titles and applies machine classifiers to assign multiple relevant tags, thereby structuring the unstructured data (’900 Patent, col. 4:1-12).
• Technical Importance: This technology automates the analysis and categorization of threat intelligence from dark web forums, enabling more efficient and scalable monitoring of criminal activities and emerging cyber threats (Compl. ¶27).

Key Claims at a Glance

• The complaint asserts independent claim 12 (Compl. ¶69).
• The essential elements of independent claim 12 include:
  • accessing data associated with a deep web forum, the data defining a topic for classification;
  • extracting a set of features from the data as inputs for a machine classifier;
  • applying a machine classifier to the set of features to generate a prediction list of tags for classifying the topic, including a prediction probability value for each tag; and
  • adding all parent tags associated with a tag to the prediction list based on a comparison between the prediction probability value and a predetermined threshold.
• The complaint alleges infringement of "one or more claims" of the patent (Compl. ¶68).

U.S. Patent No. 11,775,831 - "Cascaded computing for convolutional neural networks"

• Issued: October 3, 2023 (Compl. ¶30)
• Technology Synopsis: The patent addresses the high computational cost of Convolutional Neural Networks (CNNs), which makes real-time classification difficult on low-power systems (’831 Patent, col. 1:22-29). The solution is a "cascaded" computing method that first performs a computationally inexpensive analysis using only the most significant bits (MSBs) of data to identify a likely maximum value, and only then performs a full-precision computation on that specific data set, thereby reducing the total computation required (Compl. ¶32; ’831 Patent, col. 1:37-50).
• Asserted Claims: Claim 1 (Compl. ¶90).
• Accused Features: The complaint alleges that Fortinet's AI-powered threat detection systems, which use machine learning and specialized processors (SPU, vSPU), embody the claimed invention (Compl. ¶91-92).

U.S. Patent No. 11,892,897 - "Systems and methods for predicting which software vulnerabilities will be exploited by malicious hackers to prioritize for patching"

• Issued: February 6, 2024 (Compl. ¶35)
• Technology Synopsis: The patent addresses the problem that prior methods for prioritizing software patches were ineffective, often over-reporting vulnerabilities as severe without accurately predicting which ones would actually be exploited (’897 Patent, col. 1:45-2:7). The invention leverages machine learning models that analyze data from multiple sources, including dark/deep web forums and the National Vulnerability Database, to more accurately predict which vulnerabilities will be exploited "in the wild" (Compl. ¶37; ’897 Patent, col. 3:55-56, col. 4:20-23).
• Asserted Claims: Claim 1 (Compl. ¶109).
• Accused Features: The complaint alleges that Fortinet’s FortiRecon service, which uses AI and machine learning to monitor threats and "prioritize remediations," infringes the patent by assessing the likelihood of exploitation of software vulnerabilities (Compl. ¶110-111).

III. The Accused Instrumentality

Product Identification

• The complaint accuses the "Fortinet Security Fabric," described as an integrated platform, and its component products and services, including FortiGuard, FortiRecon, FortiGate, FortiSandbox, FortiEDR, and FortiDLP (Compl. ¶6, 40-42).

Functionality and Market Context

• The Accused Products constitute a comprehensive cybersecurity platform that provides secure networking, endpoint protection, and AI-driven security operations (Compl. ¶40). A central alleged feature is its use of AI and machine learning to provide threat intelligence (Compl. ¶15). This includes FortiRecon's function to monitor dark web sources for threats and FortiSandbox's function to analyze potential malware in a controlled environment to understand its behavior (Compl. ¶17, 22, 50, 53). A marketing graphic in the complaint depicts FortiEDR providing automated cycles of pre-infection prevention, detection, and post-infection response (Compl. p. 12). Another graphic shows a dashboard for the FortiDLP product, which is designed to anticipate and prevent data theft by monitoring user activity and data flows (Compl. p. 13).

IV. Analysis of Infringement Allegations

'385 Patent Infringement Allegations

Claim Element (from Independent Claim 8)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
accessing data comprising dark net information associated with a computer system;	Fortinet's FortiRecon service actively monitors and collects data from dark web sources to understand threats.	¶50	col. 14:19-21
obtaining a set of exploits from the dark net information, the set of exploits configured to bypass a security feature of the computer system;	FortiRecon obtains information about exploits from the dark net as part of its counter-adversary operations.	¶51	col. 14:22-25
applying an exploit function which takes the set of exploits as input and returns a set of vulnerabilities;	FortiGuard Labs analyzes attack techniques and FortiRecon provides intelligence on threat actor tools and tactics to identify system vulnerabilities.	¶52	col. 14:26-28
creating a constraint set of vulnerabilities of the computer system from the set of vulnerabilities comprising a minimum set of dependencies to operate the computer system...	FortiSandbox executes files and URLs in a controlled environment, which allegedly involves determining the effect of exploits on a system's core dependencies.	¶53	col. 14:29-36
analyzing an application associated with the set of exploits on the computer system to detect a particular vulnerability...; and	FortiSandbox conducts detailed examinations of how exploits are applied to identify specific vulnerabilities that adversaries could exploit.	¶54	col. 14:37-41
altering a configuration of the computer system in response to the analysis of the application of the set of exploits to reduce potential damage of a cyberattack.	The Fortinet Security Fabric implements configuration changes based on intelligence gathered to protect systems against identified threats.	¶55	col. 14:42-46

Identified Points of Contention

• Scope Questions: The complaint maps broad cybersecurity functions to specific, formal claim limitations. A central question may be whether the term "creating a constraint set of vulnerabilities... comprising a minimum set of dependencies," as defined in the context of the patent's game-theoretic model, can read on the general function of executing a file in a sandbox as performed by FortiSandbox (Compl. ¶53).
• Technical Questions: What evidence does the complaint provide that FortiSandbox's analysis involves the specific step of creating a "constraint set" of system dependencies? The complaint alleges this function (Compl. ¶53), but the provided screenshots describe behavior analysis and threat detection more generally. A screenshot showing FortiRecon's dark web monitoring capabilities is cited as evidence for accessing dark net information (Compl. p. 17).

'900 Patent Infringement Allegations

Claim Element (from Independent Claim 12)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
accessing data associated with a deep web forum, the data defining a topic for classification;	Fortinet's FortiGuard Labs monitors the "darknet," which it defines as a "division of the deep web," to obtain data about criminal activities for classification.	¶71	col. 17:5-7
extracting a set of features from the data as inputs for a machine classifier;	FortiRecon's "Adversary Centric Intelligence" uses machine learning tools that employ "feature vectors" as inputs to process data from deep-web sources.	¶73-74	col. 17:8-10
apply a machine classifier to the set of features to generate a prediction list of tags for classifying the topic, wherein the prediction list includes a prediction probability value for each tag...; and	FortiGuard uses machine learning to classify information from "Hacker Sites/Forums" and derive "indicators of compromise" that allegedly predict topics associated with a threat.	¶75	col. 17:10-14
adding all parent tags associated with a tag of the plurality of tags to the prediction list based on a comparison between the prediction probability value for the tag and a first predetermined threshold value.	FortiGuard's tools are alleged to correlate information from various sources to "apply all relevant categorizations to the information (e.g., add all parent tags)."	¶76	col. 17:15-19

Identified Points of Contention

• Scope Questions: The final element requires a specific, conditional step: "adding all parent tags... based on a comparison between the prediction probability value... and a first predetermined threshold value." The key legal question will be whether the accused system's general function of "correlat[ing] information" and "apply[ing] all relevant categorizations" (Compl. ¶76) meets this precise algorithmic limitation.
• Technical Questions: Does the accused system generate a "prediction list of tags" with an explicit "prediction probability value for each tag," as recited in the claim? The complaint's evidence, including a diagram of Fortiguard Labs' IOC collection methods (Compl. p. 33), shows data collection and classification but does not explicitly detail the generation of a probabilistic tag list.

V. Key Claim Terms for Construction

Term: "constraint set of vulnerabilities... comprising a minimum set of dependencies to operate the computer system" (’385 Patent, Claim 8)

• Context and Importance: This term is central to the infringement theory against the '385 patent, as it connects the patent's formal, game-theoretic model to the practical function of FortiSandbox. The defendant may argue this term requires a specific, formally defined data structure, while the plaintiff's theory appears to interpret it more broadly.
• Intrinsic Evidence for Interpretation:
  • Evidence for a Broader Interpretation: The specification defines a "constraint set" generally as "vulnerabilities required for some system functionality" and notes that for a given system, an administrator selects which vulnerabilities may be present to allow applications to function (’385 Patent, col. 3:28-49). This could support an interpretation covering the implicit dependencies of any operating system.
  • Evidence for a Narrower Interpretation: The term is introduced within a detailed "security game" framework designed to model attacker and defender strategies (’385 Patent, col. 3:10-15). This context suggests the "constraint set" may be a specific element within that formal model, rather than a general description of system dependencies.

Term: "adding all parent tags... based on a comparison between the prediction probability value for the tag and a first predetermined threshold value" (’900 Patent, Claim 12)

• Context and Importance: This is the final, dispositive step of the asserted method claim. The plaintiff’s infringement allegation for this element relies on a high-level description of "correlation." Practitioners may focus on this term because its construction will determine whether a specific, quantitative, threshold-based algorithm is required for infringement.
• Intrinsic Evidence for Interpretation:
  • Evidence for a Broader Interpretation: The patent's "Leveraging Tag Hierarchy" section describes the general concept of adding parent tags if a child tag is predicted, to ensure hierarchical consistency (’900 Patent, col. 6:28-34). This could support a view that any process enforcing hierarchy meets the claim.
  • Evidence for a Narrower Interpretation: The specification provides "Algorithm 1," which explicitly defines an "add parent threshold value (α)" and a "remove child threshold value (β)" used to regulate how parent tags are added (’900 Patent, col. 6:45-68). This provides strong intrinsic evidence that the claim requires a specific algorithmic step involving a numerical comparison against a defined threshold.

VI. Other Allegations

• Indirect Infringement: For all four asserted patents, the complaint alleges induced infringement. The stated basis is that Fortinet provides its products along with marketing materials, user manuals, and technical support that allegedly encourage and instruct customers and partners to use the Accused Products in an infringing manner (Compl. ¶58-62, 79-83, 98-102, 124-128).
• Willful Infringement: The complaint alleges willful infringement for all four patents based on Fortinet’s alleged knowledge "since at least the filing of this Complaint" (Compl. ¶56, 77, 96, 122). It also includes a general allegation that Fortinet "made the deliberate decision to sell products and services that it knew infringe" but provides no specific facts to support pre-suit knowledge (Compl. ¶65, 86, 105, 131).

VII. Analyst’s Conclusion: Key Questions for the Case

• A core issue will be one of algorithmic specificity: do the accused products' general AI-driven threat analysis and classification functions perform the specific, multi-step, and conditional algorithmic processes required by the asserted claims, such as creating a formal "constraint set of vulnerabilities" (’385 Patent) or performing a threshold-based "adding all parent tags" operation (’900 Patent)?
• A key evidentiary question will be one of technical mapping: what discovery evidence will be produced to demonstrate that the high-level product descriptions of the Fortinet Security Fabric, cited extensively in the complaint, correspond to the detailed technical limitations recited in the patent claims, particularly where claims describe specific data structures or formal processes that are not apparent from marketing materials?