DCT

2:25-cv-01195

Stealthpath IP Inc v. Fortinet Inc

Key Events
Complaint

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: StealthPath IP Inc. v. Fortinet, Inc., 2:25-cv-01195, E.D. Tex., 12/08/2025
  • Venue Allegations: Plaintiff alleges venue is proper because Defendant maintains a regular and established place of business in the district (a Frisco, Texas office) and has committed acts of patent infringement in the district through the actions of its employees.
  • Core Dispute: Plaintiff alleges that Defendant’s Secure SD-WAN products, including its FortiGate and FortiWiFi lines, infringe three patents related to "zero trust" cybersecurity and securing communications in software-defined networks.
  • Technical Context: The technology at issue involves methods for securing computer network communications, particularly within virtualized environments and between trusted and untrusted network segments.
  • Key Procedural History: The complaint alleges that U.S. Patent No. 11,729,143 is a continuation of the application that issued as U.S. Patent No. 10,965,646. For willfulness, the complaint alleges Defendant had pre-suit knowledge of U.S. Patent No. 10,374,803 as of February 9, 2024, when it was cited by a USPTO examiner during the prosecution of a Fortinet patent application.

Case Timeline

| Date | Event |
| --- | --- |
| 2017-10-06 | Earliest Priority Date for ’803, ’646, and ’143 Patents |
| 2019-08-06 | U.S. Patent No. 10,374,803 Issues |
| 2021-03-30 | U.S. Patent No. 10,965,646 Issues |
| 2023-08-15 | U.S. Patent No. 11,729,143 Issues |
| 2024-02-09 | Alleged Pre-Suit Knowledge of ’803 Patent by Defendant |
| 2025-12-08 | Complaint Filed |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,374,803 - Methods for Internet Communication Security (Issued August 6, 2019)

The Invention Explained

  • Problem Addressed: The patent background identifies a "need to address security threats that can arise during hypervisor-mediated communications" where malware could attack applications within virtual machines, either directly or by exploiting the hypervisor itself (Compl. ¶17; ’803 Patent, col. 1:31-36). This includes vulnerabilities such as "holes in memory management" within hypervisors (Compl. ¶18; ’803 Patent, col. 22:59-61).
  • The Patented Solution: The invention proposes embedding "a network security layer resident in the hypervisor that authenticates and authorizes incoming communications before transmission to virtualized components" (’803 Patent, col. 1:45-52). By operating at the hypervisor level, which manages the virtual machines, the system can intercept, decrypt, inspect, and authorize network packets before they ever reach the potentially vulnerable operating system or applications running inside a virtual machine (Compl. ¶18; ’803 Patent, col. 283:58-284:8).
  • Technical Importance: This architecture provides a more fundamental layer of security for virtualized environments, as it is more difficult for malware within a compromised virtual machine to bypass security controls that are enforced by the underlying hypervisor (Compl. ¶18).

Key Claims at a Glance

  • The complaint asserts infringement of at least independent Claim 1 (Compl. ¶32).
  • The essential elements of Claim 1 include:
    • A product for authorizing network communications in a hypervisor, comprising a non-transitory computer-readable storage medium with program code executable in a hypervisor.
    • Intercepting a first network packet in the hypervisor, where the packet includes a portion higher than OSI layer three.
    • Decrypting at least a portion of this higher-layer data with a single-use cryptographic key to obtain packet parameters.
    • Authorizing the network packet in the hypervisor by comparing the obtained packet parameters with expected values.
    • Passing the authorized packet to a virtual device.
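The following is an added illustration, not code from the complaint, from the ’803 Patent, or from Fortinet. It models the five claim elements just listed as a toy hypervisor-level authorizer: a packet is intercepted, its higher-than-layer-3 portion is decrypted with a key that is replaced after each use, the recovered parameters are compared with expected values, and only an authorized packet is passed to the virtual device. The same authorizer run with a fixed session key shows the behavioural difference that the "single-use" language turns on (a replayed packet is rejected under rotation but accepted under a session key). The packet layout, the SHA-256 keystream, and the HMAC-based key rotation are assumptions of this example, chosen so it runs on the standard library; they are not the patent's scheme.

```python
# Added illustration, not code from the complaint, the patents or Fortinet.
# Toy hypervisor-level packet authorizer: intercept, decrypt with a single-use
# key, compare parameters with expected values, pass to a virtual device.
# Packet layout, keystream and key-rotation scheme are assumptions of this
# example (stdlib only; not suitable for real traffic).
import hashlib
import hmac
import json
import struct

# Constructed layer-3 header: source IPv4, destination IPv4, ciphertext length.
HEADER = struct.Struct("!4s4sH")
TAG_LEN = 32


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks (illustrative only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rotate_key(key: bytes) -> bytes:
    """Derive the next single-use key from the current one (assumed scheme)."""
    return hmac.new(key, b"rotate", hashlib.sha256).digest()


def seal_packet(key: bytes, src: bytes, dst: bytes, params: dict) -> bytes:
    """Sender side: cleartext header + encrypted JSON parameters + HMAC tag."""
    plaintext = json.dumps(params, sort_keys=True).encode()
    ciphertext = xor_bytes(plaintext, keystream(key, len(plaintext)))
    header = HEADER.pack(src, dst, len(ciphertext))
    tag = hmac.new(key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class HypervisorAuthorizer:
    """Authorizes packets before they reach the virtual device.

    rotate=True replaces the key after every decryption ("single-use");
    rotate=False keeps one key for the whole session, for comparison.
    """

    def __init__(self, key: bytes, expected: dict, rotate: bool = True):
        self.key = key
        self.expected = expected
        self.rotate = rotate
        self.virtual_device = []  # packets passed on after authorization

    def intercept(self, packet: bytes) -> str:
        if len(packet) < HEADER.size + TAG_LEN:
            return "drop:malformed"
        header = packet[:HEADER.size]
        src, dst, ct_len = HEADER.unpack(header)
        ciphertext = packet[HEADER.size:HEADER.size + ct_len]
        tag = packet[HEADER.size + ct_len:]
        if len(ciphertext) != ct_len or len(tag) != TAG_LEN:
            return "drop:malformed"
        # Verify the tag under the current key before decrypting anything.
        expected_tag = hmac.new(self.key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return "drop:bad-key-or-tampered"
        plaintext = xor_bytes(ciphertext, keystream(self.key, ct_len))
        if self.rotate:
            self.key = rotate_key(self.key)  # key used once; replace it
        try:
            params = json.loads(plaintext)
        except ValueError:
            return "drop:undecodable"
        if not isinstance(params, dict):
            return "drop:undecodable"
        # Authorize: every expected parameter must match the recovered value.
        for name, value in self.expected.items():
            if params.get(name) != value:
                return f"drop:{name}"
        self.virtual_device.append((src, dst, params))
        return "pass"


def run_demo() -> dict:
    """Feed the same packets to a single-use and a session-key authorizer."""
    root = hashlib.sha256(b"constructed shared secret").digest()
    expected = {"app_id": "billing-svc", "proto": "https", "port": 443}
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
    good = seal_packet(root, src, dst, {**expected, "seq": 1})
    # The sender rotates in step with the single-use authorizer for its second packet.
    wrong_port = seal_packet(rotate_key(root), src, dst, {**expected, "port": 8443})
    wrong_port_session = seal_packet(root, src, dst, {**expected, "port": 8443})
    single_use = HypervisorAuthorizer(root, expected, rotate=True)
    session = HypervisorAuthorizer(root, expected, rotate=False)
    return {
        # Second delivery of `good` is a replay: rejected once the key has rotated.
        "single_use": [single_use.intercept(p) for p in (good, good, wrong_port)],
        "session": [session.intercept(p) for p in (good, good, wrong_port_session)],
        "single_use_passed": len(single_use.virtual_device),
        "session_passed": len(session.virtual_device),
    }
```

Running `run_demo()` yields `["pass", "drop:bad-key-or-tampered", "drop:port"]` for the rotating authorizer and `["pass", "pass", "drop:port"]` for the session-key one: the parameter comparison behaves identically in both, and only the treatment of a reused key differs.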

U.S. Patent No. 10,965,646 - Methods For Internet Communication Security (Issued March 30, 2021)

The Invention Explained

  • Problem Addressed: The patent addresses vulnerabilities created by "weak-links in the network security in the form of legacy systems and devices" that cannot support modern security techniques. This creates a need for "interfaces to immunize, or to at least limit the attendant risks of, communications between protected and unsecure networks" (Compl. ¶20; ’646 Patent, col. 1:30-50).
  • The Patented Solution: The invention describes a method for "bridging network communications between device networks sharing protected, trusted Ethernet-based communications with the large body of relatively unsecure legacy devices and networks" (’646 Patent, col. 1:51-56). The claimed solution involves a multi-step process where a secure pathway is established through an exchange and comparison of "application identifiers" between two devices. The system then confirms that the data payload being sent conforms to a pre-assigned data model for that specific application before passing it through the secure pathway (Compl. ¶22; ’646 Patent, col. 308:32-55).
  • Technical Importance: This technology allows for the secure integration of legacy or less-secure devices into a trusted network without requiring modifications to the legacy devices themselves, thereby bridging a common security gap in heterogeneous networks (Compl. ¶21).

Key Claims at a Glance

  • The complaint asserts infringement of at least independent Claim 1 and dependent Claim 15 (Compl. ¶¶22-23, 53).
  • The essential elements of Claim 1 include:
    • A product for securing communications, comprising a non-transitory computer-readable storage medium with program code executable by a processor.
    • Receiving a first port-to-port network packet from a first computing device.
    • Establishing a secure communication pathway with a user-application at a second computing device, which comprises the steps of: sending a first application identifier, receiving a second application identifier in response, and comparing the second identifier with a pre-established value.
    • Confirming a payload of the packet conforms to a data model pre-assigned to the pre-established value for that user-application.
    • Passing the payload to the second computing device via the secure pathway.

Multi-Patent Capsule

  • Patent Identification: U.S. Patent No. 11,729,143, "Methods For Internet Communication Security," issued August 15, 2023 (Compl. ¶15).
  • Technology Synopsis: This patent, a continuation of the ’646 Patent, also relates to securing communications between networked devices. The claimed method involves consuming a network packet to obtain its payload and destination port number, confirming that the payload conforms to a pre-assigned data model for that port, and then forming a new, second network packet that includes the payload along with local program and data model identification codes for transmission via a secure pathway (Compl. ¶24).
  • Asserted Claims: Independent Claim 1 and dependent Claim 19 (Compl. ¶¶24-25, 72).
  • Accused Features: The complaint alleges that Fortinet's application control features, which "recognize network traffic generated by a large number of applications" and use "sensors [to] specify what action to take," infringe by consuming packets, obtaining payloads and port numbers, confirming conformity with data models, and transmitting new packets (Compl. ¶¶75-80).
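The following is an added illustration, not code from the complaint, from the ’646 or ’143 Patents, or from Fortinet. It models the ’646 claim elements (exchange of application identifiers, comparison with a pre-established value, confirmation that the payload conforms to the data model pre-assigned to that value, passing the payload via the pathway) together with the ’143 capsule's variant, where the data model is selected by destination port and a second packet is formed carrying the payload plus program and data-model identification codes. The peer name, identifier strings, port numbers and data models are constructed for the example; the conformance check (exact field set and JSON types) is one assumed way of expressing a "data model".

```python
# Added illustration, not code from the complaint, the patents or Fortinet.
# Identifier exchange, data-model conformance keyed by the peer's
# pre-established value and destination port, then forwarding a second
# packet with program and model identification codes. All identifiers,
# ports and models below are constructed for this example.
import json

# Constructed data models: field name -> accepted JSON type(s); no extra fields allowed.
DATA_MODELS = {
    "telemetry-v1": {"device": str, "reading": (int, float), "unit": str},
    "control-v1": {"command": str, "target": str},
}

# Pre-established identifier value expected from each named peer application.
EXPECTED_PEER_IDS = {"sensor-hub": "app:sensor-hub:v3"}

# Data models pre-assigned to each pre-established value, keyed by destination port.
PRE_ASSIGNED_MODELS = {
    "app:sensor-hub:v3": {5001: "telemetry-v1", 5002: "control-v1"},
}


def conforms(payload: bytes, model_id: str) -> bool:
    """True only if the payload is a JSON object with exactly the model's fields and types."""
    model = DATA_MODELS.get(model_id)
    if model is None:
        return False
    try:
        obj = json.loads(payload)
    except ValueError:
        return False
    if not isinstance(obj, dict) or set(obj) != set(model):
        return False
    return all(isinstance(obj[k], t) and not isinstance(obj[k], bool)
               for k, t in model.items())


class PeerApplication:
    """User-application on the second computing device."""

    def __init__(self, name: str, app_id: str):
        self.name = name
        self.app_id = app_id
        self.received = []

    def respond(self, first_identifier: str) -> str:
        # Answers the gateway's identifier with its own (a real peer would verify it too).
        return self.app_id

    def deliver(self, packet: dict) -> None:
        self.received.append(packet)


class SecureGateway:
    def __init__(self, local_program_id: str):
        self.local_program_id = local_program_id
        self.pathways = {}  # peer name -> (peer, pre-established value it matched)

    def establish_pathway(self, peer: PeerApplication) -> bool:
        """Send our identifier, receive the peer's, compare with the pre-established value."""
        second_identifier = peer.respond(self.local_program_id)
        expected = EXPECTED_PEER_IDS.get(peer.name)
        if expected is None or second_identifier != expected:
            return False
        self.pathways[peer.name] = (peer, expected)
        return True

    def forward(self, peer_name: str, packet: dict) -> str:
        """Consume a port-to-port packet; pass its payload only if it conforms."""
        if peer_name not in self.pathways:
            return "drop:no-pathway"
        peer, value = self.pathways[peer_name]
        payload, dst_port = packet["payload"], packet["dst_port"]
        model_id = PRE_ASSIGNED_MODELS.get(value, {}).get(dst_port)
        if model_id is None:
            return "drop:unassigned-port"
        if not conforms(payload, model_id):
            return "drop:nonconforming"
        # Second packet: payload plus local program and data-model identification codes.
        peer.deliver({"payload": payload, "program_id": self.local_program_id,
                      "model_id": model_id})
        return "pass"


def run_demo() -> dict:
    gateway = SecureGateway("gw:edge-01")
    hub = PeerApplication("sensor-hub", "app:sensor-hub:v3")
    impostor = PeerApplication("sensor-hub", "app:unknown")  # wrong identifier value
    telemetry = json.dumps({"device": "pump-7", "reading": 3.2, "unit": "bar"}).encode()
    control = json.dumps({"command": "close", "target": "valve-2"}).encode()
    results = {"impostor": gateway.establish_pathway(impostor),
               "hub": gateway.establish_pathway(hub)}
    results["forward"] = [
        gateway.forward("sensor-hub", {"src_port": 40000, "dst_port": 5001, "payload": telemetry}),
        gateway.forward("sensor-hub", {"src_port": 40000, "dst_port": 5001, "payload": control}),
        gateway.forward("sensor-hub", {"src_port": 40000, "dst_port": 5002, "payload": control}),
        gateway.forward("sensor-hub", {"src_port": 40000, "dst_port": 9999, "payload": control}),
        gateway.forward("other-peer", {"src_port": 40000, "dst_port": 5001, "payload": telemetry}),
    ]
    results["delivered_models"] = [p["model_id"] for p in hub.received]
    return results
```

The second `forward` call is the case the page describes as port enforcement: a well-formed control payload is dropped on port 5001 because the model pre-assigned to that port is the telemetry model, while the same payload passes on port 5002.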

III. The Accused Instrumentality

Product Identification

The accused instrumentalities are Fortinet products that support Secure SD-WAN, including the FortiGate and FortiWiFi product lines (collectively, the "Accused Products") (Compl. ¶26).

Functionality and Market Context

  • The Accused Products are described as "Converged Next-Generation Firewall and SD-WAN" appliances that integrate firewalling, SD-WAN, and security functions (Compl. ¶34). A central component of the infringement allegations is the FortiGate-VM, a virtual appliance designed to run on hypervisors such as Nutanix Acropolis Hypervisor (AHV) (Compl. ¶35). Its functions include network perimeter security, application control, threat detection, and segmentation (Compl. p. 12, "FortiGate VM Use Cases" figure).
  • The complaint focuses on the "deep packet inspection" feature, which allows the Accused Products to intercept encrypted traffic (e.g., HTTPS), decrypt it for "Content scanning," and then re-encrypt and pass it to its destination (Compl. ¶¶36, 38). An annotated diagram from Fortinet's documentation shows this decryption and re-encryption process (Compl. p. 13, Figure 9). The complaint alleges this functionality enables the Accused Products to perform "Protocol enforcement" by comparing traffic against known protocols for specific ports (Compl. ¶40).
  • The complaint cites a "Gartner® Magic Quadrant™" that positions Fortinet as a "Leader" for both Network Firewalls and SD-WAN, suggesting the commercial importance of the Accused Products (Compl. p. 10, Figure).

IV. Analysis of Infringement Allegations

10,374,803 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| intercepting a first network packet in the hypervisor, the first network packet comprising a first higher-than-OSI layer three portion | FortiGate-VM runs in a hypervisor and intercepts network packets, including encrypted HTTPS packets, which contain data above OSI layer three. | ¶36 | col. 22:53-58 |
| decrypting, with a single-use cryptographic key, at least a portion of the first higher-than-OSI layer three portion to obtain one or more first packet parameters | The Accused Products perform deep packet inspection of SSL traffic, which requires decryption. The complaint cites a Fortinet glossary stating that keys should be generated for a "specific single-use encrypt/decrypt purpose." | ¶¶38-39 | col. 10:35-42 |
| authorizing the first network packet in the hypervisor, comprising: comparing the one or more first packet parameters with one or more first expected values | After decryption, the Accused Products perform "Content scanning" and "Protocol enforcement," which compares the packet's contents and protocol against pre-defined rules and expected values to determine if the traffic should be blocked or monitored. | ¶40 | col. 12:40-54 |
| passing the authorized first network packet to a virtual device | After the packet is authorized through content scanning and protocol enforcement, it is re-encrypted and passed on to its destination, such as a web server, which may be a virtual device. | ¶41 | col. 23:3-6 |
  • Identified Points of Contention:
    • Scope Questions: The complaint alleges the FortiGate-VM, itself a virtual machine, operates "in the hypervisor" to satisfy the claim preamble. A potential issue is whether a virtual appliance performing security for other virtual devices meets the claim's framing, which describes a security layer "resident in the hypervisor" that passes packets to a virtual device.
    • Technical Questions: A significant technical question will be whether the Accused Products actually employ a "single-use cryptographic key" as required by the claim. The complaint's sole evidence for this limitation is a general statement from a glossary, not a technical document detailing the product's cryptographic implementation (Compl. ¶39). The defense may argue that standard SSL/TLS session keys, while unique to a session, do not meet the specific "single-use" limitation as construed from the patent.

10,965,646 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| receiving a first port-to-port network packet from a first computing device | The FortiGate appliance receives network packets from other devices on the network, such as a user on the internet or an endpoint device. A diagram shows traffic flowing from the internet to the FortiGate (Compl. p. 21, Figure 21). | ¶56 | col. 2:28-31 |
| establishing a secure communication pathway with a user-application at a second computing device, comprising: sending an application identifier...; receiving...a second application identifier...; and comparing... | This is alleged to be met by the TLS handshake process, where the FortiGate (acting as server or intermediary) sends its server certificate ("first application identifier") and receives a client certificate ("second application identifier") for verification. | ¶¶57-59 | col. 4:54-5:12 |
| confirming a payload of the first port-to-port network packet conforms to a data model pre-assigned to the pre-established value for the user-application | This is alleged to be met by the "Port enforcement check" feature, where an IPS engine checks if an application signature in a packet's payload conforms to the expected protocol ("data model") for the port on which it is running. | ¶60 | col. 2:31-35 |
| passing the payload to the second computing device via the secure communication pathway | Once the packet is validated and the secure pathway (TLS session) is established, the payload is passed to the destination computing device. | ¶61 | col. 6:30-34 |
  • Identified Points of Contention:
    • Scope Questions: A central dispute will likely be whether a standard TLS certificate qualifies as the "application identifier" recited in the claim. The defense may argue that the patent contemplates a more specific or proprietary identifier used for application-level authentication, rather than a general-purpose certificate used for transport-layer security.
    • Technical Questions: The infringement theory maps the "data model pre-assigned to the pre-established value" to Fortinet's "Port enforcement check." The analysis will question whether this feature performs the specific confirmation required by the claim or a more general policy enforcement function that is technically distinct from what is patented.

V. Key Claim Terms for Construction

From the ’803 Patent

  • The Term: "single-use cryptographic key"
  • Context and Importance: This term is critical because the infringement allegation relies on equating it with keys used in Fortinet's SSL inspection. The definition will determine whether standard, session-based cryptographic practices fall within the claim scope. Practitioners may focus on this term because the complaint's supporting evidence is a general marketing document rather than a specific technical implementation guide (Compl. ¶39).
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent does not explicitly define the term, which may allow for an argument that any key used for a discrete cryptographic operation (like decrypting a single packet or a single session's data) qualifies. The specification notes that "the single-use cryptographic key may be used to decrypt the subsequent network packet" (’803 Patent, col. 10:35-37), which could be argued to cover a key used for one session.
    • Evidence for a Narrower Interpretation: The repeated use of "single-use" suggests an intent to claim something more specific than a standard session key. The specification also discusses rotating the key to obtain a "further single-use cryptographic key" (’803 Patent, col. 10:43-45), which suggests a key is used and then immediately replaced, a practice that may be narrower than how keys are managed in a typical TLS session.

From the ’646 Patent

  • The Term: "application identifier"
  • Context and Importance: The complaint's infringement theory for the "establishing a secure communication pathway" step depends on construing this term to read on digital certificates used in TLS handshakes (Compl. ¶¶57-59). The viability of this theory rests entirely on the term's construction.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent abstract refers generally to exchanging "application identifiers," and the term itself is not explicitly defined or limited in the claims. This lack of a specific definition may support a construction that covers any data used to identify an application, including a certificate.
    • Evidence for a Narrower Interpretation: The specification provides context that may support a narrower reading. It describes embodiments with a "pre-provisioned user-application identifier" (’646 Patent, col. 17:17-18) and a system of comparing these identifiers against pre-established values. This could suggest the patent contemplates a specific, pre-configured identifier within the security system itself, rather than a general-purpose, publicly-verifiable certificate.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges active inducement of infringement under 35 U.S.C. § 271(b) by asserting that Fortinet provides instructions, customer support, and "regularly-scheduled webinars to instruct users regarding operation" of the Accused Products in an infringing manner (Compl. ¶¶44, 64). Allegations of contributory infringement under § 271(c) are based on the assertion that the Accused Products are "especially made and/or adapted for infringement" and are not staple articles of commerce (Compl. ¶¶45, 65).
  • Willful Infringement: The complaint alleges willful infringement based on both pre-suit and post-suit knowledge. Pre-suit knowledge of the ’803 patent is alleged to have occurred "at least as early as February 9, 2024, when the examiner cited the ’803 patent during prosecution of Fortinet’s United States Patent No. 12,063,207" (Compl. ¶47). For all Asserted Patents, knowledge is alleged at least as of the date of service of the complaint (Compl. ¶28).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of technical implementation: does the cryptographic process used in Fortinet’s commercial "deep packet inspection" feature employ a "single-use cryptographic key" as specifically required by Claim 1 of the ’803 patent, or does it utilize standard session key management practices that fall outside the claim's scope?
  • A central question of definitional scope will be whether the term "application identifier", as recited in the multi-step authentication process of Claim 1 of the ’646 patent, can be construed to read on standard digital certificates exchanged during a TLS handshake, or if the patent's specification limits the term to a more specific, proprietary identifier.
  • A key evidentiary question will concern functional operation: does the FortiGate-VM, which functions as a virtual security intermediary, perform the claimed step of "passing the authorized first network packet to a virtual device" (’803 Patent) in the manner contemplated by the patent, which appears to describe a system where the "virtual device" is the communication's endpoint rather than an intermediary?