DCT

2:25-cv-01201

Athena Security LLP v. Cisco Systems Inc

Log In
Key Events
Complaint

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:25-cv-01201, E.D. Tex., 12/09/2025
  • Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendant Cisco has regular and established places of business in the district, including specific office locations in Richardson, Texas.
  • Core Dispute: Plaintiff alleges that Defendant’s network security, switching, and wireless access point products infringe three patents related to secure computer code execution, network packet relaying methods, and wireless access point configuration.
  • Technical Context: The technologies at issue cover fundamental aspects of modern computer networking, including cybersecurity threat prevention, network traffic load balancing, and wireless network performance optimization.
  • Key Procedural History: The complaint does not reference any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history related to the patents-in-suit.

Case Timeline

Date Event
2004-12-03 U.S. Patent No. 7,698,744 Priority Date
2006-08-11 U.S. Patent No. 7,969,880 Priority Date
2010-04-13 U.S. Patent No. 7,698,744 Issues
2011-06-28 U.S. Patent No. 7,969,880 Issues
2014-09-17 U.S. Patent No. 10,015,791 Priority Date
2018-07-03 U.S. Patent No. 10,015,791 Issues
2025-12-09 Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 7,698,744 - "Secure system for allowing the execution of authorized computer program code"

The Invention Explained

  • Problem Addressed: The patent’s background section describes the ineffectiveness of traditional malware detection methods, which rely on scanning for known malware signatures, against novel or rapidly changing threats (’744 Patent, col. 1:36-54).
  • The Patented Solution: The invention proposes a "proactive whitelist approach" where a kernel-level driver intercepts requests to execute code before they occur. This system then authenticates the code by comparing its "content authenticator" (e.g., a cryptographic hash) against a multi-level whitelist architecture to determine if it is pre-authorized for execution (’744 Patent, Abstract; col. 2:3-12).
  • Technical Importance: This approach represents a shift from a reactive "blacklist" security model (blocking known malicious files) to a proactive "whitelist" model (allowing only known-good files), a strategy intended to be more effective against "zero-day" or unknown threats (’744 Patent, col. 1:46-54).

Key Claims at a Glance

  • The complaint asserts infringement of claims of the patent, referencing independent claim 37 in an attached exhibit (Compl. ¶13). However, Claim 37 as issued is dependent on independent claim 23.
  • Independent Claim 23 recites a code execution authorization system comprising:
    • A kernel driver implemented in one or more computer processors and computer-readable storage media.
    • The kernel driver is operable to perform a method of allowing authorized code to execute.
    • The method includes intercepting a request to create a process associated with a code module.
    • It further includes determining whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to a remote whitelist database maintained by a trusted service provider.
    • The remote whitelist database contains cryptographic hash values of approved code modules known not to contain viruses or malicious code.
    • The method allows the code module to be loaded and executed if its hash value matches a hash value within the remote whitelist database.

U.S. Patent No. 7,969,880 - "Device and method for relaying packets"

The Invention Explained

  • Problem Addressed: The patent’s background discusses communication load imbalance in computer networks, where traffic over redundant pathways (such as those created by link aggregation) is not distributed evenly, potentially leading to performance degradation (’880 Patent, col. 1:31-39).
  • The Patented Solution: The invention describes a network relay device that uses a "computational expression," such as a hash function, to process packet header information and select an output port for packet transmission. Crucially, the device includes a "modifying module" that can change the computational expression itself, thereby altering the logic of traffic distribution to alleviate load imbalances without reconfiguring the physical port associations (’880 Patent, Abstract; col. 2:4-16).
  • Technical Importance: This technology provides a method for dynamic and flexible network traffic load balancing, offering an alternative to static hashing algorithms that may result in persistent, unbalanced traffic flows (’880 Patent, col. 2:17-21).

Key Claims at a Glance

  • The complaint asserts infringement of claims of the patent, referencing independent claim 1 in an attached exhibit (Compl. ¶21).
  • Independent Claim 1 recites a network relay device for relaying packets, comprising:
    • An interface module with a plurality of physical ports.
    • A computing module configured to execute a computing process with a "computational expression" using "seed information" (e.g., packet header data).
    • A destination search module that, based on the computation's result, selects a physical port for transmission.
    • A "modifying module" configured to modify the computational expression "without modifying the associations between computation results and output physical ports."

U.S. Patent No. 10,015,791 - "Wireless radio access point configuration"

  • Technology Synopsis: The patent addresses co-channel interference in dense wireless network environments where many access points (APs) operate in close proximity (’791 Patent, col. 2:17-24). The described solution involves a wireless network architecture using dual-radio APs where both radios are configured to operate in the same frequency band (e.g., 5 GHz) but are assigned different, non-overlapping channels arranged in a cell pattern to maximize throughput and reduce interference (’791 Patent, Abstract).
  • Asserted Claims: The complaint asserts infringement of claims of the patent, referencing independent claim 1 in an attached exhibit (Compl. ¶29).
  • Accused Features: The complaint accuses Cisco access points, such as the Cisco Catalyst 9100 Access Points, of infringement (Compl. ¶26).

III. The Accused Instrumentality

Product Identification

The complaint identifies three categories of accused products:

  • Endpoint security products: Cisco Secure Endpoint (formerly AMP for Endpoints) and Cisco Talos File Reputation (Compl. ¶10).
  • Network switches: Cisco Nexus 9000 Series (Compl. ¶18).
  • Wireless access points: Cisco Catalyst 9100 Access Points (Compl. ¶26).

Functionality and Market Context

The complaint alleges that Defendant "makes, uses, offers for sale, sell, and/or imports" these products (Compl. ¶¶10, 18, 26). The complaint does not provide specific details on the technical functionality of the accused products beyond their general product classifications, nor does it make specific allegations regarding their market position or commercial importance.

IV. Analysis of Infringement Allegations

The complaint alleges that the Accused Products satisfy all limitations of the asserted claims but provides the detailed infringement theories in claim chart exhibits that were not included with the complaint filing (Compl. ¶¶13, 21, 29). The narrative infringement allegations are conclusory. No probative visual evidence provided in complaint.

  • ’744 Patent Infringement Allegations: The complaint alleges that products including Cisco Secure Endpoint and Cisco Talos File Reputation directly infringe the ’744 Patent (Compl. ¶10). The specific theory of how these products meet the limitations of claim 23 (and dependent claim 37), such as the use of a kernel driver and authentication against a global whitelist from a "trusted third party service provider," is contained within the un-provided Exhibit 2 (Compl. ¶13).

  • ’880 Patent Infringement Allegations: The complaint alleges that Cisco network switches, including the Cisco Nexus 9000 Series, directly infringe the ’880 Patent (Compl. ¶18). The detailed explanation of how these switches allegedly implement a "modifying module" to alter a "computational expression" for packet relaying, as required by claim 1, is located in the un-provided Exhibit 4 (Compl. ¶21).

  • Identified Points of Contention:

    • Scope Questions (’744 Patent): A central question may be whether Cisco’s own cloud-based threat intelligence service (Talos) constitutes a "global whitelist database hosted by a trusted third party service provider" as recited in claim 23. The definition of "trusted third party" in the context of a service provided by the same vendor as the endpoint software could be a key point of dispute.
    • Technical Questions (’880 Patent): A key factual question will be whether the accused Cisco Nexus 9000 switches contain the specific functionality of a "modifying module" that alters the "computational expression" for load balancing, as distinct from more static hashing or port-mapping configurations. The evidence of the accused product's actual operational capabilities will be critical to this analysis.

V. Key Claim Terms for Construction

  • Term from ’744 Patent, Claim 23: "global whitelist database hosted by a trusted third party service provider"

    • Context and Importance: This term is central to the infringement analysis for the ’744 Patent. The construction will determine whether a security ecosystem where the software vendor also provides the cloud-based reputation database (a common industry model) falls within the claim's scope.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The specification discusses a "trusted service provider may maintain a global whitelist" but does not explicitly require that provider to be a legally separate entity from the software vendor (’744 Patent, col. 8:30-32). A party could argue that from the perspective of the local computer system, any external, trusted entity providing the service qualifies.
      • Evidence for a Narrower Interpretation: The use of the term "third party" could be argued to imply an entity separate from the two primary parties to the software transaction (the vendor and the user). The patent does not appear to provide an explicit definition, making this term a likely focus for claim construction.

  • Term from ’880 Patent, Claim 1: "modifying module configured to modify the computational expression"

    • Context and Importance: This limitation defines the core inventive concept of dynamically altering the load-balancing logic itself, rather than just its output. Infringement will depend on whether the accused switches possess this specific capability.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The specification notes that the modifying module can act based on "an instruction by a user" (’880 Patent, col. 2:54-55). This could support an argument that any user-configurable setting that changes the hashing algorithm (e.g., selecting from a predefined list) meets this limitation.
      • Evidence for a Narrower Interpretation: The specification also discusses the module acting automatically to alleviate load imbalance (’880 Patent, col. 2:56-65), suggesting a more dynamic and integrated capability beyond a static configuration choice. A party could argue that the term requires a mechanism for runtime alteration of the expression's logic.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges induced infringement for all three patents, asserting that Defendant had knowledge of the patents "at least as early as when this Complaint was filed" (Compl. ¶¶12, 20, 28). It further alleges that Defendant encourages and instructs infringement through user manuals and online materials (Compl. ¶¶12, 20, 28).
  • Willful Infringement: The complaint does not contain an explicit allegation of willful infringement or a request for enhanced damages under 35 U.S.C. § 284. It does request an award of attorneys' fees, alleging the case is "exceptional" under 35 U.S.C. § 285 (Compl., Prayer for Relief, ¶e).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of definitional scope: can the term "trusted third party service provider," as used in the ’744 Patent, be construed to cover a cloud-based reputation service operated by the same company that provides the endpoint security software?
  • A key evidentiary question will be one of functional operation: do the accused Cisco Nexus switches possess the specific capability to "modify the computational expression" for load balancing as claimed in the ’880 Patent, or is there a fundamental mismatch in their technical operation compared to the claim requirements?
  • A threshold procedural question will be one of pleading sufficiency: given the complaint’s conclusory narrative and reliance on un-provided exhibits for its infringement theories, the case may face early challenges regarding whether the allegations meet the plausibility standard required to proceed.