Cupp Cybersecurity LLC v. Trend Micro Inc

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: CUPP Cybersecurity, LLC (Delaware) and CUPP Computing AS (Norway)
  • Defendant: Trend Micro, Inc. (California), Trend Micro America, Inc. (Delaware), and Trend Micro Inc (Japan)
  • Plaintiff’s Counsel: Barnes & Thornburg LLP; Kramer Levin Naftalis & Frankel LLP
• Case Identification: 3:18-cv-01251, N.D. Tex., 05/15/2018
• Venue Allegations: Plaintiff alleges venue is proper in the Northern District of Texas because Defendant Trend Micro maintains its "USA Headquarters" in the district, which constitutes a regular and established place of business.
• Core Dispute: Plaintiff alleges that Defendant’s broad portfolio of cybersecurity products infringes eight patents related to mobile device security, power management security services, removable media monitoring, and network firewall protection.
• Technical Context: The lawsuit concerns the cybersecurity field, specifically technologies for protecting mobile devices and enterprise endpoints from malware, unauthorized data access, and network-based threats.
• Key Procedural History: The complaint does not provide sufficient detail for analysis of Key Procedural History.

Case Timeline

Date	Event
2005-12-23	Priority Date for ’164 and ’444 Patents
2007-05-30	Priority Date for ’272 and ’079 Patents
2008-08-04	Priority Date for ’488, ’683, and ’595 Patents
2008-11-19	Priority Date for ’202 Patent
2012-01-01	Accused Power Management Module "new model" launched (approx.)
2013-01-29	U.S. Patent No. 8,365,272 ('272 Patent) Issued
2014-01-14	U.S. Patent No. 8,631,488 ('488 Patent) Issued
2014-07-22	U.S. Patent No. 8,789,202 ('202 Patent) Issued
2015-08-11	U.S. Patent No. 9,106,683 ('683 Patent) Issued
2017-08-29	U.S. Patent No. 9,747,444 ('444 Patent) Issued
2017-09-05	U.S. Patent No. 9,756,079 ('079 Patent) Issued
2017-10-03	U.S. Patent No. 9,781,164 ('164 Patent) Issued
2017-12-12	U.S. Patent No. 9,843,595 ('595 Patent) Issued
2018-05-15	Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,631,488 - "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE"

• Issued: January 14, 2014

The Invention Explained

• Problem Addressed: The patent addresses the inefficiency of performing security tasks like malware scans and updates on mobile devices. Such tasks require significant CPU power, and users often cannot leave their devices, particularly laptops, active overnight to complete them ('488 Patent, col. 2:40-49).
• The Patented Solution: The invention proposes a separate "mobile security system" with its own processor that can operate semi-independently. This system detects a "wake event" (e.g., a scheduled time), sends a signal to wake the main mobile device from a low-power state, and then executes security instructions to manage services like scanning or updating before allowing the device to return to a power-saving mode ('488 Patent, Abstract; col. 3:5-13).
• Technical Importance: This approach allows for the maintenance of robust security on power-constrained mobile devices without requiring user intervention or significant disruption to battery life ('488 Patent, col. 2:40-49).

Key Claims at a Glance

• The complaint asserts independent claim 1 and dependent claims 2-20 (Compl. ¶52).
• Independent Claim 1 requires:
  • Detecting by a mobile security system processor of a mobile security system a wake event;
  • Providing from the mobile security system a wake signal to a mobile device, where the mobile device has a processor different than the mobile security system processor, with the signal adapted to wake at least a portion of the mobile device from a power management mode; and
  • After providing the wake signal, executing security instructions by the mobile security system processor to manage security services to protect the mobile device, with the instructions stored on the mobile security system.

---

U.S. Patent No. 8,789,202 - "SYSTEMS AND METHODS FOR PROVIDING REAL TIME ACCESS MONITORING OF A REMOVABLE MEDIA DEVICE"

• Issued: July 22, 2014

The Invention Explained

• Problem Addressed: Removable media devices (e.g., USB flash drives) are a common vector for introducing malware to a host computer and for the unauthorized removal of sensitive data. Existing security measures are often insufficient to address these risks in real time ('202 Patent, col. 2:20-25).
• The Patented Solution: The invention describes a method where, upon connection of a removable media device, "redirection code" is injected into the host digital device. This code intercepts function calls related to data on the removable media, allowing a security policy to determine whether to grant access. The code is configured to execute a second, security-oriented function call in place of the original function call to enforce this policy ('202 Patent, Abstract; col. 4:45-52).
• Technical Importance: This method provides a real-time, policy-based security gateway for removable media access without requiring security software to be pre-installed on the host computer ('202 Patent, col. 4:5-10).

Key Claims at a Glance

• The complaint asserts independent claim 1 and dependent claims 2-21 (Compl. ¶76).
• Independent Claim 1 requires:
  • Detecting a removable media device coupled to a digital device;
  • Injecting redirection code into the digital device, where the code is configured to intercept a first function call and execute a second function call in its place;
  • Intercepting, with the redirection code, a request for data on the removable media device;
  • Determining whether to allow the intercepted request based on a security policy implementing content analysis and risk assessment algorithms; and
  • Providing the requested data based on that determination.

---

Multi-Patent Capsules

• *U.S. Patent No. 9,106,683 - "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE", issued Aug. 11, 2015.*

  • Technology Synopsis: This patent is related to the ’488 Patent and describes a method for a mobile security system to detect a wake event associated with a mobile device and, in response, send a wake signal to bring the device out of a power management mode to manage its security services (Compl. ¶17, ¶100).
  • Asserted Claims: Claims 1-20 (Compl. ¶96).
  • Accused Features: The "’683 Accused Products" include Trend Micro's User Protection, Worry-Free, and Home Products, as well as products incorporating Mobile Security, Control Manager, XGen Security, or Power Management Technologies (Compl. ¶99).

• *U.S. Patent No. 9,843,595 - "SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE", issued Dec. 12, 2017.*

  • Technology Synopsis: This patent, also related to the ’488 Patent family, describes a security system architecture involving a security administrator device, a mobile device with a security agent, and a separate security system. The security system is configured to detect a wake event, send a wake signal to the agent on the mobile device, which then wakes the device from a power management mode to perform security services (Compl. ¶20, ¶124).
  • Asserted Claims: Claims 1-30 (Compl. ¶120).
  • Accused Features: The "’595 Accused Products" encompass Trend Micro products incorporating Mobile Security, Control Manager, XGen Security, or Power Management Technologies (Compl. ¶123).

• *U.S. Patent No. 9,781,164 - "SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY TO MOBILE DEVICES", issued Oct. 3, 2017.*

  • Technology Synopsis: This patent describes a security system managed by IT administrators over a trusted network. The system stores security code, policies, and data, and is configured to receive and execute remote update commands from the IT administrator to update these security components on a mobile device (Compl. ¶23, ¶149).
  • Asserted Claims: Claims 1-18 (Compl. ¶145).
  • Accused Features: The "’164 Accused Products" include a wide range of Trend Micro's portfolio, including those with Mobile Security, Control Manager, Smart Protection Network, or XGen Security Technologies (Compl. ¶148).

• *U.S. Patent No. 9,756,079 - "SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE", issued Sep. 5, 2017.*

  • Technology Synopsis: This patent describes a firewall protection method using dynamic address isolation. It involves an address translation engine that translates between an application's internal address and an external network address, and a driver that forwards incoming packets to a firewall for inspection against a security policy before they reach the application (Compl. ¶26, ¶171).
  • Asserted Claims: Claims 1-12 (Compl. ¶167).
  • Accused Features: The "’079 Accused Products" are alleged to be Trend Micro offerings that incorporate technologies such as Mobile Security, Control Manager, Smart Protection Network, or XGen Security (Compl. ¶170).

• *U.S. Patent No. 9,747,444 - "SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY TO MOBILE DEVICES", issued Aug. 29, 2017.*

  • Technology Synopsis: This patent describes a security system that uses a policy to identify trusted networks. When a mobile device is on an untrusted network, the system scans network data for malicious content before forwarding it. When on a trusted network, the data is forwarded without scanning (Compl. ¶29, ¶187).
  • Asserted Claims: Claims 1-21 (Compl. ¶183).
  • Accused Features: The "’444 Accused Products" include Trend Micro products incorporating Mobile Security, Control Manager, Smart Protection Network, or XGen Security Technologies (Compl. ¶186).

• *U.S. Patent No. 8,365,272 - "SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE", issued Jan. 29, 2013.*

  • Technology Synopsis: This patent is related to the ’079 Patent and describes a method for firewall protection that involves translating between an application address and a public address. It uses a driver to forward data packets between a network interface and a network address translation engine, which then passes incoming data to a firewall for inspection based on a security policy (Compl. ¶32, ¶211).
  • Asserted Claims: Claims 1-19 (Compl. ¶207).
  • Accused Features: The "’272 Accused Products" include Trend Micro products incorporating Mobile Security, Control Manager, Smart Protection Network, or XGen Security Technologies (Compl. ¶210).

III. The Accused Instrumentality

Product Identification

• The complaint accuses a wide range of Trend Micro products and services, grouped into several categories: User Protection Products, Network Defense Products, Hybrid Cloud Security Products, Worry-Free Products, Home Products, and Portable Security Products (Compl. ¶34-42, ¶49). Specific technologies cited as infringing include Mobile Security, Control Manager, XGen Security, Smart Protection Network, and Power Management Technologies (Compl. ¶49).

Functionality and Market Context

• The accused functionalities relevant to the ’488 Patent are embodied in Trend Micro's "Power Management Module." This module is described as resolving the conflict "between system shutdown for conservation and keeping the system on for IT to install updates and patches" (Compl. ¶59). A marketing document states this module allows IT teams to "install automatic software updates, security patches, and protection policies" (Compl. Exhibit 28). This visual, from Exhibit 28, describes the functionality of the Power Management Module (Compl. p. 20).
• The functionalities accused of infringing the ’202 Patent are found in "Trend Micro Portable Security" products. These are described as antivirus security programs in a portable USB device format that can "find and remove security threats from computers or devices without having to install an antivirus program" (Compl. ¶81, Exhibit 32). The complaint alleges that when scanning, these products temporarily create drivers and files on the target terminal to perform their function (Compl. ¶82). A diagram from Exhibit 19 shows the operational flow of this scanning tool (Compl. p. 12).
• The complaint alleges these products and technologies are central to Trend Micro's business, powering its endpoint, network, and cloud security offerings for both enterprise and consumer markets (Compl. ¶34-47).

IV. Analysis of Infringement Allegations

8,631,488 Patent Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
detecting by a mobile security system processor of a mobile security system a wake event;	A mobile security system (e.g., a Management Server) detects a "wake event," such as the need to apply updates or policies to a device that is in a power management mode.	¶56, ¶58	col. 4:1-4
providing from the mobile security system a wake signal to a mobile device, the mobile device having a mobile device processor different than the mobile security system processor...adapted to wake at least a portion of the mobile device from a power management mode;	The Power Management Module provides a signal or instruction that keeps the mobile device active or wakes it from a power management mode, enabling IT tasks to proceed. This is managed by a server processor distinct from the mobile device's own processor.	¶56, ¶58-59	col. 3:7-11
and after providing the wake signal to the mobile device, executing security instructions by the mobile security system processor to manage security services configured to protect the mobile device...	The mobile security system's processor, via components like the Management Server, executes instructions to install "automatic software updates, security patches, and protection policies" on the mobile device. This is a form of managed security service.	¶56, ¶59, ¶63	col. 3:9-13

Identified Points of Contention

• Scope Questions: A central question may be whether Trend Micro's server-based "Management Server" and "Communication Server" (Compl. ¶58, Exhibit 29) constitute the claimed "mobile security system processor" that is "different than the mobile device processor." The defense could argue the patent contemplates a physically distinct, device-proximate hardware component, whereas the accused system is a distributed, network-based management architecture. The complaint provides a table from Trend Micro's documentation showing the required server components (Compl. Exhibit 29).
• Technical Questions: The interpretation of "wake event" and "wake signal" will be critical. The complaint alleges that the Power Management Module's function of keeping a system on for updates constitutes detecting a wake event and providing a wake signal (Compl. ¶59). The court will have to determine if this scheduling and power-state management function maps onto the specific "event" detection and "signal" provision required by the claim.

8,789,202 Patent Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
detecting a removable media device coupled to a digital device;	The accused "Portable Security Products" are removable USB devices that are coupled to a host computer to perform security scans.	¶80-81	col. 5:22-24
injecting redirection code into the digital device...the redirection code configured to intercept a first function call and configured to execute a second function call in place of the first function call;	When scanning for malware, the accused products "create drivers...to the target terminal and files to the local HDD temporarily" which allegedly function as the claimed "redirection code" to intercept system operations.	¶80, ¶82	col. 5:25-32
intercepting, with the redirection code, a request for data on the removable media device;	The temporary drivers intercept requests for data to scan for malware before allowing access.	¶80, ¶82	col. 5:33-35
determining whether to allow the intercepted request for data based on a security policy, the security policy implementing content analysis and risk assessment algorithms; and	The product's "Management Program" uses "pattern file and scan engine components" to analyze data and determine whether to allow or block it based on a configurable security policy.	¶80, ¶83	col. 5:36-39
providing requested data based on the determination.	Based on the scan's determination, the product either allows access to the data or removes the threat before access is granted.	¶80, ¶82	col. 5:40-41

Identified Points of Contention

• Scope Questions: A primary dispute may arise over the term "injecting redirection code". The complaint alleges this is met by the temporary creation of drivers and files on the host computer (Compl. ¶82). The defense may argue that installing a driver is a conventional OS procedure and is technically distinct from the patent's more specific teaching of "injecting" code that intercepts and replaces a "first function call" with a "second function call."
• Technical Questions: What evidence does the complaint provide that the accused product's temporary drivers perform the specific function of replacing one function call with another, as opposed to operating as a standard file system filter driver that inspects I/O without replacing function calls in the manner claimed? A diagram illustrates the product's standalone operation but does not detail the code injection mechanism (Compl. Exhibit 19).

V. Key Claim Terms for Construction

For the ’488 Patent:

• The Term: "mobile security system processor different than the mobile device processor"
• Context and Importance: This term is central to the architectural requirements of the invention. The infringement theory depends on whether Trend Micro's remote "Management Server" (Compl. ¶58) can be considered the claimed "mobile security system processor." Practitioners may focus on this term because it distinguishes between a security function running on the device's main CPU and one offloaded to a separate, dedicated processor.
• Intrinsic Evidence for Interpretation:
  • Evidence for a Broader Interpretation: The specification describes the mobile security system as potentially being a "miniature server" ('488 Patent, col. 6:52) and mentions remote management by an IT administrator ('488 Patent, col. 5:21-25), which may support a distributed or server-based interpretation.
  • Evidence for a Narrower Interpretation: Claim 1 requires the "mobile security system" to provide the wake signal to the "mobile device," suggesting two distinct but cooperative entities. Figures in the patent depict a self-contained "Mobile Security System" component (e.g., '488 Patent, Fig. 17, item 1702), which could imply a physically co-located or integrated hardware module rather than a remote server.

For the ’202 Patent:

• The Term: "injecting redirection code"
• Context and Importance: The definition of this term is critical to determining whether the accused product's mechanism of installing temporary drivers (Compl. ¶82) falls within the claim scope. The case may turn on whether "injecting code" is limited to a specific software technique (like DLL injection) or can broadly cover the installation of any software that redirects data flow.
• Intrinsic Evidence for Interpretation:
  • Evidence for a Broader Interpretation: The patent's abstract broadly describes injecting "redirection code into the digital device after detecting that the removable media device is coupled to the digital device," which could be argued to cover the temporary installation of a driver upon device connection ('202 Patent, Abstract).
  • Evidence for a Narrower Interpretation: The detailed description and figures provide specific examples focused on injecting Dynamic-Link Libraries (DLLs) into user processes to intercept function calls ('202 Patent, col. 7:21-23; Fig. 22-23). This could support an argument that the claims are limited to that specific implementation and do not cover general-purpose driver installation.

VI. Other Allegations

Indirect Infringement

• The complaint alleges induced infringement for all asserted patents. The basis for inducement is that Trend Micro allegedly instructs and encourages its customers and users to operate the accused products in an infringing manner through materials such as "guides and operating instructions" available on its website (Compl. ¶69-71, ¶89-91).

Willful Infringement

• While not pleaded as a separate count, the complaint alleges that Trend Micro "knew or was willfully blind to the fact that it was inducing others...to infringe" (Compl. ¶69, ¶89). This language suggests an intent to pursue a claim for willful infringement based on alleged knowledge of the infringing acts.

VII. Analyst’s Conclusion: Key Questions for the Case

• A core issue will be one of architectural scope: does Trend Micro's server-based security administration architecture, which manages devices over a network, satisfy the ’488 patent family's requirement for a "mobile security system processor" that is "different than the mobile device processor," or does the patent language and specification imply a physically distinct, device-level hardware component?
• A key evidentiary question will be one of functional equivalence: does the temporary installation of drivers by Trend Micro's Portable Security product (accused of infringing the '202 patent family) perform the specific claimed function of "injecting redirection code...to intercept a first function call and...execute a second function call in [its] place," or is there a fundamental mismatch in the technical mechanism of operation?
• A central question of claim construction will be whether the general act of scheduling security updates for a device in a low-power state, as performed by the accused Power Management Module, constitutes the specific sequence of "detecting a wake event" and "providing a wake signal" as recited in the claims of the '488 patent family.