DCT
4:24-cv-05008
PacSec3 LLC v. Cyberark Software Inc
Key Events
Complaint
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: PacSec3, LLC (Texas)
- Defendant: CyberArk Software, Inc. (Massachusetts)
- Plaintiff’s Counsel: Ramey, LLP
- Case Identification: 4:24-cv-05008, S.D. Tex., 12/19/2024
- Venue Allegations: Plaintiff alleges venue is proper in the Southern District of Texas because Defendant maintains a "regular and established place of business" in Houston, Texas, and has committed acts of infringement in the district.
- Core Dispute: Plaintiff alleges that Defendant’s privileged access management products and firewall systems infringe a patent related to defending against network-based packet flooding attacks.
- Technical Context: The technology concerns cybersecurity methods for mitigating denial-of-service (DoS) attacks, a common threat where attackers overwhelm a network resource with traffic to make it unavailable to legitimate users.
- Key Procedural History: Plaintiff identifies itself as a non-practicing entity and states it has entered into prior settlement licenses related to its patents, though asserts that none of these licenses were for a product practicing the patent-in-suit. The asserted patent is a continuation of an earlier application, which is now U.S. Patent No. 6,789,190. An ex parte reexamination certificate for the patent-in-suit was issued on May 22, 2023, which cancelled claims 1, 4, 13, and 16, and confirmed the patentability of claims 7 and 10.
Case Timeline
| Date | Event |
|---|---|
| 2000-11-16 | Earliest Patent Priority Date |
| 2009-04-21 | U.S. Patent No. 7,523,497 Issues |
| 2023-05-22 | Ex Parte Reexamination Certificate Issues |
| 2024-12-19 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,523,497 - "PACKET FLOODING DEFENSE SYSTEM"
The Invention Explained
- Problem Addressed: The patent addresses "packet flooding attacks," where an attacker attempts to consume a victim's entire network bandwidth with useless data, rendering the victim's services slow or inaccessible. A key challenge identified is that attackers can "falsify the source address" of attack packets, which can "confound" traditional defenses that rely on that information. (’497 Patent, col. 2:3-14).
- The Patented Solution: The invention proposes a distributed defense system where routers and the target site (the "victim") cooperate. Instead of relying on the easily forged source address, the system uses "attacker-independent" information about the actual path a packet travels through the network. Cooperating routers add "packet marks" to data, allowing the destination to determine the forwarding path. The destination can then classify packets based on their path and request that an upstream router limit the transmission rate of unwanted data from a specific path, thereby mitigating the attack without having to process all the malicious traffic itself. (’497 Patent, Abstract; col. 2:30-41; col. 4:1-5).
- Technical Importance: This approach was designed to be more robust against attacks using spoofed IP addresses, a common technique for obfuscating the source of a denial-of-service attack. (’497 Patent, col. 4:1-5).
Key Claims at a Glance
- The complaint asserts independent method claim 10. (Compl. ¶14).
- The essential elements of independent claim 10 are:
- Determining a path by which data packets arrive at a router via packet marks provided by other routers leading to a host computer, where the path comprises all routers in the network via which the packets are routed.
- Classifying the received data packets by their determined path.
- Associating a maximum acceptable transmission rate with each class of data packet.
- Allocating a transmission rate for unwanted data packets that is equal to or less than the associated maximum rate.
- The complaint does not explicitly reserve the right to assert dependent claims.
III. The Accused Instrumentality
Product Identification
- The "Cyberark Privileged Session manager and related components and products," which are also characterized as "firewall systems." (Compl. ¶¶14-15).
Functionality and Market Context
- The complaint alleges these are "firewall systems" that infringe the ’497 Patent. (Compl. ¶14). It does not, however, provide specific details about the technical operation of the Cyberark Privileged Session Manager, particularly how it allegedly monitors, classifies, or rate-limits network traffic in a manner relevant to the patent's claims. The product name suggests a focus on controlling and monitoring access for privileged user accounts within an organization. The complaint does not contain allegations regarding the product's specific commercial importance beyond its general availability. (Compl. ¶19).
IV. Analysis of Infringement Allegations
The complaint references a claim chart in "Exhibit B" purporting to detail the infringement of claim 10; however, this exhibit was not attached to the filed complaint. (Compl. ¶¶15, 21). The infringement theory must therefore be inferred from the complaint's narrative allegations. Plaintiff alleges that Defendant's "firewall systems," specifically the "Cyberark Privileged Session manager," practice the method of claim 10. (Compl. ¶14). The core of this allegation is that the accused product performs a method of classifying and rate-limiting network traffic based on its path through a network to defend against data floods. (Compl. ¶13). No probative visual evidence provided in complaint.
- Identified Points of Contention:
- Scope Questions: A primary question will be whether the functions of a "Privileged Session manager"—a product category typically associated with identity security and access control—fall within the scope of the claimed "packet flooding defense" method.
- Technical Questions: A key technical question is what evidence exists that the accused product performs the specific steps of claim 10. For example, what evidence does the complaint provide that the accused product determines a packet's "path" using "packet marks provided by routers" and that this path comprises "all routers in said network" as the claim requires? The complaint does not allege facts to support this specific mechanism.
V. Key Claim Terms for Construction
The Term: "packet marks provided by routers"
- Context and Importance: This term is the central mechanism for the claimed invention. The infringement case hinges on whether the accused product uses a comparable technique to trace a packet's path. Practitioners may focus on this term because its construction will determine whether any traffic-source-identifying information used by the accused product qualifies as a "packet mark provided by routers."
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent does not define a specific format for the "packet marks," which could support an argument that any data inserted by a router that helps identify a packet's path meets this limitation.
- Evidence for a Narrower Interpretation: The specification repeatedly describes the system as a "cooperating neighborhood" of routers and describes the path information as "attacker-independent." (’497 Patent, col. 2:30-38, col. 4:1-5). A party could argue this requires a specific, pre-arranged protocol between multiple routers to generate the marks, not merely information available from a single, isolated router (e.g., its own interface identifier).
The Term: "path ... comprising all routers in said network via which said packets are routed to said computer"
- Context and Importance: Claim 10 recites a specific, and arguably demanding, definition for the "path" that must be determined. The viability of the infringement allegation may depend on whether the accused product can be shown to identify such a complete path.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: A plaintiff might argue that "all routers in said network" should be interpreted in the context of the "cooperating neighborhood" described in the specification, meaning all participating routers, rather than every single network hop between the ultimate source and destination.
- Evidence for a Narrower Interpretation: The plain language of the claim itself appears to provide a definition. A defendant could argue this requires a literal, hop-for-hop trace of the packet's journey, a technically challenging feat that the accused product may not perform. (’497 Patent, col. 9:48-53).
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement of infringement, stating Defendant provides infringing products and instructs others on their use. (Compl., Prayer for Relief ¶a).
- Willful Infringement: The complaint alleges that Defendant's infringement has been willful, but does not plead specific facts supporting pre-suit knowledge of the patent. (Compl. ¶16). The claim appears to be based on conduct that will be revealed in discovery or post-suit continuation of infringement.
VII. Analyst’s Conclusion: Key Questions for the Case
- A central evidentiary question will be one of technical mapping: Can the plaintiff produce evidence that the accused "Privileged Session manager," a product primarily for user access control, in fact performs the specific network-level traffic analysis method recited in claim 10? The complaint currently lacks the factual allegations to connect the accused product's function to the claimed method.
- The case may also turn on a question of definitional scope: Assuming the accused product does perform some form of traffic analysis, does its method of identifying a traffic's origin meet the specific claim requirement of using "packet marks provided by routers" to determine a "path" that comprises "all routers in said network"? The construction of these terms will be critical to the outcome of the infringement analysis.