1:24-cv-00526
GoSecure Inc v. CrowdStrike Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: GoSecure, Inc. (Delaware)
  - Defendant: CrowdStrike, Inc. and CrowdStrike Holdings, Inc. (Delaware)
  - Plaintiff’s Counsel: LATHAM AND WATKINS LLP
 
- Case Identification: 1:24-cv-00526, W.D. Tex., 05/16/2024
- Venue Allegations: Plaintiff alleges venue is proper because Defendants maintain their principal executive offices in the district, have regular and systematic contacts, and have committed the alleged acts of infringement within the district.
- Core Dispute: Plaintiff alleges that Defendant’s Falcon Platform and related cybersecurity products infringe patents related to behavioral analysis techniques for endpoint threat detection.
- Technical Context: The technology resides in the field of endpoint detection and response (EDR), a cybersecurity market focused on protecting computer systems from sophisticated threats like zero-day attacks by analyzing behavior rather than relying on known malware signatures.
- Key Procedural History: The complaint alleges a detailed pre-suit history, asserting that CrowdStrike’s founders received technical information about Plaintiff’s patented technology before founding CrowdStrike. It is alleged that one founder, Dmitri Alperovitch, served on the board of Plaintiff's predecessor and was privy to information regarding the patent application that became the ’697 Patent. The complaint also notes that CrowdStrike cited the publication of the ’697 Patent application as a prior art reference in a 2022 inter partes review proceeding involving a third party. These allegations form the basis of the claims for willful infringement.
Case Timeline
| Date | Event | 
|---|---|
| 2010-06-24 | Earliest Priority Date for ’872 and ’697 Patents (Provisional Application No. 61/358,367) | 
| 2011-01-01 | CrowdStrike Co-founded (approximate date) | 
| 2015-08-11 | U.S. Patent No. 9,106,697 Issues | 
| 2018-04-24 | U.S. Patent No. 9,954,872 Issues | 
| 2022-10-31 | CrowdStrike allegedly cites ’697 Patent application in an IPR proceeding | 
| 2024-05-16 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 9,954,872 - “System and method for identifying unauthorized activities on a computer system using a data structure model”
The Invention Explained
- Problem Addressed: The patent describes conventional network security systems as being reliant on a library of known malware “fingerprints.” This approach left systems vulnerable to so-called “zero-day attacks,” which exploit previously unknown security vulnerabilities for which no fingerprint is available for comparison (’872 Patent, col. 2:9-17; Compl. ¶40).
- The Patented Solution: The invention provides a method for detecting malicious activity based on behavior rather than pre-existing signatures. The system monitors activities on a computer, identifying relationships between an “activity source” (e.g., a software process) and an “activity target” (e.g., a file or network socket). These relationships, or associations, are stored in a data structure and can be transmitted to other computer systems to help prevent future attacks, effectively creating and sharing behavioral threat intelligence (’872 Patent, Abstract; col. 2:27-31).
- Technical Importance: This behavioral analysis method represents a shift from traditional signature-based antivirus to modern Endpoint Detection and Response (EDR), a technology essential for identifying and combating sophisticated cyberattacks that do not use known malware (Compl. ¶24, ¶41).
Key Claims at a Glance
- The complaint asserts independent claim 1 and dependent claims 2, 3, 7, 10, 12, and 14 (Compl. ¶61, ¶71).
- Independent Claim 1 recites the following essential elements:
  - A computer-implemented method of identifying unauthorized activities on a first computer system attached to a computer network.
  - Monitoring activity on the first computer system.
  - Identifying a plurality of activities, where each activity includes an activity source, an activity target, and an association between them.
  - Storing in memory a data structure that identifies the activity sources, targets, and their associations.
  - Transmitting information identifying one or more of these sources, targets, and associations to other computer systems for preventing future attacks.
 
U.S. Patent No. 9,106,697 - “System and method for identifying unauthorized activities on a computer system using a data structure model”
The Invention Explained
- Problem Addressed: The patent addresses the same core problem as the ’872 Patent—the failure of signature-based security to stop zero-day attacks—but applies the solution within the specific context of a "decoy computer system" operating in a virtualized environment (’697 Patent, col. 2:6-17).
- The Patented Solution: The invention uses a virtual machine monitor (or hypervisor) to oversee activity within a decoy virtual machine set up to attract attackers. The system monitors and identifies activities (sources, targets, associations) within this isolated environment, creates a behavioral "fingerprint" from the observed activities, and transmits this fingerprint to other devices to protect them from similar attacks. This allows for the safe analysis of novel attack methods (’697 Patent, Abstract; col. 4:43-60).
- Technical Importance: The technology combines virtualization with "honeypot" security concepts, enabling the capture and analysis of unknown threats in a controlled setting to generate and disseminate new, behavior-based threat intelligence (’697 Patent, col. 4:43-49; Compl. ¶44).
Key Claims at a Glance
- The complaint asserts independent claim 1 and dependent claims 2, 11, and 22 (Compl. ¶89, ¶102).
- Independent Claim 1 recites the following essential elements:
  - A computer-implemented method of identifying unauthorized activities on a "decoy computer system" comprising a virtual machine and a supervising virtual machine monitor.
  - Monitoring activity on the virtual machine.
  - Identifying a plurality of activities, each including an activity source, target, and association.
  - Storing the activity sources, targets, and associations in memory.
  - Creating, from the stored activities, a fingerprint indicative of the activity on the virtual machine.
  - Transmitting the fingerprint to prevent future attacks.
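As an added illustration of the claim elements the two patents share (this is not code from the complaint, the patents, or any CrowdStrike product), the following Python records activities as source/target/association entries in an endpoint-side data structure, walks the launch associations as a process tree, derives a behavioral fingerprint from the stored activities, and compares a transmitted fingerprint against activity seen elsewhere. The process names, file path, address and the fingerprint normalisation rule are constructed assumptions for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample telemetry (not from the complaint or any product). Each event
# names an activity source, an activity target and the association (action)
# between them, mirroring claim 1 of both patents.
SAMPLE_EVENTS = [
    {"source": "WINLOGON.EXE", "action": "launched", "target": "EXPLORER.EXE", "type": "process", "ts": 100},
    {"source": "EXPLORER.EXE", "action": "launched", "target": "EVIL.EXE", "type": "process", "ts": 101},
    {"source": "EVIL.EXE", "action": "wrote", "target": "C:\\Temp\\payload.dll", "type": "file", "ts": 102},
    {"source": "EVIL.EXE", "action": "connected", "target": "203.0.113.5:443", "type": "network", "ts": 103},
]

class ActivityStore:
    def __init__(self, events=()):
        self.sources, self.targets = set(), set()
        self.associations = []             # (source, action, target, type, ts)
        self.children = defaultdict(list)  # parent process -> launched children
        for ev in events:
            self.record(ev)

    def record(self, event):
        s, a, t, k = event["source"], event["action"], event["target"], event["type"]
        self.sources.add(s)
        self.targets.add(t)
        self.associations.append((s, a, t, k, event["ts"]))
        if k == "process":
            self.children[s].append(t)

    def process_chain(self, root):
        """Follow launch associations from root (first child at each step)."""
        chain, cur = [root], root
        while self.children.get(cur):
            cur = self.children[cur][0]
            chain.append(cur)
        return chain

    def fingerprint(self):
        """Fingerprint from the stored activities. Process launches keep the child
        name; file/network targets collapse to their kind, so a variant using a
        different path or address still looks "similar" (a hypothetical choice)."""
        triples = sorted({(s, a, t if k == "process" else k)
                          for s, a, t, k, _ in self.associations})
        return {"triples": triples,
                "digest": hashlib.sha256(repr(triples).encode()).hexdigest()}

    def export(self):
        """Payload a sensor transmits to other systems ("transmitting" element)."""
        return {"sources": sorted(self.sources), "targets": sorted(self.targets),
                "associations": list(self.associations), "fingerprint": self.fingerprint()}

def similarity(fp_a, fp_b):
    """Jaccard overlap; a receiving host alerts on same-or-similar activity."""
    a, b = set(map(tuple, fp_a["triples"])), set(map(tuple, fp_b["triples"]))
    return len(a & b) / len(a | b) if a | b else 1.0
```

Whether such a transient endpoint-side store counts as the claimed "data structure", and whether the fingerprint must be derived from observed activity rather than pre-defined rules, are exactly the construction questions discussed later on this page.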
 
III. The Accused Instrumentality
Product Identification
The complaint names the CrowdStrike "Falcon Platform" as the primary accused instrumentality, along with its constituent modules such as Falcon Insight XDR, Falcon Prevent, Falcon Threat Graph, and Falcon Cloud Security (Compl. ¶8, ¶46).
Functionality and Market Context
- The Falcon Platform is described as a cloud-based endpoint protection solution that deploys a single, lightweight software agent, the "Falcon sensor," onto endpoint devices like workstations, servers, and virtual machines (Compl. ¶47, ¶62).
- This sensor is alleged to constantly monitor and record endpoint activity, including process executions, network connections, and file system activity, and streams this telemetry to the cloud (Compl. ¶64).
- The data is aggregated in the "CrowdStrike Threat Graph," a cloud database that "keeps track of all the relationships and contacts between each endpoint event" to enable threat detection and investigation (Compl. ¶52, ¶70). The complaint alleges the platform uses this behavioral data to identify threats via "behavior-based indicators of attack ('IOA')" (Compl. ¶50). A screenshot from Defendant's marketing materials describes the platform as "The leader in endpoint security" (Compl. p. 14).
IV. Analysis of Infringement Allegations
’872 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| monitoring activity on the first computer system; | The Falcon agent "is constantly monitoring and recording endpoint activity," including process execution, network connections, and file system activity. | ¶64 | col. 6:1-6 | 
| identifying a plurality of activities being performed at the first computer system, wherein each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target; | The Falcon platform tracks security-related events and their relationships, which are graphically displayed to users as a process tree showing, for example, one executable launching another. A provided screenshot shows a "Detections" table with columns for scenario, user account, and machine. | ¶66, ¶74 | col. 6:31-36 | 
| storing in the memory a data structure that identifies the activity sources, the activity targets, and the associations for the plurality of activities; | When an endpoint is offline, "event details will be cached on the endpoint until connectivity is re-established." The complaint also states data is "recorded on the endpoint from an activity perspective." | ¶67, ¶68 | col. 6:31-36 | 
| transmitting to one or more computer systems other than the first computer system information identifying one or more of the activity sources, the activity targets, and the associations for preventing future attacks... | The Falcon agent streams collected endpoint activity to the cloud-based Threat Graph, a "massive, powerful graph database," which "enables security teams to quickly investigate incidents" and prevent future attacks. | ¶64, ¶69, ¶70 | col. 6:50-57 | 
Visual Evidence Referenced: A screenshot of a process tree shows a chain of executables from WINLOGON.EXE to EVIL.EXE, illustrating the identification of sources, targets, and associations (Compl. ¶74).
- Identified Points of Contention:
  - Scope Questions: Does the "data structure" required by the claim to be stored "in the memory" of the first computer system read on the alleged functionality of the Falcon sensor, which "cached" event details temporarily before transmitting them to a cloud database (Compl. ¶68, ¶70)? A court may need to determine if this temporary cache meets the claim's requirement of a data structure that "identifies" the sources, targets, and associations, or if that identifying structure is only created later in the cloud.
  - Technical Questions: The claim requires "transmitting... information identifying one or more of the activity sources, the activity targets, and the associations for preventing future attacks." Does the telemetry streamed from the Falcon agent to the Threat Graph (Compl. ¶70) meet this limitation directly, or is extensive cloud-side processing required before the information is usable "for preventing future attacks"? This raises a question about whether all claimed steps are performed by a single entity as required.
 
’697 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| A computer implemented method of identifying unauthorized activities on a decoy computer system...comprises...a virtual machine; and a virtual machine monitor supervising the virtual machine... | The Accused Products allegedly operate on and secure customer virtual machines (e.g., in Microsoft Azure) and include "hypervisors," which are described as another term for virtual machine monitors. | ¶90, ¶92, ¶93 | col. 2:40-44 | 
| monitoring activity on the virtual machine; | Falcon for Azure "[c]ontinuously monitors events to provide visibility into workload activities" and Falcon Horizon "monitors rapidly growing public cloud environments." | ¶90, ¶94, ¶95 | col. 9:55-61 | 
| identifying a plurality of activities being performed at the virtual machine, wherein each of the activities includes an activity source, an activity target, and an association... | The complaint provides a process-tree diagram from the accused product showing identified activities, such as BASH executing WGET, demonstrating the identification of sources, targets, and associations. | ¶96 | col. 10:27-32 | 
| creating, from the stored activities, a fingerprint indicative of the activity on the virtual machine; | Falcon Cloud Security allegedly detects threats using "indicators of attack (IOAs)" and "indicators of misconfiguration (IOMs)," which the complaint alleges are a form of the claimed "fingerprint." | ¶98, ¶99 | col. 10:20-24 | 
| transmitting the fingerprint to prevent future attacks that comprise the same or similar activities as indicated by the fingerprint. | The Accused Products allegedly maintain and leverage "the largest threat intelligence database and behavior base TTP/IOA across the entire cloud estate to stop breaches," implying transmission for prevention. | ¶100, ¶101 | col. 10:24-28 | 
Visual Evidence Referenced: A marketing graphic for Falcon for Azure states that it "[c]ontinuously monitors events to provide visibility into workload activities" on virtual machines (Compl. ¶90). A process tree diagram shows relationships between various processes like NETSTAT, BASH, and JAVA within a monitored environment, illustrating the identification of activities (Compl. ¶96).
- Identified Points of Contention:
  - Scope Questions: Does a customer's production virtual machine, which the Accused Products are sold to protect, qualify as a "decoy computer system" under the claim? The patent specification describes a decoy system as being "intentionally kept vulnerable" specifically to attract and analyze attacks, which appears to be technically distinct from a customer's operational system (’697 Patent, col. 4:46-51).
  - Technical Questions: Are the "Indicators of Attack (IOAs)" and "Indicators of Misconfiguration (IOMs)" used by the Accused Products (Compl. ¶98) technically equivalent to the claimed "fingerprint indicative of the activity on the virtual machine"? The claim requires the fingerprint to be created "from the stored activities," whereas IOAs and IOMs may be pre-defined rules or policies rather than dynamically generated artifacts of observed behavior.
 
V. Key Claim Terms for Construction
Term from the ’872 Patent: "data structure that identifies the activity sources, the activity targets, and the associations"
- Context and Importance: The definition of this term is central to whether the local agent on the endpoint performs a key step of the claimed method. Practitioners may focus on this term because its construction will determine whether a temporary, transient cache of event data satisfies the claim, or if a more permanent, organized relational database is required to be stored locally.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The claim language itself does not specify a particular format, duration of storage, or level of organization, which may support an argument that any structure containing the requisite information, however temporary, meets the limitation (’872 Patent, Claim 1).
  - Evidence for a Narrower Interpretation: The patent’s Figure 5A depicts the "Unauthorized Activity Data" as a highly structured table with specific fields for source, target, action, type, and timestamps, which may support an argument that a simple, unstructured cache of raw data does not meet the "data structure that identifies" limitation (’872 Patent, Fig. 5A).
 
Term from the ’697 Patent: "decoy computer system"
- Context and Importance: The construction of this term appears dispositive for the infringement analysis of the ’697 Patent. The dispute will likely center on whether a customer's production system being protected by security software can be considered a "decoy."
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: A plaintiff may argue that from an attacker's perspective, any system they are lured into and monitored within can function as a decoy, and the claim itself does not import limitations from the specification about the system's primary purpose.
  - Evidence for a Narrower Interpretation: The patent specification repeatedly describes the decoy system as one that is purpose-built to be a "honeypot." It is described as "intentionally kept vulnerable to unauthorized or malicious activities" and is used "to collect fingerprint data" on attacks (’697 Patent, col. 4:46-49). This is in direct contrast to a production system that a customer pays the defendant to secure and protect from vulnerability.
 
VI. Other Allegations
- Indirect Infringement: The complaint alleges that Defendant induces infringement by providing customers with instructions, user guides, and technical support that instruct and encourage them to install and operate the Accused Products in a manner that performs the claimed methods (Compl. ¶77, ¶106).
- Willful Infringement: The complaint makes detailed allegations to support willfulness. It asserts that Defendant had pre-suit knowledge of the patented technology through its founders, one of whom allegedly served on the board of Plaintiff's predecessor and was exposed to the patent application for the ’697 Patent (Compl. ¶26, ¶33). Knowledge is alleged from the patents' issue dates, and willful blindness is pleaded in the alternative (Compl. ¶36, ¶37).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the term "decoy computer system," which the patent specification describes as a purpose-built and vulnerable "honeypot," be construed to cover a customer's live, production virtual machine that the accused product is marketed and sold to protect?
- A key evidentiary question will be one of technical operation and location: does the accused product's endpoint agent "store" the complete, relational "data structure" required by Claim 1 of the ’872 Patent, or is this structure only fully created and stored in the cloud, raising potential questions of claim construction and divided infringement?
- A central theme of the case will be knowledge and intent: what evidence will discovery produce regarding the complaint's detailed allegations of the founders' pre-suit interactions with Plaintiff's predecessor, which will be critical to the determination of willful infringement?