6:20-cv-01031
KMizra LLC v. Cisco Systems Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: K.Mizra LLC (Delaware)
- Defendant: Cisco Systems, Inc. (California)
- Plaintiff’s Counsel: Law Office of Joseph M. Abraham, PLLC
- Case Identification: 6:20-cv-01031, W.D. Tex., 11/06/2020
- Venue Allegations: Venue is based on Defendant's regular and established places of business within the Western District of Texas, including campuses in Austin and San Antonio, and alleged acts of infringement within the district.
- Core Dispute: Plaintiff alleges that Defendant’s network access control products infringe a patent on quarantining potentially infected devices, and that its email security products infringe a patent on identity-based content filtering.
- Technical Context: The technologies at issue relate to enterprise network security, a critical field focused on protecting corporate data from threats introduced by devices connecting to the network and from malicious electronic communications.
- Key Procedural History: The complaint itself mentions no prior proceedings. However, an inter partes review (IPR) of U.S. Patent No. 8,965,892, instituted after this complaint was filed, resulted in cancellation of every claim of that patent asserted here. That development is potentially dispositive of the infringement allegations concerning the ’892 patent.
Case Timeline
| Date | Event |
|---|---|
| 2004-09-27 | '705 Patent - Earliest Priority Date |
| 2007-01-04 | '892 Patent - Earliest Priority Date |
| 2012-07-31 | '705 Patent - Issue Date |
| 2015-02-24 | '892 Patent - Issue Date |
| 2020-11-06 | Complaint Filing Date |
| 2023-02-27 | '892 Patent - IPR Certificate Issued (Claims 14 & 15 Cancelled) |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 8,234,705, “Contagion Isolation and Inoculation,” issued July 31, 2012
The Invention Explained
- Problem Addressed: The patent identifies the security threat posed by mobile devices, such as laptops, that connect to untrusted public networks, become infected with malware, and then reconnect to a protected enterprise network, potentially spreading the infection before it can be detected (Compl. ¶20; ’705 Patent, col. 1:14-38).
- The Patented Solution: The invention proposes a system that, upon receiving a connection request from a host, determines if the host must be quarantined. A quarantined host is given only limited network access, sufficient to remedy the condition that caused the quarantine (e.g., to download a software patch or run a scan). Communication attempts to other parts of the network are redirected to a quarantine server that can provide instructions or notifications to the user (’705 Patent, Abstract; col. 3:8-23).
- Technical Importance: This approach provides a mechanism to contain threats from potentially compromised endpoints at the moment of connection, creating a secure "on-ramp" that verifies device health before granting broader network access (Compl. ¶22).
Key Claims at a Glance
- The complaint asserts independent claim 19.
- The essential elements of claim 19, a computer program product, include instructions for:
- Detecting an insecure condition on a host attempting to connect to a protected network.
- This detection includes contacting a "trusted computing base" associated with a "trusted platform module" on the host and receiving a "valid digitally signed attestation of cleanliness".
- The attestation must confirm the host is not infested and has a required software patch level.
- If a valid attestation is not received, "quarantining" the host by preventing it from sending data to other hosts on the network.
- The quarantine process includes redirecting web or DNS requests to a "quarantine server" that provides notification.
- Permitting the host to communicate with a designated "remediation host" to fix the insecure condition.
- The complaint asserts at least claim 12 and reserves the right to assert other claims (Compl. ¶35).
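The claim-19 flow above, as an added illustration that is neither the patent's disclosed embodiment nor Cisco ISE's posture protocol: the host side signs a small set of posture claims with a per-host Ed25519 attestation key, and the network side verifies the signature, binds the attestation to its own challenge, checks the not-infested and patch-level claims, and otherwise quarantines the host so that it can reach only the remediation host and a quarantine server that answers its web and DNS requests. The host name, JSON claim format, nonce value, patch numbering and server names are all constructed for this example; in a TCG-style deployment the signing key would be protected by the TPM rather than held in process memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
)

// Attestation is the claim set the host's trusted computing base signs in this
// illustration; the field names are assumptions, not patent or Cisco ISE terms.
type Attestation struct {
	HostID      string `json:"host_id"`
	Nonce       string `json:"nonce"`        // verifier's challenge; defeats replay
	NotInfested bool   `json:"not_infested"` // claim: no malware found
	PatchLevel  int    `json:"patch_level"`  // claim: installed patch level
}

// SignAttestation is the host side: serialise and sign the claims with the
// host's attestation key (Ed25519 here; TPM-protected in a TCG-style design).
func SignAttestation(priv ed25519.PrivateKey, a Attestation) (msg, sig []byte) {
	msg, _ = json.Marshal(a) // fixed struct, cannot fail
	return msg, ed25519.Sign(priv, msg)
}

// Decision is the access policy the network enforcement point applies.
type Decision struct {
	Action    string   // "allow" or "quarantine"
	Reason    string
	Redirect  string   // quarantine server that answers a quarantined host's web/DNS requests
	Reachable []string // the only destinations a quarantined host may send to
}

// Verifier is the network-side policy point (the role the complaint assigns to ISE).
type Verifier struct {
	TrustedKeys      map[string]ed25519.PublicKey // host ID -> enrolled attestation key
	RequiredPatch    int
	QuarantineServer string
	RemediationHost  string
}

// Evaluate checks the TCB's response. Anything short of a valid, fresh, signed
// attestation of "not infested, patched to the required level" quarantines the
// host, leaving it only the remediation host and the quarantine server.
func (v Verifier) Evaluate(hostID, nonce string, msg, sig []byte) Decision {
	quarantine := func(reason string) Decision {
		return Decision{Action: "quarantine", Reason: reason, Redirect: v.QuarantineServer,
			Reachable: []string{v.RemediationHost, v.QuarantineServer}}
	}
	pub, ok := v.TrustedKeys[hostID]
	if !ok || !ed25519.Verify(pub, msg, sig) { // verify before trusting any field
		return quarantine("no enrolled key or invalid attestation signature")
	}
	var a Attestation
	if err := json.Unmarshal(msg, &a); err != nil {
		return quarantine("attestation malformed")
	}
	if a.HostID != hostID || a.Nonce != nonce {
		return quarantine("attestation not bound to this host and challenge")
	}
	if !a.NotInfested {
		return quarantine("host reports infestation")
	}
	if a.PatchLevel < v.RequiredPatch {
		return quarantine(fmt.Sprintf("patch level %d below required %d", a.PatchLevel, v.RequiredPatch))
	}
	return Decision{Action: "allow", Reason: "valid digitally signed attestation of cleanliness"}
}

// RunScenarios walks four connection attempts and returns "action: reason" lines.
func RunScenarios() []string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := Verifier{TrustedKeys: map[string]ed25519.PublicKey{"laptop-17": pub}, RequiredPatch: 42,
		QuarantineServer: "quarantine.corp.example", RemediationHost: "patches.corp.example"}
	const nonce = "c0ffee" // constructed challenge value
	var out []string
	record := func(d Decision) { out = append(out, d.Action+": "+d.Reason) }
	// 1. clean, patched host with a fresh, valid signature
	msg, sig := SignAttestation(priv, Attestation{"laptop-17", nonce, true, 42})
	record(v.Evaluate("laptop-17", nonce, msg, sig))
	// 2. honest report, but the patch level is below policy
	msg, sig = SignAttestation(priv, Attestation{"laptop-17", nonce, true, 41})
	record(v.Evaluate("laptop-17", nonce, msg, sig))
	// 3. that report edited after signing: a tampered (or never signed) posture claim fails
	tampered := []byte(strings.Replace(string(msg), `"patch_level":41`, `"patch_level":99`, 1))
	record(v.Evaluate("laptop-17", nonce, tampered, sig))
	// 4. replay of a validly signed attestation issued for an earlier challenge
	msg, sig = SignAttestation(priv, Attestation{"laptop-17", "stale", true, 42})
	record(v.Evaluate("laptop-17", nonce, msg, sig))
	return out
}

func main() {
	for _, line := range RunScenarios() {
		fmt.Println(line)
	}
}
```

Scenario 3 is the one that matters for the "digitally signed" limitation: a posture report that merely reads "compliant" is worth only as much as the key that signed it, and a report edited after signing, or never signed at all, is rejected only because the verifier checks a signature before it reads any claim.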
U.S. Patent No. 8,965,892, “Identity-Based Filtering,” issued February 24, 2015
The Invention Explained
- Problem Addressed: The patent describes the shortcomings of conventional content filtering, such as URL blacklisting, which cannot distinguish between desirable and undesirable content creators operating within the same website or service (Compl. ¶29; ’892 Patent, col. 1:23-32). This can lead to either blocking good content or allowing bad content.
- The Patented Solution: The invention discloses a method of filtering based on the reputation of a person's "identity" and their "group" affiliations. Instead of just blocking a URL, the system determines the identity of the content creator, the reputation of that identity, the reputation of any groups the identity belongs to, and then uses that combined reputational data to determine a final reputation for the electronic document itself, which informs the filtering decision (’892 Patent, Abstract; col. 2:50-55).
- Technical Importance: This technology allows for more granular and intelligent content filtering by focusing on the trustworthiness of the source (the person and their affiliations) rather than just the location of the data (the URL) (Compl. ¶31).
Key Claims at a Glance
- The complaint asserts independent claim 15. The asserted claims (14 and 15) were subsequently cancelled in an inter partes review proceeding (IPR2021-00594).
- The essential elements of claim 15, a computer program product, include instructions for:
- Determining an "identity" relating to a person associated with an electronic document.
- Determining that the person is a member of a "group" that has an associated "group reputation".
- Determining an "identity reputation" for the person that is based at least in part on the "group reputation".
- Determining a "document reputation" that uses the determined "identity reputation".
- The complaint asserts at least claim 14 and reserves the right to assert other claims (Compl. ¶50).
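The four elements of claim 15 as an added, simplified illustration, which is neither the patent's disclosed algorithm nor Cisco's Sender Domain Reputation service: group reputations feed an identity reputation, the identity reputation becomes the document reputation, and the resulting verdict is set beside a plain URL blacklist for two documents hosted at the same address, which is the limitation of location-based filtering the patent describes. The weighting rule, the neutral 0.5 prior for an unknown group, the threshold, and every name and score are assumptions constructed for this example.

```go
package main

import "fmt"

// Scores are in [0,1]; 1.0 is fully trusted. The scoring rule, weights and
// threshold are assumptions of this illustration, not the patent's method.
type Identity struct {
	Name   string
	Groups []string // e.g. sending domain, mailing list, organisation
}

type Document struct {
	URL    string   // where the content lives (what a URL blacklist keys on)
	Author Identity // who created it (what identity-based filtering keys on)
}

type Filter struct {
	GroupRep    map[string]float64 // element [B]: reputation per group
	IdentityRep map[string]float64 // prior per-identity score, if the person is known
	GroupWeight float64            // share of the identity score taken from groups
	Threshold   float64            // minimum document reputation to allow
}

// IdentityReputation is element [C]: the person's score is derived at least in
// part from the reputation of the groups they belong to.
func (f Filter) IdentityReputation(id Identity) float64 {
	sum, n := 0.0, 0
	for _, g := range id.Groups {
		if r, ok := f.GroupRep[g]; ok {
			sum += r
			n++
		}
	}
	groupScore := 0.5 // neutral when no group is known
	if n > 0 {
		groupScore = sum / float64(n)
	}
	own, known := f.IdentityRep[id.Name]
	if !known {
		return groupScore // an unknown person inherits the group reputation
	}
	return f.GroupWeight*groupScore + (1-f.GroupWeight)*own
}

// DocumentReputation is element [D]: the document's score uses the identity score.
func (f Filter) DocumentReputation(d Document) float64 {
	return f.IdentityReputation(d.Author)
}

func (f Filter) Verdict(d Document) string {
	if f.DocumentReputation(d) >= f.Threshold {
		return "allow"
	}
	return "block"
}

// URLBlacklistVerdict is the conventional filter the patent contrasts with: it
// sees only the location, so every document at a listed URL gets one verdict.
func URLBlacklistVerdict(blocked map[string]bool, d Document) string {
	if blocked[d.URL] {
		return "block"
	}
	return "allow"
}

// Compare runs both filters over two posts hosted at the same shared URL and
// returns "url=<verdict> identity=<verdict>" per author (constructed data).
func Compare() map[string]string {
	f := Filter{
		GroupRep:    map[string]float64{"vendor-security-team": 0.9, "known-spam-ring": 0.05},
		IdentityRep: map[string]float64{"alice": 0.8},
		GroupWeight: 0.5,
		Threshold:   0.6,
	}
	shared := "https://forum.example/thread/123"
	blacklist := map[string]bool{shared: true} // the whole thread got listed
	docs := []Document{
		{URL: shared, Author: Identity{Name: "alice", Groups: []string{"vendor-security-team"}}},
		{URL: shared, Author: Identity{Name: "mallory", Groups: []string{"known-spam-ring"}}},
	}
	out := map[string]string{}
	for _, d := range docs {
		out[d.Author.Name] = fmt.Sprintf("url=%s identity=%s", URLBlacklistVerdict(blacklist, d), f.Verdict(d))
	}
	return out
}

func main() {
	for name, v := range Compare() {
		fmt.Println(name, v)
	}
}
```

With the shared thread blacklisted, the URL filter blocks both posts, including the one from a reputable author, whereas the identity filter allows alice's post and blocks mallory's; that is the "blocking good content or allowing bad content" trade-off the patent says location-based filtering cannot escape.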
III. The Accused Instrumentality
Product Identification
- The complaint accuses Cisco’s Identity Services Engine (“ISE”) of infringing the ’705 patent and Cisco’s Email Security products of infringing the ’892 patent (Compl. ¶¶ 2-3).
Functionality and Market Context
- Cisco ISE: The complaint alleges that ISE is a network access control product that acts as a "centerpiece in zero-trust security for the workplace" (Compl. ¶38). Its accused functionality includes performing a "posture assessment" on devices connecting to a network to check for compliance with security policies, such as having up-to-date software patches and antivirus definitions. If a device is non-compliant, ISE is alleged to grant limited access for remediation or place the device in quarantine (Compl. ¶¶ 39, 43). The "Posture Assessment Flow" diagram provided in the complaint illustrates a multi-step process of authentication, limited access, assessment, remediation, and authorization (Compl. p. 13).
- Cisco Email Security: The complaint describes these products as providing email protection using "reputation filtering" based on threat intelligence from Cisco's Talos group (Compl. ¶54, Exhibit H). This filtering allegedly involves performing a reputation check on hyperlinks within emails and blocking those from sources with known bad reputations. The system is alleged to determine reputation verdicts for email messages based on the sender's identity and domain (Compl. ¶¶ 56, 58).
IV. Analysis of Infringement Allegations
’705 Patent Infringement Allegations
| Claim Element (from Independent Claim 19) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| [A] detecting an insecure condition on a first host that has connected or is attempting to connect to a protected network, | Cisco ISE performs a "posture assessment" to check if a device is compliant with the network's security policy. | ¶39 | col. 11:15-19 |
| [B1] contacting a trusted computing base associated with a trusted platform module within the first host, | ISE uses a "trusted posture agent such as Cisco AnyConnect" that resides on the client machine to enable detection of an insecure condition. | ¶40 | col. 11:21-23 |
| [B2] receiving a response, and determining whether the response includes a valid digitally signed attestation of cleanliness, | ISE receives a response indicating whether the device is compliant. A "Posture Log" screenshot shows a "result: compliant" finding. | ¶41 | col. 11:23-25 |
| [C] wherein the valid digitally signed attestation of cleanliness includes...an attestation that the first host is not infested, and an attestation that the trusted computing base has ascertained the presence of a patch or a patch level... | ISE is alleged to check for the "latest OS patch, antivirus and antispyware packages," confirming the device is not infested and has appropriate patches. | ¶42 | col. 11:26-34 |
| [D] when it is determined that the response does not include a valid digitally signed attestation of cleanliness, quarantining the first host... | If ISE detects an insecure condition, it places the endpoint in quarantine via "adaptive network control policies" that deny or limit access. | ¶43 | col. 11:35-41 |
| [E] wherein preventing the first host from sending data...includes [E1] receiving a service request...serving a quarantine notification page...[E2]...providing in response an IP address of a quarantine server... | When a device is quarantined, ISE can provide limited access by redirecting it to a different portal, such as a quarantine page. A screenshot shows a "Cisco NAC Web Agent" quarantine notice. | ¶¶44, 45 | col. 11:42-59 |
| [F] permitting the first host to communicate with the remediation host. | ISE allegedly permits an insecure device to communicate with a remediation host by allowing clients to click a URL to access a remediation page or resource. | ¶46 | col. 11:60-61 |
- Identified Points of Contention:
- Scope Questions: A central dispute may arise over the meaning of "trusted computing base associated with a trusted platform module." The patent specification refers to hardware-based security standards such as the Trusted Computing Group (TCG) specifications (’705 Patent, col. 14:1-6). In the TCG model an attestation is a report of platform measurements signed with a key that the TPM protects, so the verifier's trust rests on hardware rather than on the software doing the reporting. The infringement case therefore raises the question of whether the accused software-only "posture agent" (Cisco AnyConnect) can meet this limitation, or whether the claim requires interaction with a hardware TPM.
- Technical Questions: The complaint alleges that ISE receives a "valid digitally signed attestation of cleanliness," but the supporting evidence, such as a "Posture Log" screenshot (Compl. p. 15), does not mention a digital signature. A "result: compliant" entry records the outcome of a posture check; it says nothing about whether the report carrying that result was signed, by what key, or how any signature was verified. A key technical question will be what evidence shows that the compliance reports generated by the accused system constitute a "digitally signed attestation" as the claim requires.
’892 Patent Infringement Allegations
| Claim Element (from Independent Claim 15) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| [A] determining an identity relating to a person, wherein the identity is associated with the electronic document; | Cisco's Syslog software features are alleged to determine the identities of email senders, providing "user identity information" for the source of a network packet. | ¶55 | col. 2:24-26 |
| [B] determining that the person is a member of a group, wherein the group is associated with a group-related service and wherein the group is associated with a group reputation; | Cisco's Sender Domain Reputation (SDR) service allegedly determines an email sender's group or domain and the associated reputation of that group. | ¶56 | col. 2:29-32 |
| [C] determining an identity reputation, wherein the identity reputation is...based at least in part on the group reputation; | The accused products allegedly determine a reputation for the email sender's identity that is based in part on the reputation of the sender's group or domain. | ¶57 | col. 2:50-55 |
| [D] determining a document reputation, wherein determining the document reputation uses the identity reputation. | The accused products allegedly provide a reputation verdict for an email message that is based on the sender's identity reputation. | ¶58 | col. 2:50-55 |
- Identified Points of Contention:
- Prior to the cancellation of the asserted claims in IPR, the core of the dispute would have centered on questions of scope and technical operation. For instance, a scope question would be whether a sender's email domain constitutes a "group" with a "group reputation" as contemplated by the patent. A technical question would have been whether the accused product's algorithm for combining domain and sender scores maps onto the claimed method of determining an "identity reputation... based at least in part on the group reputation." However, these points are now likely moot.
V. Key Claim Terms for Construction
For the ’705 Patent:
- The Term: "trusted computing base associated with a trusted platform module"
- Context and Importance: This term is a cornerstone of independent claim 19. The infringement theory depends on construing this term to cover a software agent. If the term is construed more narrowly to require a specific hardware component (a TPM chip), the infringement allegation may fail. Practitioners may focus on this term because it appears to be a specific, technical limitation rather than a generic one.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent does not provide an explicit definition of the term, which a plaintiff might argue leaves room for a functional interpretation where any component, software or hardware, that establishes a root of trust for measurement could qualify.
- Evidence for a Narrower Interpretation: The specification expressly refers to Microsoft's Palladium security initiative (supported by Intel and AMD) and to "TCG specifications, such as the TCG Architecture Overview" (’705 Patent, col. 14:1-6). These references point directly to industry standards for hardware-based trusted computing, strongly suggesting the term was intended to mean a TPM together with the trusted software that relies on it, not a standalone software agent.
For the ’892 Patent:
- Analysis of key claim terms is moot, as the asserted claims (14 and 15) have been cancelled by the U.S. Patent and Trademark Office. Prior to cancellation, a key term would have been "group reputation".
VI. Other Allegations
- Indirect Infringement: The complaint does not provide sufficient detail for analysis of indirect infringement. It makes allegations of direct infringement by Cisco through its making and selling of the accused products, but does not plead specific facts to support inducement or contributory infringement, such as alleging that Cisco instructs or encourages its customers to use the products in an infringing manner (Compl. ¶¶ 35, 50).
- Willful Infringement: The complaint does not contain allegations that would support a claim for willful infringement. There is no mention of pre-suit knowledge of the patents, such as a prior notice letter or a history of licensing negotiations.
VII. Analyst’s Conclusion: Key Questions for the Case
Impact of IPR: The foremost issue is the post-filing cancellation of all asserted claims of the ’892 patent. A central question is whether the plaintiff will voluntarily dismiss this portion of the case or if the defendant will secure its dismissal on the merits, rendering the allegations of infringement of the ’892 patent moot.
Definitional Scope: For the surviving '705 patent, the case will likely turn on claim construction. A core issue will be one of definitional scope: can the term "trusted computing base associated with a trusted platform module," which the patent specification links to specific hardware-based security standards, be construed broadly enough to read on the accused "Cisco AnyConnect" software agent?
Evidentiary Sufficiency: Beyond claim construction, a key evidentiary question will be one of technical proof: does the evidence presented in the complaint, such as screenshots of administrative logs, sufficiently demonstrate that the accused ISE system generates a "valid digitally signed attestation of cleanliness," or is there a mismatch between the system's actual function and this specific technical requirement of the claim?