PacSec3 LLC v. BlackBerry Corp

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: PacSec3, LLC (Texas)
  • Defendant: Blackberry Corporation (Canada)
  • Plaintiff’s Counsel: Ramey LLP
• Case Identification: PacSec3, LLC v. Blackberry Corporation, 6:22-cv-00128, W.D. Tex., 01/05/2024
• Venue Allegations: Venue is based on Defendant having a regular and established place of business in the Western District of Texas and conducting substantial business in the district.
• Core Dispute: Plaintiff alleges that Defendant’s Enterprise System Cylance, a firewall and DDOS protection product, infringes a patent related to a method for defending against network packet flooding attacks.
• Technical Context: The technology addresses distributed denial-of-service (DDoS) attacks by enabling a target system to cooperatively trace the path of malicious traffic through network routers and request that those routers limit the traffic flow.
• Key Procedural History: This filing is a Second Amended Complaint. The patent-in-suit, U.S. Patent No. 7,523,497, was the subject of an ex parte reexamination proceeding. The Reexamination Certificate, issued May 22, 2023, confirmed the patentability of asserted claims 7 and 10, while cancelling several other claims. This history may focus the dispute on the specific language of the confirmed claims.

Case Timeline

Date	Event
2000-11-16	’497 Patent Priority Date
2009-04-21	’497 Patent Issue Date
2023-05-22	’497 Patent Reexamination Certificate Issued
2024-01-05	Plaintiff's Second Amended Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

• Patent Identification: U.S. Patent No. 7,523,497, "PACKET FLOODING DEFENSE SYSTEM," issued April 21, 2009 (’497 Patent). (Compl. ¶6).

The Invention Explained

• Problem Addressed: The patent addresses "packet flooding attacks," where an attacker overwhelms a victim’s network bandwidth with useless data. (’497 Patent, col. 2:7-11). It notes that prior art defenses were often ineffective because they relied on information that an attacker could easily falsify, such as the packet's source address. (’497 Patent, col. 2:2-6).
• The Patented Solution: The invention proposes a distributed defense where a victim computer or firewall cooperates with network routers to mitigate an attack. The core concept is to use "attacker-independent information" about the physical path a packet has traveled through the network to identify and throttle malicious traffic. (’497 Patent, col. 4:1-5). A victim site can identify unwanted packets, use information from routers to determine the path those packets took, and then request the upstream routers on that path to limit the rate at which they forward similar packets. (’497 Patent, Abstract; col. 6:11-25).
• Technical Importance: This approach sought to create a more robust defense by shifting reliance from easily spoofed packet headers to the more stable and verifiable network topology itself. (’497 Patent, col. 3:61-65).

Key Claims at a Glance

• The complaint asserts independent claims 7 and 10, along with dependent claims 8-9, 11-12, 14-15, and 17-18. (Compl. ¶8).
• Independent Claim 7 (Method at a Host Computer):
  • Determining a path by which data packets arrive at a host computer via "packet marks provided by routers" leading to the host.
  • The path comprises "all routers" in the network via which the packets are routed.
  • Classifying received packets into "wanted" and "unwanted" categories "by path."
  • Associating a "maximum acceptable processing rate" for each class of packet.
  • Allocating a processing rate for "unwanted data packets" that is less than or equal to the maximum rate.
• Independent Claim 10 (Method at a Router):
  • Determining a path by which data packets arrive at a router via "packet marks provided by routers" leading to it.
  • The path comprises "all routers" in the network via which the packets are routed.
  • Classifying received packets "by path."
  • Associating a "maximum acceptable transmission rate" for each class.
  • Allocating a transmission rate for "unwanted data packets" equal to or less than the maximum rate.
• The complaint reserves the right to amend its infringement contentions. (Compl. p. 3, fn. 1-2).

III. The Accused Instrumentality

Product Identification

• The accused instrumentality is identified as Blackberry's "Enterprise System Cylance." (Compl. ¶8).

Functionality and Market Context

• The complaint characterizes the accused product as a "firewall system" that provides "DDOS protection systems." (Compl. ¶8, ¶a). It is alleged that Blackberry sells, offers for sale, and manufactures these systems, from which it derives monetary and commercial benefit. (Compl. ¶8). The complaint does not provide specific technical details regarding how the Enterprise System Cylance operates to provide DDOS protection.

No probative visual evidence provided in complaint.

IV. Analysis of Infringement Allegations

The complaint states that support for its infringement allegations may be found in "Exhibit B, a preliminary table," but this exhibit is not included with the complaint. (Compl. ¶9). The complaint itself does not provide an element-by-element breakdown of its infringement theory. The narrative theory is that Blackberry's "Enterprise System Cylance" products practice the methods claimed in the ’497 Patent. (Compl. ¶8).

• Identified Points of Contention:
  • Technical Questions: A central question will be what evidence demonstrates that the Enterprise System Cylance performs the specific functions required by the claims. For example, what evidence shows that the accused system determines a packet's path using "packet marks provided by routers"? Further, does the system classify packets into "wanted" and "unwanted" categories based on this path information, as opposed to other metrics like traffic signatures or behavioral anomalies? The complaint does not contain facts to address these technical points.
  • Scope Questions: The claims require determining a path that comprises "all routers in said network via which said packets are routed." (’497 Patent, col. 9:50-53). A potential point of contention is whether the accused system determines the entire, exhaustive path of a packet, or if it uses a different and potentially more limited method of tracing traffic, and whether such a method falls within the scope of the claim language.

V. Key Claim Terms for Construction

• The Term: "packet marks provided by routers"

• Context and Importance: This term is central to the claimed invention's mechanism for path determination. The infringement analysis will depend heavily on whether the method used by the accused system to trace traffic can be considered "packet marks provided by routers." Practitioners may focus on this term because its construction will determine whether the claims cover only specific, pre-defined marking protocols or a broader range of router-derived data that can be used to trace a packet's path.

• Intrinsic Evidence for Interpretation:

  • Evidence for a Broader Interpretation: The specification describes the goal as using "attacker-independent information about the path a packet takes." (’497 Patent, col. 3:65-col. 4:2). This could suggest that any reliable, router-generated data that reveals path information, not just a specifically formatted "mark," could fall within the term's scope.
  • Evidence for a Narrower Interpretation: The patent repeatedly refers to "cooperating sites and routers," suggesting the marks are part of a specific, collaborative system. (’497 Patent, col. 2:31-32). This could support an interpretation that the term requires a specific protocol implemented on participating routers, rather than passively interpreting standard network data.

• The Term: "path comprising all routers in said network via which said packets are routed"

• Context and Importance: This phrase defines the "path" that is used for classification. Its construction is critical because infringement requires the accused system to determine a path of this specific, exhaustive scope.

• Intrinsic Evidence for Interpretation:

  • Evidence for a Broader Interpretation: A party could argue that in the context of the invention, "all routers" should be understood functionally as "all discoverable routers" or a sufficiently complete path to enable the defense, reflecting the practical realities of network tracing.
  • Evidence for a Narrower Interpretation: The plain language is absolute ("all routers"). This explicit language, which was confirmed during reexamination for claims 7 and 10, provides a strong basis for a narrow construction requiring a complete and exhaustive trace of every router on the path, which may be a high bar for the plaintiff to prove the accused system meets. (’497 Patent, col. 9:50-53).

VI. Other Allegations

• Indirect Infringement: The complaint alleges inducement by stating Blackberry instructs others to use its "DDOS protection systems." (Compl. ¶a). It further alleges Blackberry's actions "caused those claimed-invention embodiments as a whole to perform." (Compl. ¶8). The complaint reserves the right to amend to "re-assert indirect...infringement" pending discovery. (Compl. p. 3, fn. 1-2).
• Willful Infringement: Willfulness is not formally pleaded as a separate count. However, the complaint explicitly reserves the right to assert willful infringement based on pre-suit or post-filing knowledge that may be revealed during discovery. (Compl. p. 3, fn. 1-2).

VII. Analyst’s Conclusion: Key Questions for the Case

• A core issue will be one of definitional scope: can the term "packet marks provided by routers", which implies a specific mechanism for path discovery, be construed to read on the actual trace methodology employed by the Enterprise System Cylance? The outcome may depend on whether the system uses a proprietary cooperative protocol as envisioned by the patent or a more generic network analysis technique.
• A key evidentiary question will be one of factual proof: given the complaint's lack of technical detail, the case will likely turn on whether discovery reveals evidence that the accused system performs the precise sequence of steps recited in the asserted claims. Specifically, can the plaintiff prove that the system classifies traffic "by path" and that the "path" it determines is one "comprising all routers," as strictly required by the claim language that survived reexamination?