DCT
6:22-cv-00167
PacSec3 LLC v. Imperva Inc
Key Events
Complaint
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: PacSec3, LLC (Texas)
- Defendant: Imperva, Inc. (Delaware)
- Plaintiff’s Counsel: Ramey & Schwaller, LLP
- Case Identification: PacSec3, LLC v. Imperva, Inc., 6:22-cv-00167, W.D. Tex., 02/17/2022
- Venue Allegations: Plaintiff alleges venue is proper because Defendant maintains a regular and established place of business in the district, conducts substantial business there, and has committed alleged acts of infringement within the district.
- Core Dispute: Plaintiff alleges that Defendant’s DDoS protection systems and related firewall products infringe a patent related to defending computer networks against packet flooding attacks.
- Technical Context: The technology operates in the field of network security, specifically concerning methods for identifying and mitigating malicious traffic from Distributed Denial-of-Service (DDoS) attacks.
- Key Procedural History: The asserted patent, U.S. 7,523,497, was the subject of an ex parte reexamination proceeding that concluded after the complaint was filed. The Reexamination Certificate, issued May 22, 2023, cancelled several claims, including independent claim 1, and confirmed the patentability of method claims 7 and 10, which are among the claims asserted in this litigation. This development narrows the scope of the dispute to the surviving claims.
Case Timeline
| Date | Event |
|---|---|
| 2000-11-16 | '497 Patent Priority Date |
| 2002-01-01 | Defendant Imperva, Inc. founded (approximate) |
| 2009-04-21 | '497 Patent Issue Date |
| 2022-02-17 | Complaint Filing Date |
| 2023-05-22 | '497 Patent Reexamination Certificate Issue Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,523,497 - "PACKET FLOODING DEFENSE SYSTEM," Issued April 21, 2009
The Invention Explained
- Problem Addressed: The patent describes the problem of "packet flooding attacks," where an attacker overwhelms a victim's network bandwidth with useless data, rendering it unavailable for legitimate traffic ('497 Patent, col. 2:7-11). The patent notes a key challenge is that attackers can falsify the source address of malicious packets, which can "confound the defense" systems that rely on such information ('497 Patent, col. 2:3-5).
- The Patented Solution: The invention proposes a distributed defense system where routers and the target computer (the "victim") cooperate. Instead of relying on a packet's stated source address, the system determines the actual network path the packet traveled using "packet marks" provided by the routers along that path ('497 Patent, col. 4:62-67). Based on this path information, the victim computer can classify packets as wanted or unwanted and then instruct the responsible upstream routers to rate-limit or block the unwanted traffic at its source, freeing up network resources ('497 Patent, Abstract; col. 6:10-18).
- Technical Importance: The use of attacker-independent path information, rather than easily spoofed source addresses, was intended to create a more resilient defense against sophisticated denial-of-service attacks ('497 Patent, col. 4:1-5).
Key Claims at a Glance
- The complaint asserts claims 1-18, with a specific preliminary claim chart for method claim 7 (Compl. ¶8-9). Following reexamination, independent claim 1 has been cancelled, leaving method claim 7 as a central remaining independent claim.
- Independent Claim 7 (Method):
- determining a path by which data packets arrive at a host computer via packet marks provided by routers leading to said host computer; said path comprising all routers in said network via which said packets are routed to said computer;
- classifying data packets received at said host computer into wanted data packets and unwanted data packets by path;
- associating a maximum acceptable processing rate with each class of data packet received at said host computer; and
- allocating a processing rate less than or equal to said maximum acceptable processing rate for unwanted data packets.
- Plaintiff notes the infringement allegations are preliminary and reserves the right to assert other claims (Compl. ¶9-10).
III. The Accused Instrumentality
Product Identification
- The complaint identifies "one or more firewall systems" manufactured and sold by Imperva, including its "Imperva DDoS Protection" and "DDoS protection for DNS servers" products (Compl. ¶8-9).
Functionality and Market Context
- The complaint alleges the accused products are "always-on" services that protect servers from DDoS attacks by inspecting all incoming traffic (Compl. ¶9, p. 4). A screenshot provided in the complaint states the products use a "combination of reputation and rate-based heuristics to inspect incoming queries" and "filter out malicious packets without impacting legitimate visitors" (Compl. ¶9, p. 4). A separate visual from the complaint indicates the products allow a user to "set a threshold to rate-limit the queries your server receives" (Compl. ¶9, p. 5).
IV. Analysis of Infringement Allegations
'497 Patent Infringement Allegations
| Claim Element (from Independent Claim 7) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| determining a path by which data packets arrive at a host computer via packet marks provided by routers leading to said host computer; said path comprising all routers in said network via which said packets are routed to said computer; | The complaint asserts that Imperva's marketing materials describe "determining a path by which data packets arrive at a host computer via packet marks provided by routers," but the cited text describes inspecting queries using "reputation and rate-based heuristics." | ¶9, p. 4 | col. 8:19-22 |
| classifying data packets received at said host computer into wanted data packets and unwanted data packets by path; | Based on an Imperva datasheet stating the product "filters out malicious packets," the complaint alleges this function constitutes classifying packets into wanted and unwanted classes by path. The screenshot describes this filtering as part of a proxy-based solution that safeguards DNS servers from DDoS attacks. | ¶9, p. 5 | col. 8:12-15 |
| associating a maximum acceptable processing rate with each class of data packet received at said host computer; and | Citing marketing material describing the ability to "set a threshold to rate-limit the queries your server receives," the complaint alleges this feature meets the "associating a maximum acceptable processing rate" limitation. | ¶9, p. 5 | col. 8:16-19 |
| allocating a processing rate less than or equal to said maximum acceptable processing rate for unwanted data packets. | The complaint again points to the ability to "set a threshold to rate-limit the queries" as the infringing functionality for allocating a processing rate to unwanted packets. A screenshot describes this as part of "Improved DNS performance and control." | ¶9, p. 6 | col. 8:22-26 |
Identified Points of Contention
- Scope Questions: A primary question for the court will be whether the accused system's use of "reputation and rate-based heuristics" to inspect traffic (Compl. ¶9, p. 4) falls within the scope of the claim language "determining a path... via packet marks provided by routers." The patent appears to contemplate a specific mechanism involving cooperating routers marking packets, which is not explicitly described in the complaint's evidence.
- Technical Questions: The complaint alleges that Imperva's system classifies packets "by path" (Compl. ¶9, p. 5). A factual question is whether the accused system's filtering is based on the multi-hop network path, as the claim requires, or on other factors such as the packet's content, source reputation, or traffic volume, as the term "heuristics" may suggest. The complaint does not provide specific evidence detailing how the accused system determines a "path" or uses "packet marks."
V. Key Claim Terms for Construction
The Term: "packet marks provided by routers"
- Context and Importance: This term is the central mechanism of the claimed invention. The infringement analysis will depend heavily on whether the functionality of the accused Imperva system can be shown to use or be equivalent to "packet marks provided by routers." Practitioners may focus on this term because the complaint's evidence does not explicitly mention it, creating a potential mismatch.
- Intrinsic Evidence for a Broader Interpretation: The patent does not provide a single, narrow definition of "packet marks," which could suggest that any information added by a router to help trace a packet's origin might suffice.
- Intrinsic Evidence for a Narrower Interpretation: The specification consistently describes the path information as "attacker-independent" ('497 Patent, col. 4:3-4) and used to determine "the actual direction of the packet flow" ('497 Patent, col. 4:62-63). This context suggests the "marks" must originate from the trusted network infrastructure (the routers) rather than from data within the packet that an attacker could control.
The Term: "path comprising all routers in said network via which said packets are routed"
- Context and Importance: This phrase defines the granularity of the "path" that must be determined. The viability of the infringement allegation hinges on whether the accused system identifies a complete, multi-router path or merely an ingress point or source.
- Intrinsic Evidence for a Broader Interpretation: A party might argue that "path" does not require a literal, enumerated list of every router but rather a functional representation of the route sufficient to identify its source for rate-limiting.
- Intrinsic Evidence for a Narrower Interpretation: The use of the strong qualifier "all routers" in the claim itself ('497 Patent, col. 8:20-22) suggests a high bar for this limitation, potentially requiring the identification of the complete, hop-by-hop route the packet traveled through the network.
VI. Other Allegations
Indirect Infringement
- The complaint alleges induced infringement, stating that Imperva "actively encouraged or instructed" its customers on how to use the accused DDoS protection systems (Compl. ¶10). It also pleads contributory infringement, alleging there are "no substantial noninfringing uses" for the accused products and services (Compl. ¶11).
Willful Infringement
- Willfulness is alleged based on Defendant’s knowledge of the '497 patent "from at least the filing date of the lawsuit" (Compl. ¶10-11). Plaintiff explicitly reserves the right to amend this allegation if evidence of pre-suit knowledge is found during discovery (Compl. ¶10, fn. 1).
VII. Analyst’s Conclusion: Key Questions for the Case
The resolution of this dispute will likely depend on the court’s determination of the following key issues:
A central evidentiary issue will be one of technical operation: Does the accused Imperva system, which is described as using "reputation and rate-based heuristics," actually perform the specific method of determining a packet's route using "packet marks provided by routers," as required by the asserted claims, or does it operate on an entirely different technical principle?
The case will also turn on a question of definitional scope: Can the claim term "path comprising all routers in said network," which on its face suggests a complete multi-hop route, be construed to cover the source identification and traffic-filtering methods described in the defendant's marketing materials?
Finally, a significant procedural factor is the effect of the post-filing reexamination, which cancelled the originally asserted independent claim 1. The case will now focus on the surviving method claims, raising the question of whether prosecution history estoppel, arising from arguments made during reexamination, will further limit the scope of these remaining claims.