DCT
6:22-cv-00277
Invicta Networks Inc v. CrowdStrike Holdings Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Invicta Networks, Inc. (Delaware)
  - Defendant: CrowdStrike Holdings, Inc. (Delaware)
  - Plaintiff’s Counsel: Dunlap Bennett & Ludwig PLLC
- Case Identification: 6:22-cv-00277, W.D. Tex., 03/15/2022
- Venue Allegations: Venue is alleged based on Defendant’s principal executive office being located in Austin, Texas, which is within the Western District of Texas.
- Core Dispute: Plaintiff alleges that Defendant’s CrowdStrike Falcon Platform, a suite of cybersecurity products, infringes a patent related to systems and methods for detecting malicious code using a "dynamic decoy system," commonly known as a sandbox.
- Technical Context: The technology involves creating an isolated, mirrored software environment to safely execute and analyze suspicious code for malicious behavior, a foundational technique in modern cybersecurity for defending against unknown or "zero-day" threats.
- Key Procedural History: The complaint asserts that the patent-in-suit is "seminal" and has been cited by at least 85 subsequent patents and applications from major technology companies, suggesting its potential foundational role in the field. The complaint does not mention any prior litigation, licensing history, or post-grant proceedings involving the patent.
Case Timeline
| Date | Event |
|---|---|
| 2001-02-14 | '698 Patent Priority Date |
| 2006-03-07 | '698 Patent Issue Date |
| 2011-XX-XX | Defendant CrowdStrike Founded |
| 2022-03-15 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,010,698 - "Systems and Methods for Creating a Code Inspection System," issued March 7, 2006
The Invention Explained
- Problem Addressed: The patent addresses the shortcomings of prior art malware detection, which relied on comparing suspicious code against a "library" of known malicious code signatures (’698 Patent, col. 1:59-67). This approach was ineffective against new, unknown malware. Furthermore, existing "test chambers" were described as static and impractical to maintain, as they could not efficiently account for the vast and constantly changing combinations of operating systems and applications targeted by malware (’698 Patent, col. 2:5-42).
- The Patented Solution: The invention proposes a "code inspection system" featuring a "dynamic decoy machine" (DM) that is automatically created and updated to "substantially parallel" a live "protected system" (’698 Patent, Abstract; col. 4:45-53). Instead of just checking code signatures, this system executes suspicious code within the safe, mirrored environment of the DM. The system uses "actuator modules" to simulate normal user operations to trigger potential malware and "sensor modules" to monitor for malicious actions, such as unauthorized file access or deletions (’698 Patent, col. 3:9-39). This behavior-based analysis allows for the detection of previously unknown threats.
- Technical Importance: The technology represents a shift from static, signature-based malware detection to dynamic, behavioral analysis within an emulated environment, which the complaint alleges was not a "well-understood, routine, or conventional" technique at the time of the invention (Compl. ¶15).
Key Claims at a Glance
- The complaint asserts independent system claims 1, 7, 8, and 9; independent method claims 10, 14, 15, 16, and 18; and corresponding information storage media claims (Compl. ¶31, ¶55). Claims 1 and 10 are identified as representative (Compl. ¶17, ¶18).
- Independent Claim 1 (System) includes:
  - A code inspection management module that monitors and communicates with a protected system
  - A dynamic decoy system that is updated to substantially parallel relevant portions of the protected system
  - An actuator module
  - One or more sensor modules for analyzing actions and results of code execution
  - A final "wherein" clause requiring the system to allow code to be analyzed in the decoy system "as if" it were the protected system
- Independent Claim 10 (Method) includes the steps of:
  - Creating a dynamic decoy system that substantially parallels a protected system
  - Updating the dynamic decoy system based on changes to the protected system
  - Receiving and introducing code into the dynamic decoy system
  - Simulating operating conditions and monitoring sensors for results
  - A final "wherein" clause functionally equivalent to that in claim 1
- The complaint reserves the right to assert dependent claims 2-6, 11-13, 17, and 20-22, among others (Compl. ¶43).
III. The Accused Instrumentality
Product Identification
- The accused instrumentality is the "CrowdStrike Falcon Platform," which encompasses a suite of cybersecurity software, products, and services, with specific focus on the "Falcon Sandbox" module (Compl. ¶20, ¶23, ¶29).
Functionality and Market Context
- The complaint alleges the Falcon Platform provides endpoint security and threat intelligence, with the Falcon Sandbox component offering a "secure, isolated operating system environment" to analyze potential threats (Compl. ¶20). This sandbox is described as a "dynamic decoy system" that can "simulate or mirror a host system" (the protected system) to observe the behavior of malware (Compl. ¶20).
- A diagram in the complaint shows the "FALCON SANDBOX" as a component of the overall "FALCON PLATFORM," situated within the "THREAT INTELLIGENCE" product group (Compl. p. 9). Another diagram illustrates that the "SANDBOX" is used for "MALWARE ANALYSIS," which feeds into the central "CROWDSTRIKE INTELLIGENCE" engine, highlighting its role in the platform's data analysis workflow (Compl. p. 10).
- The complaint alleges the Falcon Platform has achieved significant commercial success, citing subscription revenue surpassing $1.5 billion in Annual Recurring Revenue as of late 2021 (Compl. ¶6).
IV. Analysis of Infringement Allegations
The complaint alleges that the CrowdStrike Falcon Platform, particularly its Falcon Sandbox feature, meets every element of the asserted claims. The infringement theory is based on mapping the components of the Falcon Platform to the elements recited in the patent's claims.
'698 Patent Infringement Allegations (Claim 1, System)
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a code inspection management module that monitors and communicates with a protected system; | The Falcon Platform allegedly uses a "lightweight agent" on the user's host machine (the protected system) to monitor it and communicate with the cloud-based platform. | ¶20, ¶33 | col. 3:9-11 |
| a dynamic decoy system that, in cooperation with the code inspection management module, is updated to substantially parallel relevant portions of the protected system; | The "Falcon Sandbox" is alleged to be the "dynamic decoy system," providing secure, isolated environments that "are updated to simulate or mirror a host system." | ¶20, ¶33 | col. 4:45-53 |
| an actuator module; | The Falcon Sandbox allegedly "interacts (e.g., actuator modules) with the malware" to trigger and analyze its behavior. | ¶20, ¶33 | col. 3:24-31 |
| one or more sensor modules, wherein the dynamic decoy system is capable of analyzing at least one of actions and results of one or more portions of code in response to stimuli from the actuator module, | The Falcon Sandbox allegedly "observes (e.g., sensor modules) every action and result" of the code executing within the isolated environment. | ¶20, ¶33 | col. 3:32-35 |
| wherein the relevant portions of the protected system allow the one or more portions of code to be analyzed in the dynamic decoy system as if the dynamic decoy system were the protected system. | The complaint alleges the sandbox "simulates portions of the hosts, such as the CPU, the operating system, system memory, and all devices" to achieve this purpose. | ¶20, ¶33 | col. 4:55-59 |
- Identified Points of Contention:
  - Scope Questions: The patent was filed in 2001 and appears to describe a system where the "decoy machine" and "protected system" are more tightly integrated. A potential dispute is whether the claims can be construed to read on the accused product's distributed, client-server architecture, where a "lightweight agent" on an endpoint sends files to a separate, cloud-based "Sandbox" for analysis.
  - Technical Questions: A key question will be the required fidelity of the "dynamic decoy system." The complaint alleges the Falcon Sandbox is "updated to...mirror a host system," but it does not specify the degree to which the sandbox environment is customized to match a specific user's endpoint configuration versus using a generic, pre-configured virtual machine image. The interpretation of "substantially parallel" will be central to this inquiry.
V. Key Claim Terms for Construction
The Term: "dynamic decoy system"
- Context and Importance: This term is the central component of the invention. Its construction will determine whether a modern, cloud-based sandbox service falls within the scope of the claims. Practitioners may focus on whether "dynamic" requires real-time creation and updating based on a specific protected system, or if a pre-existing, selectable virtual environment suffices.
- Evidence for a Broader Interpretation: The specification allows that the decoy machine can be a "virtual, stand alone, or dedicated dynamic decoy machine," which could support an argument that it covers a separate, cloud-hosted service (’698 Patent, col. 5:52-54).
- Evidence for a Narrower Interpretation: The specification repeatedly describes the decoy as an "accurate software copy" or "substantial duplicate" of the protected system, created and updated to "closely parallel" its configuration (’698 Patent, col. 4:51-53, col. 4:61-62). This could support a narrower construction requiring a high-fidelity, one-to-one mirror of a specific endpoint.
The Term: "updated to substantially parallel relevant portions of the protected system"
- Context and Importance: This limitation is critical for establishing the "dynamic" nature of the claimed system. The dispute will likely focus on whether the accused Falcon Sandbox is "updated" based on ongoing changes to a specific user's system, or if it simply uses standardized environments that are periodically updated by the defendant.
- Evidence for a Broader Interpretation: The term "relevant portions" could be argued to mean only high-level characteristics like the operating system version, which a cloud sandbox could easily provide without direct, continuous monitoring of a specific endpoint.
- Evidence for a Narrower Interpretation: Claim 9 links updating to specific events like "installed software, installed hardware, operating system upgrades, software upgrades, hardware upgrades, software deletions, hardware deletions and input/output devices," suggesting a tight, responsive coupling between the protected system and the decoy system (’698 Patent, col. 11:28-34).
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement of infringement based on Defendant’s promotion and support of the Falcon Platform. Specific alleged acts include advertising, providing data sheets, video demonstrations, educational courses, free trials, and partner integration programs that allegedly instruct and encourage users to use the platform in an infringing manner (Compl. ¶51-52).
- Willful Infringement: The complaint does not use the term "willful." However, it alleges that Defendant has knowledge of the ’698 patent "by the filing of this Complaint" and continues to infringe, which may form the basis for a claim of post-filing willful infringement (Compl. ¶30, ¶52). No allegations of pre-suit knowledge are made.
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: Can the claim term "dynamic decoy system", which the patent describes as being an "accurate software copy" of a "protected system," be construed to cover a modern, cloud-based sandbox service that may use generalized virtual environments rather than a high-fidelity, one-to-one duplicate of a specific user's machine?
- A second central question will concern technical operation and proof: What evidence will show that the accused Falcon Sandbox is "updated to substantially parallel" a specific protected system? The case may turn on factual discovery into how Defendant's cloud architecture uses data from an endpoint to configure the analysis environment and whether this process meets the "updating" requirements of the claims.
- Finally, for method claims, a key legal and factual hurdle will be liability for joint infringement: Given the distributed nature of the accused system, where the end-user possesses the "protected system" and Defendant operates the "dynamic decoy system," the court will have to determine if Defendant "directs or controls" its users' actions with sufficient specificity to be held liable for performing all steps of the claimed method.