DCT

6:22-cv-01039

CTD Networks LLC v. Cisco Systems Inc

Log In

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 6:22-cv-01039, W.D. Tex., 04/21/2023
  • Venue Allegations: Plaintiff alleges venue is proper because Defendant has committed acts of infringement in the district and maintains a regular and established place of business in San Antonio, Texas.
  • Core Dispute: Plaintiff alleges that Defendant’s Cisco Secure Workload, a workload protection platform, infringes four patents related to distributed, agent-based network security and threat detection systems.
  • Technical Context: The technology at issue involves systems that use distributed software agents to monitor computer networks, pool data for analysis, identify threats based on behavioral patterns, and coordinate defensive responses.
  • Key Procedural History: The complaint is a First Amended Complaint. Plaintiff alleges that Defendant has had knowledge of its infringement of at least three of the patents-in-suit since February 9, 2021, which forms the basis for the willfulness allegations.

Case Timeline

Date Event
2002-10-23 Priority Date for U.S. Patent No. 9,438,614
2002-12-24 Priority Date for U.S. Patent Nos. 8,327,442, 9,503,470, & 11,171,974
2012-12-04 U.S. Patent No. 8,327,442 Issues
2016-09-06 U.S. Patent No. 9,438,614 Issues
2016-11-22 U.S. Patent No. 9,503,470 Issues
2021-02-09 Alleged Date of Defendant's Knowledge of Infringement
2021-11-09 U.S. Patent No. 11,171,974 Issues
2023-04-21 First Amended Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,327,442

  • Patent Identification: U.S. Patent No. 8,327,442, "System and method for a distributed application and network security system (SDI-SCAM)," issued December 4, 2012. (Compl. ¶12).

The Invention Explained

  • Problem Addressed: The patent describes the vulnerability of computer networks to unauthorized intrusions, noting that security systems focused on individual machines are often too slow to counter coordinated, network-level attacks, allowing threats like viruses to propagate widely before a response can be formulated and deployed. (’442 Patent, col. 2:20-43).
  • The Patented Solution: The invention is a distributed security architecture called SDI-SCAM (System for a Distributed application and network security system). In this system, software agents installed on each computer in a network not only protect the local machine but also pool and analyze information from across the network to rapidly detect patterns consistent with a coordinated attack. (’442 Patent, Abstract). When a new threat is identified, the system distributes warnings and countermeasures to all machines in real-time, functioning as a collective, self-updating security system. (’442 Patent, col. 2:44-54).
  • Technical Importance: This architecture represented a conceptual shift from reactive, siloed security to a proactive, network-wide "immune system" designed to operate in real-time. (’442 Patent, col. 2:44-54).

Key Claims at a Glance

  • The complaint asserts infringement of at least independent claim 1. (Compl. ¶20).
  • The essential elements of independent claim 1 include:
    • A distributed security system protecting individual computers in a network, comprising agents on each computer.
    • Each agent performs steps including: creating statistical models of usage; gathering and analyzing usage information; determining a pattern of usage consistent with an intrusion or attack; and determining a probability of the likelihood of an intrusion.
    • The system distributes real-time warnings and countermeasures when the determined probability exceeds a statistical threshold.
    • Agents update their statistical models to reflect current usage and threat likelihood.
    • Agents schedule anti-viral software updates based on different probability levels of an intrusion.
    • Agents suspend the schedule to provide an immediate anti-viral software update when an attack is detected or when the probability of infection is high. (’442 Patent, col. 15:58-16:30).

U.S. Patent No. 9,438,614

  • Patent Identification: U.S. Patent No. 9,438,614, "Sdi-scam," issued September 6, 2016. (Compl. ¶13).

The Invention Explained

  • Problem Addressed: The patent addresses the challenge of not only detecting but also characterizing threats within a complex computer environment, which is necessary to deploy effective, customized defensive actions rather than generic ones. (’614 Patent, col. 5:3-12).
  • The Patented Solution: The invention is a distributed multi-agent system that employs analytical models to rapidly identify and characterize conditions (behaviors, events, functions) that are abnormal or suspicious. (’614 Patent, Abstract). The system provides analytical interfaces to administrators, estimates the nature of a potential threat, and can recommend or autonomously implement optimal countermeasures and recovery strategies. (’614 Patent, col. 6:3-10).
  • Technical Importance: The technology provides a framework for an intelligence-driven security posture that moves beyond simple threat detection to encompass probabilistic analysis, classification, and optimized, dynamic response. (’614 Patent, col. 6:11-20).

Key Claims at a Glance

  • The complaint asserts infringement of at least independent claim 10. (Compl. ¶29).
  • The essential elements of independent claim 10 include:
    • A system that detects the state of a computer network.
    • A plurality of distributed agents designed for adaptive learning and probabilistic analysis.
    • The agents passively collect, monitor, aggregate, and pattern-analyze data to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the network.
    • The system determines from the pattern analysis whether a probability threshold of suspicious activity has been exceeded.
    • When the threshold is exceeded, the system alerts other agents, a central server, and/or a human operator. (’614 Patent, col. 19:35-49).

Multi-Patent Capsule: U.S. Patent No. 9,503,470

  • Patent Identification: U.S. Patent No. 9,503,470, "Distributed agent based model for security and response," issued November 22, 2016. (Compl. ¶14).
  • Technology Synopsis: This patent describes a distributed, agent-based model for network security where numerous agents monitor a system for anomalies against established baselines. (’470 Patent, col. 4:39-44). The system uses Bayesian analysis to estimate the probability that a particular pattern of activity is hostile and, if so, can initiate a "cascade of defensive and prophylactic measures," functioning as a software "immune system." (’470 Patent, col. 4:7-12).
  • Asserted Claims: Independent claim 1 is asserted. (Compl. ¶38).
  • Accused Features: The complaint alleges that Cisco Secure Workload infringes the ’470 Patent. (Compl. ¶¶18, 38).

Multi-Patent Capsule: U.S. Patent No. 11,171,974

  • Patent Identification: U.S. Patent No. 11,171,974, "Distributed agent based model for security monitoring and response," issued November 9, 2021. (Compl. ¶15).
  • Technology Synopsis: This patent discloses a security system using a plurality of distributed agents that passively collect, monitor, and aggregate data representative of activities at network nodes. (’974 Patent, col. 5:57-64). The system features a "distributed adaptive machine learning model" that analyzes this aggregated data to predict threats and generates counteroffensive measures based on "relevance feedback," which includes trial-and-error results from responses to previous attacks. (’974 Patent, col. 27:8-28:28).
  • Asserted Claims: Independent claim 1 is asserted. (Compl. ¶47).
  • Accused Features: The complaint alleges that Cisco Secure Workload infringes the ’974 Patent. (Compl. ¶¶18, 47).

III. The Accused Instrumentality

Product Identification

The accused product is Cisco’s workload protection platform known as Cisco Secure Workload, which was formerly known as Tetration. (Compl. ¶18).

Functionality and Market Context

The complaint identifies the accused product as a "workload protection platform" but provides no specific technical details regarding its operation, instead referencing a product marketing URL. (Compl. ¶18). The complaint alleges that the product is made, used, sold, and offered for sale throughout the United States and the Western District of Texas. (Compl. ¶¶3, 7, 25). The specific details of how the accused product allegedly infringes are contained in Exhibits E, F, G, and H, which are referenced but not included with the complaint. (Compl. ¶¶27, 36, 45, 52).

IV. Analysis of Infringement Allegations

The complaint references claim chart exhibits for each asserted patent (Exhibits E, F, G, and H), but these exhibits were not provided with the filed complaint document. (Compl. ¶¶27, 36, 45, 52). No probative visual evidence provided in complaint. The infringement theory is therefore summarized in prose based on the narrative allegations.

For the ’442 Patent, the complaint alleges that Defendant’s making, using, and selling of the Cisco Secure Workload products constitutes direct infringement of at least claim 1. (Compl. ¶20). The narrative theory is that the Accused Product is a distributed security system that performs the claimed steps of creating statistical models, analyzing usage, and distributing countermeasures like software updates. (Compl. ¶20; ’442 Patent, cl. 1).

For the ’614 Patent, the complaint alleges that the Cisco Secure Workload product directly infringes at least claim 10. (Compl. ¶29). The narrative theory is that the Accused Product embodies the claimed system, which uses distributed agents, adaptive learning, and probabilistic analysis to detect threats and alert operators when a probability threshold is exceeded. (Compl. ¶29; ’614 Patent, cl. 10).

Identified Points of Contention

  • Scope Questions: A potential point of contention for the ’442 Patent is whether the accused product's security policy enforcement mechanisms qualify as "anti-viral software updates" as specifically recited in claim 1. The definition of this term may be disputed if the accused functionality is broader than traditional antivirus software.
  • Technical Questions: For the ’614 Patent, a central question will be whether the Cisco Secure Workload platform actually employs "probabilistic analysis" and a "probability threshold" to trigger alerts, as required by claim 10. The infringement analysis may turn on evidence demonstrating a direct technical correspondence versus the use of alternative, non-probabilistic logic (e.g., deterministic rule-based engines).

V. Key Claim Terms for Construction

For U.S. Patent No. 8,327,442

  • The Term: "anti-viral software" (from claim 1)
  • Context and Importance: This term appears in the final two limitations of claim 1, which require scheduling and delivering "anti-viral software updates." The infringement analysis may depend on whether the security updates or policies managed by Cisco Secure Workload fall within the scope of this term. Practitioners may focus on this term because modern workload protection often involves application segmentation and policy enforcement, which may differ from the common understanding of "anti-viral software."
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification discusses distributing "warnings and potential countermeasures" generally, which a party could argue supports a construction that is not limited to traditional virus scanners. (’442 Patent, col. 1:52-54).
    • Evidence for a Narrower Interpretation: The claim language itself is specific. The specification also uses the term in a conventional sense, discussing the detection of a "new virus" and the deployment of "new anti-viral software." (’442 Patent, col. 5:36-38; col. 7:30-32). This suggests the term was intended to have its ordinary meaning in the art at the time of invention.

For U.S. Patent No. 9,438,614

  • The Term: "probability threshold" (from claim 10)
  • Context and Importance: Claim 10 requires the system to determine if a "probability threshold of suspicious activity" has been exceeded. This limitation is critical because it may require a specific type of mathematical or statistical operation. Infringement will question whether the accused system's decision-making logic meets this requirement.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent's abstract refers more generally to implementing "statistical flagging functions" and estimating "likely conditions," which could be argued to encompass any statistical trigger, not just a formal probability calculation. (’614 Patent, Abstract).
    • Evidence for a Narrower Interpretation: The claim explicitly uses the word "probability," and the specification repeatedly refers to "probabilistic" models, "probability distribution," and ascribing an "overall probability level." (’614 Patent, col. 5:8-12). This repeated and specific usage may support a narrower construction requiring a formal probabilistic computation and comparison to a defined threshold.

VI. Other Allegations

Indirect Infringement

The complaint does not contain specific counts for indirect infringement (inducement or contributory infringement), focusing its allegations on direct infringement under 35 U.S.C. §271(a). (Compl. ¶¶20, 29, 38, 47).

Willful Infringement

The complaint alleges that Defendant's infringement of the ’442, ’614, and ’470 patents has been willful. (Compl. ¶¶21, 30, 39). The basis for this allegation is Defendant’s purported knowledge of the patents and its infringement "since at least February 9, 2021." (Compl. ¶¶22, 31, 40). The complaint further alleges that Defendant "has made no attempt to design around the claims" of the patents-in-suit. (Compl. ¶¶23, 32, 41, 48).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of claim construction and scope: can terms rooted in an earlier era of cybersecurity, such as "anti-viral software" (’442 Patent), be construed broadly enough to read on the functionalities of a modern workload protection platform that may operate using different paradigms like micro-segmentation and behavioral policy enforcement?
  • A key evidentiary question will be one of technical equivalence: without detailed infringement contentions in the complaint itself, the case will likely turn on discovery into the precise operation of the Cisco Secure Workload platform. The central factual dispute will be whether its security analytics engine performs the specific "probabilistic analysis" and uses a "probability threshold" as claimed in the ’614 patent, or if it achieves a similar outcome through a technically distinct, non-infringing method.