DCT

6:22-cv-01042

CTD Networks LLC v. Google LLC

Log In

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 6:22-cv-01042, W.D. Tex., 10/06/2022
  • Venue Allegations: Plaintiff alleges venue is proper because Defendant has regular and established places of business in the district, including a specific office in Austin, Texas.
  • Core Dispute: Plaintiff alleges that Defendant’s cloud and cybersecurity services infringe four patents related to distributed, agent-based network security systems.
  • Technical Context: The technology concerns distributed network security, where software agents on multiple computers in a network collaboratively monitor, analyze, and respond to cyber threats, in contrast to security systems that operate in isolation on single machines.
  • Key Procedural History: The four patents-in-suit belong to a single, interconnected patent family. The complaint alleges that Defendant has had knowledge of its infringement of the '442, '614, and '470 patents since at least February 9, 2021. No other significant procedural events are mentioned.

Case Timeline

Date Event
2002-10-23 '614 Patent Priority Date
2002-12-24 '442, '470, & '974 Patents Priority Date
2012-12-04 '442 Patent Issue Date
2016-09-06 '614 Patent Issue Date
2016-11-22 '470 Patent Issue Date
2021-02-09 Alleged Pre-Suit Knowledge Date ('442, '614, '470 Patents)
2021-11-09 '974 Patent Issue Date
2022-10-06 Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,327,442 - System and method for a distributed application and network security system (SDI-SCAM)

  • The Invention Explained:
    • Problem Addressed: The patent describes conventional computer network security as being focused on individual machines, which is insufficient for detecting and counteracting coordinated threats that spread across a network. This approach results in significant delays between the start of an attack and the development of a countermeasure ('442 Patent, col. 1:26-44).
    • The Patented Solution: The invention proposes a distributed security system where software "agents" are installed on various computers ("nodes") within a network. These agents constantly pool and analyze data from across the network to collectively detect patterns indicative of an intrusion or attack. When a threat is detected, the system can distribute warnings and countermeasures to all machines in real-time ('442 Patent, Abstract; col. 2:18-29).
    • Technical Importance: The technology represents a conceptual shift from endpoint-centric security to a collective, network-aware defense model designed to provide a more rapid and uniform response to sophisticated, widespread cyber threats ('442 Patent, col. 2:1-5).
  • Key Claims at a Glance:
    • The complaint asserts at least independent claim 1 ('Compl. ¶20).
    • Essential elements of claim 1 (a system claim) include:
      • Individual computers with associated agents.
      • The agents create statistical models of the computer's usage.
      • The agents gather and analyze information on current usage.
      • The agents determine a pattern of usage consistent with an intrusion or attack.
      • The agents determine a probability of the likelihood of an intrusion or attack based on the usage pattern.
      • The agents distribute warnings and potential countermeasures in real-time when the probability exceeds a threshold.
    • The complaint reserves the right to assert other claims ('Compl. ¶20).

U.S. Patent No. 9,438,614 - Sdi-scam

  • The Invention Explained:
    • Problem Addressed: The patent addresses the need for a system that can rapidly identify and characterize conditions within a computing environment as either normal or suspicious, and then implement optimal countermeasures to neutralize any threats ('614 Patent, Abstract).
    • The Patented Solution: The invention is a distributed multi-agent system that collects, monitors, and models system and network operations. Analytical models are constructed and dynamically updated from various data sources to characterize system states and potential threats. Based on this analysis, the system can recommend or implement remedial actions and countermeasures ('614 Patent, Abstract; col. 2:42-53). The system is designed to be architecturally flexible, capable of being built on top of existing security platforms ('614 Patent, col. 2:54-67).
    • Technical Importance: This technology details the analytical and modeling aspects of a distributed security system, focusing on the dynamic updating of threat models and the generation of responses, which are core concepts in modern Security Orchestration, Automation, and Response (SOAR) platforms.
  • Key Claims at a Glance:
    • The complaint asserts at least independent claim 10 ('Compl. ¶29).
    • Essential elements of claim 10 (a system claim) include:
      • A plurality of distributed agents designed for adaptive learning and probabilistic analysis.
      • The agents passively collect, monitor, aggregate, and pattern-analyze data to identify similar patterns of suspicious activity across different portions of the computer network.
      • The system determines if a probability threshold for suspicious activity has been exceeded by these similar patterns.
      • If the threshold is exceeded, the system alerts other agents, a central server, and/or a human operator.
    • The complaint reserves the right to assert other claims ('Compl. ¶29).

U.S. Patent No. 9,503,470 - Distributed agent based model for security and response

  • Technology Synopsis: The patent discloses a distributed, agent-based security model intended to provide adaptive, autonomous, and automatic responses to cyber threats. It proposes using a Bayesian model to estimate the likelihood of various threat vectors and to reason about appropriate defensive or prophylactic measures, including for novel attacks not previously seen ('470 Patent, col. 4:1-18, 22-35).
  • Asserted Claims: At least independent claim 1 ('Compl. ¶38).
  • Accused Features: The complaint accuses Google's cloud and cybersecurity services, including Chronicle, Siemplify SOAR, Google Web Risk, and Google Cloud Armor ('Compl. ¶18).

U.S. Patent No. 11,171,974 - Distributed agent based model for security monitoring and response

  • Technology Synopsis: As a continuation of the '470 patent, this patent describes a similar architecture for a distributed security system (SDI-SCAM) that protects individual client computers by pooling and analyzing information gathered from machines across a network. The system is designed to detect patterns consistent with an attack and distribute warnings and potential countermeasures, which may include a probability distribution of the likelihood of the intrusion ('974 Patent, Abstract).
  • Asserted Claims: At least independent claim 1 ('Compl. ¶47).
  • Accused Features: The complaint accuses Google's cloud and cybersecurity services, including Chronicle, Siemplify SOAR, Google Web Risk, and Google Cloud Armor ('Compl. ¶18).

III. The Accused Instrumentality

Product Identification

The accused instrumentalities are "Google's cloud service Google Cloud and cybersecurity services Chronicle, Siemplify SOAR, Google Web Risk, and Google Cloud Armor" ('Compl. ¶18).

Functionality and Market Context

The complaint broadly categorizes the accused products as cloud and cybersecurity services but does not provide specific technical details about their architecture or operation ('Compl. ¶18). The named products generally provide services for security analytics, threat detection, and automated incident response within enterprise and cloud environments. The complaint alleges these products are available to businesses and individuals throughout the United States ('Compl. ¶25).

IV. Analysis of Infringement Allegations

The complaint alleges direct infringement of each of the four patents-in-suit by the Accused Products ('Compl. ¶¶ 20, 29, 38, 47). For each patent, the complaint states that an attached exhibit provides a claim chart detailing the infringement of an exemplary independent claim ('Compl. ¶¶ 27, 36, 45, 52). However, these exhibits were not filed with the complaint. Therefore, the complaint itself provides no specific mapping of claim elements to the functionality of the accused products. The infringement analysis is based solely on the general allegation that the Accused Products practice the claimed methods and embody the claimed systems.

No probative visual evidence provided in complaint.

  • Identified Points of Contention:
    • Technical Questions: The patents describe an architecture of agents residing on "nodes" of a network, concepts rooted in a 2002-era client-server or peer-to-peer context ('442 Patent, col. 2:18-23). A central question will be what evidence Plaintiff can present to demonstrate that the components of Google's modern, highly virtualized, multi-tenant cloud services (which may involve microservices, containers, and serverless functions) correspond to the "agents" and "nodes" required by the claims.
    • Scope Questions: The infringement case may turn on whether the term "distributed agent", as used in the patents, can be construed to read on the software architecture of the Accused Products. Does the term require discrete software programs installed on distinct machines as described in the specification, or can it be interpreted more broadly to cover logical components of a distributed cloud service?

V. Key Claim Terms for Construction

For U.S. Patent No. 8,327,442

  • The Term: "agent" (from claim 1)
  • Context and Importance: The claim requires "individual computers having agents associated therewith." The definition of "agent" is fundamental to determining infringement, as Plaintiff must show that Google's cloud services utilize structures that meet this limitation. Practitioners may focus on this term because its interpretation will determine whether the patent's architecture maps onto the accused cloud infrastructure.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent states that an agent is an "entity that can be loaded onto any node(s) of a network" and "can be implemented through software, through hardware, through human interaction, or some combination thereof," suggesting a potentially flexible definition ('442 Patent, col. 2:61-65).
    • Evidence for a Narrower Interpretation: The detailed description explains that in a "preferred embodiment," "every machine linked into the system is loaded with an SDI-SCAM agent" and that agents observe local system activities like packet routing and file transmissions, which may support a narrower construction tied to a specific software component on a discrete machine ('442 Patent, col. 3:1-5).

For U.S. Patent No. 9,438,614

  • The Term: "passively collecting, monitoring, aggregating and pattern analyzing data" (from claim 10)
  • Context and Importance: This limitation describes the core data-handling function of the claimed agents. The method of collection—whether "passive"—will be a key point of dispute, as modern security platforms often use active querying and data ingestion techniques. The viability of the infringement allegation depends on whether the accused systems' operations can be characterized as "passive."
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The '614 patent itself does not provide an explicit definition of "passive," which may allow for an argument that the term should be given its plain and ordinary meaning, potentially encompassing any non-intrusive background data collection.
    • Evidence for a Narrower Interpretation: The parent patents, incorporated by reference, describe agents that "observe[] the packets being routed through its local system" and "observe[] every file transmission," actions that suggest a non-interventional, observational role consistent with a narrower definition of "passive" ('442 Patent, col. 3:1-3).

VI. Other Allegations

  • Indirect Infringement: The complaint's infringement counts exclusively allege direct infringement under 35 U.S.C. § 271(a) ('Compl. ¶¶ 20, 29, 38, 47). A passing reference to "induced acts of infringement" is made in the venue section but is not supported by specific factual allegations ('Compl. ¶11).
  • Willful Infringement: The complaint alleges that Defendant's infringement has been willful for all four patents ('Compl. ¶¶ 21, 30, 39, 47). The basis for this allegation is pre-suit knowledge of the '442, '614, and '470 patents since "at least February 9, 2021" ('Compl. ¶¶ 22, 31, 40). No specific date for pre-suit knowledge is alleged for the '974 patent.

VII. Analyst’s Conclusion: Key Questions for the Case

  • A key evidentiary question will be one of technical mapping: In the absence of the referenced claim-chart exhibits, a central issue is whether Plaintiff can produce sufficient technical evidence to map the architectural elements of the patents, such as "distributed agents" and "nodes", to the complex, virtualized, and service-oriented components of Google's modern cloud platforms.
  • A core issue will be one of definitional scope: The case will likely turn on whether foundational claim terms like "agent", which are described in the context of 2002-era network security, can be construed broadly enough to encompass the microservices, containers, and other logical constructs that constitute a modern cloud computing environment.
  • The allegation of pre-suit knowledge raises a question of willfulness: A significant dispute will likely concern the nature and sufficiency of the notice allegedly provided to Google on February 9, 2021, and whether its conduct following that date rises to the level of objective recklessness required to support a finding of willful infringement.