6:22-cv-01042
CTD Networks LLC v. Google LLC
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: CTD Networks LLC (Delaware)
  - Defendant: Google LLC (Delaware)
  - Plaintiff’s Counsel: Ramey LLP
- Case Identification: [CTD Networks LLC](https://ai-lab.exparte.com/party/ctd-networks-llc) v. [Google LLC](https://ai-lab.exparte.com/party/google-llc), 6:22-cv-01042, W.D. Tex., 04/21/2023
- Venue Allegations: Plaintiff alleges venue is proper because Defendant has a regular and established place of business within the Western District of Texas, specifically an office in Austin.
- Core Dispute: Plaintiff alleges that Defendant’s Chronicle Security Operations suite infringes four patents related to distributed, agent-based network security and threat detection systems.
- Technical Context: The technology concerns systems that use distributed software agents to monitor computer network activity, aggregate data, and use analytical models to identify and respond to cyber threats in a coordinated, real-time manner.
- Key Procedural History: The complaint, a Second Amended Complaint, alleges that Defendant had pre-suit knowledge of at least the lead patent since February 9, 2021, following a communication to its patent counsel that included a presentation on the patent portfolio. U.S. Patent Nos. 11,171,974 and 9,438,614 are subject to terminal disclaimers, which may limit their enforceable term to that of an earlier patent in the family.
Case Timeline
| Date | Event | 
|---|---|
| 2002-10-23 | Priority Date for '614 Patent | 
| 2002-12-24 | Priority Date for '442, '470, and '974 Patents | 
| 2012-12-04 | '442 Patent Issued | 
| 2016-09-06 | '614 Patent Issued | 
| 2016-11-22 | '470 Patent Issued | 
| 2021-02-09 | Alleged Pre-Suit Notice to Defendant | 
| 2021-11-09 | '974 Patent Issued | 
| 2023-04-21 | Second Amended Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 8,327,442 - "System and method for a distributed application and network security system (SDI-SCAM)"
- Patent Identification: U.S. Patent No. 8,327,442, "System and method for a distributed application and network security system (SDI-SCAM)," issued December 4, 2012. (Compl. ¶12)
The Invention Explained
- Problem Addressed: The patent’s background describes the vulnerability of computer networks to unauthorized intrusions, noting that security systems focused on individual machines are ill-equipped to handle coordinated, network-level attacks and are too slow to react to novel threats. (’442 Patent, col. 1:24-43)
- The Patented Solution: The invention proposes a distributed security system where software "agents" on individual computers constantly pool and analyze information from across the entire network. (’442 Patent, Abstract). This collective intelligence allows the system to rapidly detect patterns indicative of a singular or coordinated attack. Upon detection, the system distributes warnings and potential countermeasures to all machines, creating a real-time, adaptive security network. (’442 Patent, col. 4:18-32)
- Technical Importance: The technology represented a shift from static, siloed security to a dynamic, collective "immune system" model for computer networks, aiming to improve response times and effectiveness against widespread attacks. (’442 Patent, col. 8:3-15)
Key Claims at a Glance
- The complaint asserts at least independent claim 1. (Compl. ¶20)
- The essential elements of independent claim 1 include:
  - A distributed security system protecting individual computers in a network.
  - The system comprises individual computers with associated agents that control them.
  - Each agent performs steps including: creating statistical models of usage; gathering and analyzing information on current usage; determining a pattern of usage consistent with an intrusion or attack; determining a probability of the likelihood of an intrusion or attack; distributing warnings and countermeasures in real-time when a probability threshold is exceeded; and updating the statistical models.
- The complaint does not explicitly reserve the right to assert dependent claims.
U.S. Patent No. 9,438,614 - "Sdi-scam"
- Patent Identification: U.S. Patent No. 9,438,614, "Sdi-scam," issued September 6, 2016. (Compl. ¶13)
The Invention Explained
- Problem Addressed: The patent addresses the "strongly asymmetric" nature of cyber warfare, where attackers with limited resources can inflict significant damage on large entities, and where conventional defensive responses are often too slow to be effective. (’470 Patent, col. 1:50-67, which shares a specification with the '614 patent)
- The Patented Solution: The invention is a distributed multi-agent system designed for real-time collection, monitoring, and analysis of network operations. (’614 Patent, Abstract). It employs analytical models to construct and update an understanding of normal and abnormal network states, identify threats, and recommend or implement countermeasures automatically, aiming for a system that is adaptive and autonomous. (’470 Patent, col. 2:1-5, col. 4:21-38)
- Technical Importance: This approach sought to create an "immune system for software" capable of countering even novel threats in milliseconds, thereby shifting the strategic advantage from the attacker back to the defender. (’470 Patent, col. 2:10-18)
Key Claims at a Glance
- The complaint asserts at least independent claim 10. (Compl. ¶29)
- The essential elements of independent claim 10 include:
  - A system for detecting the state of a computer network with multiple nodes.
  - The system comprises a plurality of distributed agents designed for adaptive learning and probabilistic analysis.
  - The agents passively collect, monitor, aggregate, and pattern analyze data to identify similar patterns of suspicious activity indicative of an attack.
  - The system determines if a probability threshold for suspicious activity has been exceeded.
  - If the threshold is exceeded, the system alerts other agents, a central server, and/or a human operator.
- The complaint does not explicitly reserve the right to assert dependent claims.
U.S. Patent No. 9,503,470 - "Distributed agent based model for security and response"
- Patent Identification: U.S. Patent No. 9,503,470, "Distributed agent based model for security and response," issued November 22, 2016. (Compl. ¶14)
- Technology Synopsis: This patent describes a distributed agent-based model for security that protects computers by pooling and analyzing information from across a network. (’470 Patent, Abstract). The system is designed to detect patterns consistent with intrusions, distribute warnings, and share methods for repairing damage, thereby allowing every machine on the network to benefit from the security experience gained at any other point. (’470 Patent, col. 5:30-55)
- Asserted Claims: At least independent claim 1. (Compl. ¶38)
- Accused Features: Google's Chronicle Security Operations suite. (Compl. ¶¶18, 38)
U.S. Patent No. 11,171,974 - "Distributed agent based model for security monitoring and response"
- Patent Identification: U.S. Patent No. 11,171,974, "Distributed agent based model for security monitoring and response," issued November 9, 2021. (Compl. ¶15)
- Technology Synopsis: This patent discloses a system using a plurality of distributed agents with sensors to analyze network traffic data. (’974 Patent, col. 27:5-15). The core of the invention is a "distributed adaptive machine learning model" that analyzes aggregated data to predict threats and generate counteroffensive measures based on "relevance feedback," which includes learning from the success or failure of responses to previous attacks. (’974 Patent, col. 27:16-34)
- Asserted Claims: At least independent claim 1. (Compl. ¶47)
- Accused Features: Google's Chronicle Security Operations suite. (Compl. ¶¶18, 47)
III. The Accused Instrumentality
- Product Identification: The accused instrumentality is Google's Chronicle Security Operations. (Compl. ¶18)
- Functionality and Market Context: The complaint identifies the accused product as a unified suite comprising "Chronical SIEM, Chronical SOAR and Threat Intelligence." (Compl. ¶18). It is described as a "modern, cloud-native suite that enables security teams to detect, investigate, and respond to cyber threats." (Compl. ¶18). The complaint provides a screenshot from Google's marketing webpage for the accused product, which describes it as a cloud-native suite for detecting, investigating, and responding to cyber threats. (Compl. p. 6). Plaintiff alleges this suite is available to businesses and individuals throughout the United States. (Compl. ¶25)
IV. Analysis of Infringement Allegations
The complaint references claim chart exhibits (Exhibits E, F, G, and H) that purport to detail the infringement of the patents-in-suit; however, these exhibits were not attached to the filed complaint document. (Compl. ¶¶27, 36, 45, 52). The analysis is therefore based on the narrative allegations.
Plaintiff’s infringement theory alleges that Google’s Chronicle Security Operations performs the methods and embodies the systems claimed in the patents-in-suit. The core allegation is that the Chronicle suite, by collecting security telemetry from various network endpoints (acting as "distributed agents"), aggregating and analyzing that data in the cloud using SIEM and threat intelligence functions (performing "pattern analysis" and creating "statistical models"), and enabling automated or operator-driven responses via its SOAR capabilities, directly infringes the asserted claims. (Compl. ¶¶18, 20, 29, 38, 47).
- Identified Points of Contention:
  - Scope Questions: A central dispute may arise over whether the architecture of a modern, cloud-native security platform like Google Chronicle aligns with the "distributed agent" systems described in the patents. For instance, a question for the court is whether a cloud-based analytics engine receiving data from endpoints can be considered an "agent" that "controls" an "individual computer" as required by claim 1 of the ’442 Patent.
  - Technical Questions: The infringement analysis will likely focus on whether the specific analytical techniques used by Chronicle's SIEM and Threat Intelligence components perform the functions required by the claims. A key question is what evidence the complaint provides that Chronicle's system performs the specific step of determining a "probability of the likelihood of an intrusion" (’442 Patent) or meets the definition of "adaptive learning and probabilistic analysis" (’614 Patent).
V. Key Claim Terms for Construction
For the ’442 Patent:
- The Term: "agents associated therewith that control the associated individual computer" (from claim 1)
- Context and Importance: This term is critical because the infringement case depends on mapping Google's Chronicle architecture to this claimed structure. Practitioners may focus on this term because its construction will determine whether a modern, cloud-centric security model, where analysis occurs off-device, falls within the scope of a claim that may be interpreted as requiring on-device agency and control.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The specification suggests flexibility, stating an agent "can be implemented through software, through hardware, through human interaction, or some combination thereof." (’442 Patent, col. 4:60-64).
  - Evidence for a Narrower Interpretation: The patent’s detailed description states that "each node of a computer network is loaded with an agent," and the accompanying figure depicts "SDI-SCAM" software residing directly on "Client X" and "Client Y," which could support a narrower, on-device interpretation. (’442 Patent, col. 4:19-21, FIG. 1).
For the ’614 Patent:
- The Term: "plurality of distributed agents designed for adaptive learning and probabilistic analysis" (from claim 10)
- Context and Importance: This term defines the core character of the claimed system. The dispute will likely hinge on whether the functionality of the Chronicle suite meets this technical definition. Practitioners may focus on this term because the definitions of "adaptive learning" and "probabilistic analysis" will be central to determining if a technical mismatch exists between the accused product's operation and the claim requirements.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The shared specification describes a system that models threats and behaviors using a wide variety of analytical tools and dynamically updates its models, suggesting "adaptive learning" is a broad concept. (’470 Patent, col. 9:34-50).
  - Evidence for a Narrower Interpretation: The specification gives examples of analysis, such as comparing attack patterns against a "shared database that contains the signature patterns of previously observed" attacks, which a defendant might argue points to a narrower, more specific type of analysis than the general-purpose machine learning that may be used in a modern system. (’470 Patent, col. 10:52-56).
VI. Other Allegations
- Willful Infringement: The complaint alleges willful infringement for all four patents-in-suit. (Compl. ¶¶21, 30, 39). The primary basis is alleged pre-suit knowledge stemming from a communication on February 9, 2021, where Plaintiff allegedly sent an email and presentation regarding the '442 Patent to Google's patent counsel. (Compl. ¶22). The complaint alleges this communication, which discussed "risks and costs that may result if Google did not acquire the patents-in-suit," was sufficient to put Google on notice of infringement for the entire asserted portfolio, not just the '442 Patent. (Compl. ¶¶31, 40).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of architectural equivalence: Can the patents' descriptions of "distributed agents" residing on and controlling individual computers, which reflect an early-2000s client-server paradigm, be construed to cover the architecture of a modern, cloud-native security suite where data is aggregated from endpoints and analyzed centrally? 
- A key evidentiary question will be one of functional operation: Do the specific data analysis methods employed by Google's Chronicle SIEM and Threat Intelligence components perform the particular functions required by the claims, such as creating "statistical models of usage" or conducting "probabilistic analysis," or is there a fundamental mismatch in the technical operations? 
- A significant legal question for willfulness will be the scope of notice: Did the alleged pre-suit communication regarding the '442 Patent and a potential portfolio acquisition provide Google with legally sufficient notice of infringement for all four asserted patents, thereby supporting a finding of willful infringement across the entire case?