DCT

6:22-cv-01049

CTD Networks LLC v. Microsoft Corp

Key Events
Amended Complaint

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 6:22-cv-01049, W.D. Tex., 04/21/2023
  • Venue Allegations: Plaintiff alleges venue is proper because Microsoft has regular and established places of business in the district, including an office in Austin, and has committed acts of infringement in the district.
  • Core Dispute: Plaintiff alleges that Defendant’s integrated security software suite infringes four patents related to distributed, agent-based network security monitoring and response systems.
  • Technical Context: The technology concerns advanced cybersecurity systems that use distributed software agents to collectively monitor network activity, identify threats through aggregated data analysis, and coordinate defensive responses.
  • Key Procedural History: The complaint does not mention any prior litigation, licensing history, or administrative proceedings (e.g., IPRs) concerning the patents-in-suit. The patents-in-suit form a family with a long prosecution history, including multiple continuation and continuation-in-part applications.

Case Timeline

| Date | Event |
| --- | --- |
| 2002-10-23 | Earliest Priority Date ('614 Patent) |
| 2002-12-24 | Earliest Priority Date ('442, '470, '974 Patents) |
| 2012-12-04 | '442 Patent Issued |
| 2016-09-06 | '614 Patent Issued |
| 2016-11-22 | '470 Patent Issued |
| 2021-11-09 | '974 Patent Issued |
| 2023-04-21 | Complaint Filed |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,327,442 - “System and method for a distributed application and network security system (SDI-SCAM),” issued December 4, 2012

The Invention Explained

  • Problem Addressed: The patent describes a landscape where computer networks are vulnerable to coordinated attacks that are difficult to detect with traditional, machine-specific security systems (Compl. Ex. A, '442 Patent, col. 4:21-41). These isolated systems may fail to recognize that localized disturbances are part of a larger, network-level attack, delaying an effective response (Compl. Ex. A, '442 Patent, col. 4:30-41).
  • The Patented Solution: The invention proposes a distributed security system (SDI-SCAM) where software "agents" are installed on individual computers ("nodes") across a network (Compl. Ex. A, '442 Patent, col. 4:16-24). These agents collect data on local activity, communicate with each other, and pool information at a central server or in a peer-to-peer fashion (Compl. Ex. A, '442 Patent, col. 4:56-61). By analyzing this aggregated data, the system can detect patterns consistent with a widespread attack and distribute warnings or countermeasures to all nodes, creating a collective, real-time "immune system" for the network (Compl. Ex. A, '442 Patent, col. 2:1-4, col. 5:1-12).
  • Technical Importance: This approach aimed to move beyond reactive, single-machine virus scanning to a proactive, network-wide behavioral analysis capable of identifying novel and coordinated threats more quickly than was possible with conventional methods (Compl. Ex. A, '442 Patent, col. 4:42-55).

Key Claims at a Glance

  • Independent claim 1 is asserted (Compl. ¶20).
  • Essential elements of claim 1 include:
    • A distributed security system that protects individual computers in a network.
    • Agents associated with each computer that create statistical models of usage.
    • The agents gather and analyze information relating to current usage.
    • The system determines a "pattern of usage" consistent with an intrusion or attack.
    • The system determines a "probability of the likelihood" of an attack based on that pattern.
    • It distributes warnings and countermeasures when this probability exceeds a threshold.
    • It updates the statistical models based on current usage and attack likelihood.
    • It schedules anti-viral software updates based on the probability of an intrusion.

U.S. Patent No. 9,438,614 - “Sdi-scam,” issued September 6, 2016

The Invention Explained

  • Problem Addressed: The patent addresses the need for a flexible and comprehensive security architecture that can not only detect threats but also classify them, predict their behavior, and deploy customized defensive schemes (Compl. Ex. B, '614 Patent, col. 5:1-10). The system must be able to respond to threats in an autonomous or semi-autonomous fashion.
  • The Patented Solution: The '614 Patent details a distributed multi-agent system that employs analytical models to identify and characterize system conditions as either "normal" or "abnormal or potentially suspicious" (Compl. Ex. B, '614 Patent, Abstract). The system uses a "Bayesian Belief Network" for detection and classification, and can model behavior based on "sequentially occurring behavior patterns" to predict a virus or worm's actions (Compl. Ex. B, '614 Patent, col. 6:45-53). This allows the system to recommend or implement "optimal remedial repair and recovery strategies" and countermeasures (Compl. Ex. B, '614 Patent, Abstract).
  • Technical Importance: The invention provides a formal framework for not just detecting but also classifying and strategically responding to threats using probabilistic models, moving security from a simple alert-based system to a more intelligent and adaptive defense platform (Compl. Ex. B, '614 Patent, col. 6:4-9).

Key Claims at a Glance

  • Independent claim 10 is asserted (Compl. ¶29).
  • Essential elements of claim 10 include:
    • A system that detects the state of a computer network with a plurality of distributed agents.
    • The agents are designed for "adaptive learning and probabilistic analysis."
    • The agents passively collect, monitor, aggregate, and pattern analyze data to identify similar patterns of suspicious activities.
    • The system determines if a probability threshold for suspicious activity has been exceeded.
    • If the threshold is exceeded, the system alerts other agents, a central server, and/or a human operator.

U.S. Patent No. 9,503,470 - “Distributed agent based model for security and response,” issued November 22, 2016

  • Technology Synopsis: This patent describes a security model that uses distributed agents to perform behavioral and code analysis on a network. The system uses these agents to identify suspicious activities, generate counter-offensive measures (including "honey pot" traps), and provide a security and validity score for software based on its security, user experience, and programmer reputation (Compl. Ex. C, '470 Patent, Abstract; col. 12:50-51, col. 19:20-22).
  • Asserted Claims: Independent claim 1 is asserted (Compl. ¶36).
  • Accused Features: Microsoft's integrated security suite is accused of infringing by providing a distributed system that detects threats, generates countermeasures, and analyzes network behavior (Compl. ¶41).

U.S. Patent No. 11,171,974 - “Distributed agent based model for security monitoring and response,” issued November 9, 2021

  • Technology Synopsis: This patent discloses a system using distributed agents and an adaptive machine learning model to protect a computer network. The agents collect and aggregate data, which the model analyzes to develop "activity models" for normal and abnormal states (Compl. Ex. D, '974 Patent, col. 27:14-23). The system predicts threats based on pattern analysis and relevance feedback, and generates counteroffensive measures in response (Compl. Ex. D, '974 Patent, col. 27:29-37).
  • Asserted Claims: Independent claim 1 is asserted (Compl. ¶43).
  • Accused Features: Microsoft's SIEM and XDR solution is accused of infringing by using a plurality of agents to collect and analyze data, model network activity, predict threats, and generate countermeasures (Compl. ¶48).

III. The Accused Instrumentality

Product Identification

The accused products are Microsoft's integrated SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) solution suite, which comprises Microsoft Sentinel, Microsoft 365 Defender, and Microsoft Defender for Cloud (Compl. ¶18).

Functionality and Market Context

  • The complaint alleges that these products are combined into an "integrated suite that provides an integrated approach" to cybersecurity (Compl. ¶18). This suite is designed to give security operations teams visibility across an entire organization, including identities, endpoints, applications, cloud infrastructure, and networks (Compl. p. 7). A marketing diagram included in the complaint shows that Microsoft 365 Defender and Microsoft Defender for Cloud collect data from various sources (e.g., email, endpoints, servers, IoT devices) and provide XDR capabilities, while Microsoft Sentinel acts as a SIEM, providing visibility across the organization (Compl. p. 7).
  • The complaint alleges this integrated solution is aimed at providing security professionals with tools to prevent breaches across an entire organization, including on-premises, multicloud, and hybrid environments (Compl. p. 7).

IV. Analysis of Infringement Allegations

The complaint references claim chart exhibits (Exhibits E, F, G, H) that are not provided in the filed document. The infringement theory is therefore summarized in prose based on the complaint's narrative.

For each of the four asserted patents, the complaint alleges that Microsoft's integrated SIEM and XDR solution suite infringes by performing the claimed methods (Compl. ¶¶ 20, 29, 36, 43). The core of the infringement theory is that the individual Microsoft products (Sentinel, 365 Defender, Defender for Cloud) and their underlying components function as the claimed "agents" distributed across a customer's network. These agents allegedly collect and aggregate security data (e.g., from endpoints, servers, cloud apps) and transmit it for central analysis. The Microsoft Sentinel platform is alleged to perform the claimed analysis of this aggregated data, using "adaptive machine learning," "probabilistic analysis," or "statistical models" to identify patterns of suspicious activity that indicate a security threat, as required by the asserted claims. The system then allegedly generates alerts and countermeasures, fulfilling the final steps of the claims.

Identified Points of Contention:

  • Scope Questions: The infringement case may turn on whether the components of Microsoft's security suite (e.g., software clients on endpoints, virtual machine monitors) meet the definition of an "agent" as described and claimed in the patents. A central question will be whether the patented "agents," which are described as forming a cooperative, distributed system (SDI-SCAM), can be read to cover the distinct but integrated product offerings of Microsoft.
  • Technical Questions: A key question for the court will be whether Microsoft's system performs the specific type of analysis recited in the claims. For example, does the "AI" or "machine learning" functionality in Microsoft Sentinel perform the "probabilistic analysis" of the '614 Patent or create the "statistical models of usage" required by the '442 Patent? The complaint alleges this functionality exists but does not provide technical evidence detailing how Microsoft's proprietary algorithms operate, which will likely be a focus of discovery.

V. Key Claim Terms for Construction

Term 1: "agent" ('442 Patent)

  • Context and Importance: This term is the fundamental building block of the claimed invention. The definition of "agent" will determine whether the various software components of Microsoft's multi-part security suite can be mapped onto the claim. Practitioners may focus on this term because its scope is critical to proving infringement of the distributed system.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification states that an "agent is an entity that can be loaded onto any node(s) of a network" and "can be implemented through software, through hardware, through human interaction, or some combination thereof" (Compl. Ex. A, '442 Patent, col. 4:60-65). This broad language may support an argument that various software components, even if part of different products, can collectively be considered "agents."
    • Evidence for a Narrower Interpretation: The patent consistently refers to the system as "SDI-SCAM" and describes how "SDI-SCAM agents" communicate with each other, suggesting a more specific, unified software architecture rather than a collection of disparate commercial products (Compl. Ex. A, '442 Patent, col. 4:16-24, Fig. 1). The detailed descriptions often refer to an "SDI-SCAM agent" being loaded onto a machine, which might support a narrower construction limited to a single, identifiable software program.

Term 2: "adaptive learning" ('614 Patent)

  • Context and Importance: This term appears in asserted claim 10 and describes the analytical capability of the claimed agents. The dispute will likely center on whether the functionality of Microsoft's accused products constitutes "adaptive learning" as contemplated by the patent, or if it is merely a generic marketing term for standard data analysis.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent does not appear to provide an explicit definition of the term, which may support an argument that it should be given its plain and ordinary meaning in the context of computer science, potentially encompassing a wide range of machine learning techniques.
    • Evidence for a Narrower Interpretation: The specification describes the system in the context of specific analytical models, such as a "Bayesian Belief Network" and techniques for modeling "sequentially occurring behavior patterns" (Compl. Ex. B, '614 Patent, col. 6:45-53). A defendant may argue that "adaptive learning" is not a generic term but is implicitly defined by these specific examples, thus narrowing the claim scope to systems that employ such specific probabilistic or sequential modeling.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges both induced and contributory infringement. Inducement is based on allegations that Microsoft "actively encouraged or instructed" its customers on how to use the accused products in an infringing manner (Compl. ¶24). Contributory infringement is based on the allegation that there are "no substantial noninfringing uses" for the accused products (Compl. ¶25).
  • Willful Infringement: The complaint alleges Microsoft has known of the patents and its infringement "from at least the filing date of the lawsuit" (Compl. ¶¶ 24-25). This forms a basis for post-suit willfulness. The plaintiff explicitly reserves the right to amend the complaint to allege pre-suit knowledge if it is discovered (Compl. ¶¶ 24-25, fns. 3-4).

VII. Analyst’s Conclusion: Key Questions for the Case

  1. A central issue will be one of definitional scope: Can the term "agent," as used in the patents to describe components of a unitary "SDI-SCAM" system, be construed broadly enough to read on the collection of distinct commercial products that constitute Microsoft’s integrated SIEM and XDR suite?
  2. A key evidentiary question will be one of technical operation: What evidence will discovery yield to show that the artificial intelligence and analytics in Microsoft's platform perform the specific functions recited in the claims, such as creating "statistical models of usage" ('442 Patent) or employing "probabilistic analysis" and "adaptive learning" ('614 Patent) in the manner envisioned by the patents?
  3. A third question pertains to damages and remedy: Given the early priority dates of the patents (dating to 2002) and the modern, cloud-based nature of the accused products, the case raises the question of how the patented technology, conceived in an earlier era of network security, maps onto the value proposition and architecture of current integrated security platforms for the purpose of calculating a reasonable royalty.