DCT
6:22-cv-01094
Taasera Licensing LLC v. CrowdStrike Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Taasera Licensing LLC (Texas)
  - Defendant: CrowdStrike, Inc. and CrowdStrike Holdings, Inc. (Delaware)
  - Plaintiff’s Counsel: The Mort Law Firm, PLLC; Fabricant LLP
- Case Identification: 6:22-cv-01094, W.D. Tex., 10/21/2022
- Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Defendants have headquarters and a principal place of business in the district, employ hundreds of individuals there, and conduct regular and systematic business, including making, using, and selling the accused products.
- Core Dispute: Plaintiff alleges that Defendant’s endpoint detection and response products infringe eight patents related to network and computer security, including methods for controlling processes, attesting to application security, and detecting runtime risks.
- Technical Context: The technology relates to endpoint security, a critical area of cybersecurity focused on protecting computer systems from malicious software and unauthorized access at the device level.
- Key Procedural History: The complaint notes that four of the asserted patents were developed by TaaSera, Inc., and four were invented by International Business Machines (“IBM”). No other significant procedural history, such as prior litigation or administrative challenges involving these parties and patents, is mentioned.
Case Timeline
| Date | Event | 
|---|---|
| 2002-01-04 | Priority Date for U.S. Patent No. 7,673,137 | 
| 2005-12-21 | Priority Date for U.S. Patent Nos. 8,955,038, 9,608,997, 9,923,918 | 
| 2010-03-02 | U.S. Patent No. 7,673,137 Issued | 
| 2011-02-17 | Priority Date for U.S. Patent No. 8,327,441 | 
| 2012-05-01 | Priority Date for U.S. Patent Nos. 8,850,517, 8,990,948, 9,092,616 | 
| 2012-12-04 | U.S. Patent No. 8,327,441 Issued | 
| 2014-09-30 | U.S. Patent No. 8,850,517 Issued | 
| 2015-02-10 | U.S. Patent No. 8,955,038 Issued | 
| 2015-03-24 | U.S. Patent No. 8,990,948 Issued | 
| 2015-07-28 | U.S. Patent No. 9,092,616 Issued | 
| 2017-03-28 | U.S. Patent No. 9,608,997 Issued | 
| 2018-03-20 | U.S. Patent No. 9,923,918 Issued | 
| 2022-10-21 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,673,137: “System and Method for the Managed Security Control of Processes on a Computer System” (Issued Mar. 2, 2010)
The Invention Explained
- Problem Addressed: The patent’s background section describes the limitations of conventional security approaches. It notes that "virtual execution" techniques for pre-screening code are often inaccurate, leading to many false positives, while "real-time" monitoring solutions based on data packets may fail to detect malicious activity until after harm has already occurred (’137 Patent, col. 2:9-68).
- The Patented Solution: The invention proposes a two-phased, kernel-level approach to security. In the first phase, a "pre-execution process" interrupts a new program as it is loading to perform a rapid validation check against a list of approved programs (’137 Patent, col. 3:25-34, Fig. 4A-4B). If the program is validated, it can run with minimal monitoring. If not, the system enters a second phase where execution security modules monitor the program’s activities at the operating system kernel level, allowing for the detection of suspicious actions before they can cause damage (’137 Patent, col. 4:10-18, Fig. 6).
- Technical Importance: This approach sought to balance security with performance by applying intensive monitoring only to unvalidated or untrusted programs, thereby reducing security interruptions for known, safe applications (’137 Patent, col. 3:25-30).
Key Claims at a Glance
- The complaint asserts independent claim 6 (’137 Patent, Compl. ¶38).
- Claim 6 is a method claim comprising the essential elements of:
  - interrupting the loading of a new program for operation with the computing device;
  - validating the new program;
  - if the new program is validated, permitting the new program to continue loading and to execute;
  - if the new program is not validated, monitoring the new program while it loads and executes;
  - wherein the step of monitoring the new program while it executes is performed at the operating system kernel of the computing device.
- The complaint reserves the right to assert other claims, including dependent claims (Compl. ¶38).
U.S. Patent No. 8,327,441: “System and Method for Application Attestation” (Issued Dec. 4, 2012)
The Invention Explained
- Problem Addressed: The patent’s background addresses the trend toward cloud computing, where enterprise software is no longer owned by the customer but is provided as a service by a third party. This shift creates a need for methods to attest to the security and integrity of applications at runtime (’441 Patent, col. 1:19-28).
- The Patented Solution: The invention provides a method where a remote "attestation server" receives information from a computing platform where an application is running. This information includes a "runtime execution context" (e.g., executable file binaries, loaded components) and a "security context" (e.g., an analysis of those components) (’441 Patent, col. 14:26-29, Fig. 8). The server then generates and sends a report, or "attestation result," that indicates the security risks associated with the application based on the received data (’441 Patent, col. 14:26-29).
- Technical Importance: This technology provides a mechanism for third parties to verify the security posture of an application executing in a remote environment, such as a cloud data center, which is a foundational concept for "Zero Trust" security models (’441 Patent, col. 1:44-51).
Key Claims at a Glance
- The complaint asserts independent claim 1 (’441 Patent, Compl. ¶51).
- Claim 1 is a method claim comprising the essential elements of:
  - receiving, by an attestation server remote from a computing platform:
    - a runtime execution context indicating attributes of an application at runtime, including executable file binaries and loaded components; and
    - a security context providing security information about the application, including an execution analysis of the binaries and components;
  - generating, by the attestation server, a report indicating security risks based on the received contexts, as an attestation result; and
  - sending, by the attestation server, the attestation result associated with the application.
- The complaint reserves the right to assert other claims, including dependent claims (Compl. ¶51).
Multi-Patent Capsule: U.S. Patent No. 8,850,517
“Runtime Risk Detection Based on User, Application, and System Action Sequence Correlation,” Issued Sep. 30, 2014.
- Technology Synopsis: The technology addresses the need to detect advanced persistent threats that may remain undetected by traditional security programs. The solution involves monitoring a sequence of actions—including user, application, and system actions—and identifying a "runtime risk" and a "behavior score" based on the correlation of these actions in a sequence (Compl. ¶27; ’517 Patent, Abstract).
- Asserted Claims: At least independent claim 13 (Compl. ¶145).
- Accused Features: The complaint alleges that CrowdStrike’s Indicators of Attack (IOA) and CrowdScore features, which assess runtime risk based on action sequences, infringe the ’517 Patent (Compl. ¶¶ 145-149).
Multi-Patent Capsule: U.S. Patent No. 8,955,038
“Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities,” Issued Feb. 10, 2015.
- Technology Synopsis: The invention describes a system for controlling endpoint operations by using software agents to monitor operating conditions and report status information to a remote computing system. This remote system determines the endpoint's compliance state based on a set of policies and can initiate an action on the endpoint, such as deploying a patch (Compl. ¶¶ 28, 64; ’038 Patent, Abstract).
- Asserted Claims: At least independent claim 1 (Compl. ¶64).
- Accused Features: The complaint accuses CrowdStrike’s Falcon Insight EDR with Falcon Spotlight, which allows for remote policy configuration, monitoring of endpoint operating conditions, and initiation of actions like patching based on compliance state (Compl. ¶¶ 65-70).
Multi-Patent Capsule: U.S. Patent No. 8,990,948
“Systems and Methods for Orchestrating Runtime Operational Integrity,” Issued Mar. 24, 2015.
- Technology Synopsis: The technology provides for real-time operational integrity monitoring of an application by using sensory inputs to monitor network dialogs, system operations, and resource utilization. The system generates behavior-based events, correlates them to classify threats, and displays real-time status indications on administrative dashboards (Compl. ¶¶ 29, 80; ’948 Patent, Abstract).
- Asserted Claims: At least independent claim 1 (Compl. ¶80).
- Accused Features: The complaint alleges that CrowdStrike’s Falcon Insight EDR, which provides Extended Detection and Response features for monitoring endpoint activity, generating behavior-based events, and displaying status dashboards, infringes the ’948 Patent (Compl. ¶¶ 81-85).
Multi-Patent Capsule: U.S. Patent No. 9,092,616
“Systems and Methods for Threat Identification and Remediation,” Issued Jul. 28, 2015.
- Technology Synopsis: This invention describes a system for providing runtime operational integrity using an endpoint trust agent, a network trust agent, and a trust orchestration server. The system sends dynamic context from a monitored device to the server, which analyzes endpoint events, correlates them with third-party assessments, and generates an integrity profile for the system (Compl. ¶¶ 30, 95; ’616 Patent, Abstract).
- Asserted Claims: At least independent claim 1 (Compl. ¶95).
- Accused Features: The complaint alleges that CrowdStrike’s platform, which uses endpoint agents (an "endpoint trust agent") and cloud components (a "trust orchestration server") to analyze endpoint events and generate integrity profiles, infringes the ’616 Patent (Compl. ¶¶ 96-103).
Multi-Patent Capsule: U.S. Patent No. 9,608,997
“Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities,” Issued Mar. 28, 2017.
- Technology Synopsis: The patent describes a system for controlling an endpoint from a remote computing system. The remote system provides a user interface for configuring policies stored in a data store, receives status information from software services on the endpoint, determines a compliance state, and remotely initiates an action on the endpoint to ensure compliance (Compl. ¶¶ 31, 113; ’997 Patent, Abstract).
- Asserted Claims: At least independent claim 21 (Compl. ¶113).
- Accused Features: The complaint alleges that CrowdStrike Falcon Insight EDR with Falcon Spotlight infringes by providing a remote user interface for policy configuration, using endpoint sensors to gather status information, determining a compliance state, and initiating remote actions like patching (Compl. ¶¶ 114-119).
Multi-Patent Capsule: U.S. Patent No. 9,923,918
“Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities,” Issued Mar. 20, 2018.
- Technology Synopsis: The invention relates to a system that controls endpoint operation by determining a compliance state based on both status information from the endpoint and user information. Based on this compliance state, the remote computing system determines whether to authorize the endpoint's access to a network resource (Compl. ¶¶ 32, 129; ’918 Patent, Abstract).
- Asserted Claims: At least independent claim 1 (Compl. ¶129).
- Accused Features: The complaint accuses CrowdStrike’s Falcon platform and its Zero Trust Assessment feature, which determines endpoint compliance based on device health and authorizes access to network resources in response to that state, of infringement (Compl. ¶¶ 130-135).
III. The Accused Instrumentality
- Product Identification: The complaint identifies the accused products as at least "CrowdStrike Falcon Insight EDR (with Falcon Agent)" and "CrowdStrike Falcon Insight EDR (with Falcon Agent) and with Falcon Agent and Falcon Spotlight" (Compl. ¶33). These are collectively referred to as the "Accused Products" (Compl. ¶11).
- Functionality and Market Context: The complaint alleges that the Accused Products are endpoint security software and services (Compl. ¶11). The "Falcon Agent" or "Falcon sensor" is installed on endpoint computers to monitor activity such as file I/O operations and privilege escalation (Compl. ¶¶ 45, 67). This information is sent to a remote, cloud-based platform that analyzes the data, identifies threats, and provides an administrative console for users to configure policies and respond to alerts (Compl. ¶¶ 66, 68). The complaint includes a screenshot from CrowdStrike's user interface showing a process tree that visualizes attacker behavior, indicating the product analyzes sequences of runtime events to identify threats (Compl. p. 14).
IV. Analysis of Infringement Allegations
U.S. Patent No. 7,673,137 Infringement Allegations
| Claim Element (from Independent Claim 6) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| interrupting the loading of a new program for operation with the computing device; | The accused product performs "custom application blocking" to prevent certain applications from running. | ¶39 | col. 8:46-51 | 
| validating the new program; | The accused product validates programs by checking their hashes against user-provided blacklists or whitelists. | ¶39 | col. 8:52-60 | 
| if the new program is validated, permitting the new program to continue loading and to execute in connection with the computing device; | The accused product permits a new program to run if it is not blocked by the "Custom Application Blocking feature." | ¶40 | col. 8:61-64 | 
| if the new program is not validated, monitoring the new program while it loads and executes in connection with the computing device, | If a program is not blocked (i.e., not validated as malicious), it is monitored by the "CrowdStrike Kernel Exploit Prevention" feature for suspicious behavior. | ¶41 | col. 9:1-5 | 
| wherein the step of monitoring the new program while it executes is performed at the operating system kernel of the computing device. | The accused product's monitoring is performed by "CrowdStrike Kernel Exploit Prevention," which allegedly operates at the kernel level to block suspicious kernel drivers from loading. The complaint includes a screenshot of the user interface for "Enabling Kernel Exploit Prevention" (Compl. p. 11). | ¶38, ¶41 | col. 9:6-9 | 
- Identified Points of Contention:
  - Scope Questions: Claim 6 recites a binary validation step ("if the new program is validated... if the new program is not validated"). The complaint alleges that programs not blocked by a blacklist are then monitored. A question may arise as to whether "not blocked" is equivalent to being "not validated" as contemplated by the patent, or if it constitutes a form of implicit validation.
  - Technical Questions: What evidence does the complaint provide that the "Custom Application Blocking" feature performs the specific step of "validating the new program" beyond simple hash matching? Does the patent’s description of validation imply a more substantive process than checking against a pre-defined list?
U.S. Patent No. 8,327,441 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| receiving, by the attestation server remote from the computing platform: a runtime execution context indicating attributes of the application at runtime, wherein the attributes comprise one or more executable file binaries of the application and loaded components of the application; | The accused product's server component receives process attributes, context information, and process behavior information from the Falcon Agent on the endpoint. A screenshot in the complaint shows the product analyzing a process tree, including loaded DLLs (Compl. p. 14). | ¶53 | col. 14:26-34 | 
| and a security context providing security information about the application, wherein the security information comprises an execution analysis of the one or more executable file binaries and the loaded components; | The received information allegedly includes an analysis of the application's components to identify attacker behavior, such as detecting a "reflectively loaded a DLL associated with the materpreter [sic] exploit kit" (Compl. p. 14). | ¶53 | col. 14:35-39 | 
| generating, by the attestation server, a report indicating security risks associated with the application based on the received runtime execution context and the received security context, as an attestation result; | The accused product allegedly "generates alerts and reports prioritized detected threats" based on the received information. The complaint provides a screenshot of a "Detections" report that lists threats by severity, tactic, and technique (Compl. p. 15). | ¶54 | col. 14:40-44 | 
| and sending, by the attestation server, the attestation result associated with the application. | The generation and display of alerts and reports in the remote administrative console implies that the attestation result is sent from the server for user review, though the act of "sending" is not explicitly detailed as a separate step in the complaint's narrative. | ¶51, ¶54 | col. 14:45-47 | 
- Identified Points of Contention:
  - Scope Questions: Does the accused product’s collection of "process attributes, context information, and processes behavior information" constitute the distinct "runtime execution context" and "security context" required by the claim, or are these concepts merged in the accused system in a way that falls outside the claim scope?
  - Technical Questions: What evidence demonstrates that the remote CrowdStrike platform functions as the claimed "attestation server"? The complaint alleges the functionality matches, but the defense may argue that the term "attestation" carries a specific technical meaning (e.g., cryptographic verification of integrity) that is not met by the accused product's threat detection and reporting.
V. Key Claim Terms for Construction
For the ’137 Patent
- The Term: "validating the new program"
- Context and Importance: The claim requires a distinct validation step that determines whether subsequent monitoring is necessary. The definition of "validating" is critical, as it forms the branch point of the claimed method. Practitioners may focus on whether this requires more than just checking a hash against a blacklist, which the complaint alleges is the infringing functionality (Compl. ¶39).
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The patent does not explicitly limit the term "validating" to a single technique. The specification discusses using a "checksum" as one example of validation, which could support an argument that simple hash matching falls within the term's ordinary meaning (’137 Patent, col. 9:11-16).
  - Evidence for a Narrower Interpretation: The detailed description of the validation module refers to comparing a program to a "predetermined list of approved programs" and ensuring it has not been "corrupted" or "tampered with" (’137 Patent, col. 8:52-58, col. 3:52-54). This language could support an argument that "validating" requires confirming a program is affirmatively known-good, not merely absent from a known-bad list.
For the ’441 Patent
- The Term: "attestation server"
- Context and Importance: The entire claim is oriented around actions performed by a remote "attestation server." The case may turn on whether CrowdStrike’s cloud platform, which performs threat analysis and reporting, meets the definition of this term.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The patent abstract describes the invention broadly as an "attestation service" that generates an "application artifact" and provides "contextual trustworthiness." The claims do not appear to require a specific cryptographic protocol for attestation. This may support an argument that any remote server providing a report on an application's security posture functions as an "attestation server" (’441 Patent, Abstract).
  - Evidence for a Narrower Interpretation: The term "attestation" in the security field often implies a formal, cryptographically-backed verification of a system's state. While the patent does not explicitly require this, the use of terms like "attestation result" and "application artifact" could be argued to imply a more formal process than the general threat reporting alleged in the complaint (’441 Patent, col. 14:43-44).
VI. Other Allegations
- Indirect Infringement: For all asserted patents, the complaint alleges induced infringement. The allegations are based on Defendants providing the Accused Products to end-users with instruction and installation manuals, offering customer service, and providing directions that allegedly encourage customers to install and use the products in an infringing manner (e.g., Compl. ¶¶ 42-45, 55-58).
- Willful Infringement: The complaint does not contain a separate count for willful infringement, nor does it allege pre-suit knowledge of the patents. However, for each patent, it alleges that Defendants have knowledge of their infringement "at least as of the date of this Complaint" and continue to infringe, which may form the basis for a post-filing willfulness claim (e.g., Compl. ¶¶ 43, 56).
VII. Analyst’s Conclusion: Key Questions for the Case
- A central issue will be one of technical implementation: for the '137 Patent, does CrowdStrike's use of blacklists/whitelists followed by general behavioral monitoring map onto the patent's more structured, two-phase method of "validating" a program and then selecting a distinct monitoring path based on the outcome?
- A key question will be one of definitional scope: for the '441 Patent and related patents, can the term "attestation," which often implies a formal integrity check, be construed to cover the accused products' functionality of remote threat analysis and risk reporting?
- A broader evidentiary question will be one of functional operation: across multiple patents, the case will likely require a detailed examination of whether CrowdStrike's integrated endpoint agent and cloud platform perform the specific, discrete steps recited in the method claims, or if the accused system operates in a technically distinct manner that falls outside the claimed inventions.