6:22-cv-01303
CTD Networks LLC v. Musarubra US LLC
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: CTD Networks LLC (Delaware)
  - Defendant: Musarubra US LLC d/b/a Trellix (Delaware)
  - Plaintiff’s Counsel: Ramey LLP
- Case Identification: 6:22-cv-01303, W.D. Tex., 12/27/2022
- Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Defendant maintains regular and established places of business in the district, including hiring for numerous positions in Austin, and has committed the alleged acts of infringement in the district.
- Core Dispute: Plaintiff alleges that Defendant’s Trellix Platform infringes four patents related to distributed, agent-based network security systems that monitor, analyze, and respond to cyber threats.
- Technical Context: The technology concerns distributed intrusion detection systems where software agents on multiple computers collaboratively monitor network traffic to identify and counter coordinated cyberattacks.
- Key Procedural History: The complaint alleges that Defendant had pre-suit knowledge of its infringement of three of the four asserted patents since at least February 2, 2021, based on knowledge from its predecessor, McAfee. No prior litigation or administrative proceedings are mentioned in the complaint.
Case Timeline
| Date | Event |
|---|---|
| 2002-10-23 | ’614 Patent Priority Date |
| 2002-12-24 | ’442, ’470, and ’974 Patents Priority Date |
| 2012-12-04 | ’442 Patent Issued |
| 2016-09-06 | ’614 Patent Issued |
| 2016-11-22 | ’470 Patent Issued |
| 2021-02-02 | Alleged Pre-Suit Knowledge Date (’442, ’614, ’470 Patents) |
| 2021-11-09 | ’974 Patent Issued |
| 2022-12-27 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 8,327,442 - "System and method for a distributed application and network security system (SDI-SCAM)"
- Issued: Dec. 4, 2012
- The Invention Explained:
- Problem Addressed: The patent’s background section describes that conventional network security systems are often focused at the level of an individual machine, which makes it difficult and slow to detect and counteract coordinated, network-level attacks such as viruses that spread across multiple systems ('442 Patent, col. 1:28-42).
- The Patented Solution: The invention proposes a distributed security system where software "agents" on individual computers constantly pool and analyze information from across the entire network. This collective analysis allows the system to rapidly detect patterns consistent with a coordinated attack and then distribute warnings and countermeasures to all machines on the network, creating a real-time, network-wide protective shield ('442 Patent, Abstract; col. 1:47-67).
- Technical Importance: The described approach represented a shift from single-machine protection to a collective, "immune system" model designed to be more effective against the growing threat of sophisticated, rapidly propagating network attacks ('442 Patent, col. 1:42-46).
- Key Claims at a Glance:
  - The complaint asserts at least independent claim 1 (Compl. ¶20).
  - Essential elements of claim 1 include:
    - A distributed security system with agents on individual computers.
    - Each agent performs steps including:
      - creating statistical models of usage of the computer.
      - gathering and analyzing information on current usage.
      - determining a pattern of usage consistent with an intrusion or attack.
      - determining a probability of the likelihood of an intrusion or attack from that pattern.
      - distributing warnings and countermeasures when the probability exceeds a statistical threshold.
      - updating the statistical models.
  - The complaint reserves the right to assert additional claims (Compl. ¶27).
U.S. Patent No. 9,438,614 - "Sdi-scam"
- Issued: Sep. 6, 2016
- The Invention Explained:
- Problem Addressed: The patent describes the need for a flexible and distributed security architecture where agents can be implemented at various levels (user, ISP, private network) and have different functions, which creates a challenge for effective, system-wide communication and threat response ('614 Patent, col. 1:19-28).
- The Patented Solution: The invention provides a distributed multi-agent system where agents collect data and a server performs pattern analysis to identify suspicious activities. A key element is the comparison of data between different agents to identify similar patterns of suspicious activity occurring in different portions of the network, which is indicative of a coordinated attack. When a probability threshold is breached, the system alerts other agents or a central operator ('614 Patent, Claim 1).
- Technical Importance: This technology refines the distributed security model by focusing on hierarchical and peer-to-peer data analysis, allowing the system to more effectively identify coordinated threats by specifically looking for similar anomalous behaviors across otherwise disconnected parts of a network ('614 Patent, col. 2:8-34).
- Key Claims at a Glance:
  - The complaint asserts at least independent claim 10 (Compl. ¶29).
  - Essential elements of claim 10 include:
    - A system with a plurality of distributed agents that passively collect, monitor, aggregate, and pattern analyze data.
    - The analysis serves to identify similar patterns of suspicious activities indicative of an attack to different portions of the computer network.
    - The system determines if a probability threshold for suspicious activity has been exceeded by said similar patterns.
    - If the threshold is exceeded, the system alerts other agents, a central server, and/or a human operator.
  - The complaint reserves the right to assert additional claims (Compl. ¶36).
U.S. Patent No. 9,503,470 - "Distributed agent based model for security and response"
- Issued: Nov. 22, 2016
- Technology Synopsis: This patent describes a distributed, agent-based security model intended to function as an adaptive and autonomous "immune system" for computer networks (’470 Patent, col. 2:8-17). The system uses Bayesian analysis to estimate threat probabilities and can tune its response to new threats, with agents potentially operating in the cloud to reduce the processing load on defended systems (’470 Patent, col. 2:38-50).
- Asserted Claims: At least independent claim 1 (Compl. ¶38).
- Accused Features: The complaint alleges the Trellix Platform infringes by employing a distributed, agent-based architecture for security monitoring and response (Compl. ¶¶18, 38).
U.S. Patent No. 11,171,974 - "Distributed agent based model for security monitoring and response"
- Issued: Nov. 9, 2021
- Technology Synopsis: This patent details a security system using a "distributed adaptive machine learning model" where agents collect and analyze network data to identify suspicious patterns (’974 Patent, Claim 1). The system is designed to generate countermeasures, including creating "bogus targets" (honey pots) to lure and detect attackers, and it updates its predictive models based on feedback from previous threat responses (’974 Patent, Abstract; Claim 1).
- Asserted Claims: At least independent claim 1 (Compl. ¶47).
- Accused Features: The Trellix Platform is accused of infringement, which suggests it utilizes a distributed, learning-based security model that analyzes network traffic and generates responses to identified threats (Compl. ¶¶18, 47).
III. The Accused Instrumentality
Product Identification
- The Accused Instrumentality is the "Trellix Platform" (Compl. ¶18).
Functionality and Market Context
- The complaint identifies the Trellix Platform as a suite of security products and services (Compl. ¶18). Based on the infringement allegations, the relevant functionality is its use of a distributed architecture to provide network security. This architecture allegedly involves collecting data from various points on a network, analyzing that data to model network behavior, identifying patterns indicative of threats, and deploying countermeasures (Compl. ¶¶27, 36, 45, 52).
- The complaint alleges the Accused Products are available to businesses and individuals throughout the United States (Compl. ¶25).
IV. Analysis of Infringement Allegations
No probative visual evidence provided in complaint. The complaint references claim chart exhibits E, F, G, and H, but these exhibits were not provided with the filed complaint document (Compl. ¶¶27, 36, 45, 52). As such, a detailed claim chart summary cannot be constructed. The infringement theory for each patent is that the Trellix Platform is a distributed security system that performs the steps recited in the asserted claims.
’442 Patent Infringement Allegations
- The complaint alleges that the Trellix Platform infringes at least claim 1 of the '442 Patent (Compl. ¶20). The narrative infringement theory is that the Platform functions as a distributed security system using agents to create statistical models, analyze usage patterns to determine a probability of attack, and distribute countermeasures when a threshold is met (Compl. ¶27).
- Identified Points of Contention:
- Scope Questions: A central question will be whether the Trellix Platform's analytical methods constitute the "creating [of] statistical models of usage" and "determining a probability of the likelihood of an intrusion" as those terms are understood in the context of the patent.
- Technical Questions: The analysis may focus on how, and if, the Trellix Platform uses a "statistical threshold" to trigger the distribution of "warnings and potential countermeasures" in a manner that maps to the claim language.
’614 Patent Infringement Allegations
- The complaint alleges that the Trellix Platform infringes at least claim 10 of the '614 Patent (Compl. ¶29). The infringement theory is that the Platform's agents collect and analyze data from across a network to "identify similar patterns of suspicious activities" in "different portions of the computer network," and then alert other system components when a probability threshold is exceeded (Compl. ¶36).
- Identified Points of Contention:
- Scope Questions: A likely point of dispute is the meaning of "identify similar patterns... to different portions of the computer network." The infringement analysis will turn on whether this requires a specific type of comparative, cross-node analysis.
- Technical Questions: An evidentiary question will be what proof exists that the Trellix Platform's agents perform the specific function of comparing activity patterns between different network locations to identify a threat, as opposed to merely aggregating all data at a central point for analysis.
V. Key Claim Terms for Construction
Term: "statistical models of usage" (’442 Patent, Claim 1)
- Context and Importance: This term is fundamental to the invention of the ’442 Patent. The viability of the infringement claim depends on whether the analytical methods used by the Trellix Platform fall within the scope of this term. Practitioners may focus on this term because its construction will define the breadth of the core inventive concept.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification refers generally to "a variety of statistical analytics" and the system's ability to "determine a probability of the likelihood of an intrusion," which could support a construction that is not limited to a specific type of statistical model ('442 Patent, col. 1:59-65).
- Evidence for a Narrower Interpretation: The detailed description provides specific examples, such as "a Belief network" and "a Bayesian network," which could be used to argue for a narrower construction limited to these or similar probabilistic graphical models ('442 Patent, col. 4:40, col. 9:26).
Term: "identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network" (’614 Patent, Claim 10)
- Context and Importance: This limitation distinguishes the invention from systems that only analyze data at a single point or merely aggregate it. Infringement requires proof of a comparative analysis across the network. Practitioners may focus on this term because it requires a specific technical function—cross-node pattern matching—that may be a key point of non-infringement for the Defendant.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The claim language itself, which requires identifying similar patterns in "different portions" of the network, supports a reading that encompasses any form of analysis that compares behaviors between distinct network locations to detect a coordinated threat ('614 Patent, Claim 10).
- Evidence for a Narrower Interpretation: A defendant may argue that "identify" implies that the distributed agents themselves perform this comparison, rather than a central server, or that "similar patterns" requires a specific degree of technical correspondence that the accused system does not measure.
VI. Other Allegations
Indirect Infringement
- The complaint makes conclusory allegations of indirect infringement for all asserted patents (Compl. ¶¶20, 29, 38, 47). However, the complaint does not provide specific facts to support the elements of either induced or contributory infringement, such as allegations related to user manuals or instructions that encourage infringing use.
Willful Infringement
- Willfulness is alleged for all four patents-in-suit. For the ’442, ’614, and ’470 patents, the complaint alleges pre-suit knowledge since at least February 2, 2021, based on knowledge from Defendant's predecessor, McAfee (Compl. ¶¶22, 31, 40). For the ’974 Patent, the complaint does not allege a specific date of pre-suit knowledge, so the willfulness claim would be based on knowledge gained from the filing of the lawsuit itself.
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of claim scope and construction: Can terms like "statistical models of usage" be construed broadly enough to read on the specific analytical methods of the Trellix Platform, or will they be narrowed by the specification's examples to specific technologies like Bayesian networks? The outcome of claim construction for such foundational terms will be critical.
- A key evidentiary question will be one of functional operation: Does the Trellix Platform actually perform the specific cross-node comparative analysis required by claims like claim 10 of the ’614 Patent? The case may turn on factual evidence demonstrating whether the accused system's architecture and methods match the patented methods of detecting coordinated attacks by identifying similar patterns across different parts of a network.
- A third question will relate to damages and willfulness: Given the allegation that knowledge of three of the four patents was obtained from a predecessor company (McAfee), the court will need to examine the facts surrounding that alleged knowledge to determine whether any infringement was willful, which could significantly impact potential damages.