DCT

6:22-cv-01306

CTD Networks LLC v. Verizon Communications Inc

Log In
Key Events
Amended Complaint

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 6:22-cv-01306, W.D. Tex., 04/21/2023
  • Venue Allegations: Plaintiff alleges venue is proper because Defendant has regular and established places of business in the Western District of Texas, including an office in Austin.
  • Core Dispute: Plaintiff alleges that Defendant’s Managed Detection and Response Services infringe four patents related to distributed, agent-based network security systems.
  • Technical Context: The technology concerns network security systems that use distributed software agents to monitor network activity, pool data, and use analytical models to detect and respond to cyber threats in a coordinated fashion.
  • Key Procedural History: The asserted patents form a family, with the '974 Patent being a continuation of the application that led to the '470 Patent, which is a continuation-in-part of the application that led to the '442 Patent. The complaint alleges Defendant had knowledge of the '442, '614, and '470 patents since at least February 2, 2021, a date which precedes the issuance of the '974 Patent.

Case Timeline

Date Event
2002-10-23 U.S. Patent No. 9,438,614 Priority Date
2002-12-24 U.S. Patent Nos. 8,327,442, 9,503,470, & 11,171,974 Priority Date
2012-12-04 U.S. Patent No. 8,327,442 Issues
2016-09-06 U.S. Patent No. 9,438,614 Issues
2016-11-22 U.S. Patent No. 9,503,470 Issues
2021-02-02 Alleged date of knowledge for '442, '614, & '470 patents
2021-11-09 U.S. Patent No. 11,171,974 Issues
2023-04-21 First Amended Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,327,442 - "System and method for a distributed application and network security system (SDI-SCAM)"

  • Patent Identification: U.S. Patent No. 8,327,442, "System and method for a distributed application and network security system (SDI-SCAM)," issued December 4, 2012. (Compl. ¶12).

The Invention Explained

  • Problem Addressed: The patent addresses the vulnerability of computer networks where coordinated attacks can spread across many individual machines for days before a countermeasure is developed, because traditional security systems are often focused at the level of a single machine. ('442 Patent, col. 1:21-44).
  • The Patented Solution: The invention proposes a distributed security system where software "agents" on individual computers constantly pool and analyze information gathered from across the entire network. ('442 Patent, Abstract). This architecture allows the system to quickly detect patterns consistent with a widespread attack, determine the probability of a threat, and then distribute warnings and countermeasures to all machines in real-time. ('442 Patent, col. 2:50-col. 3:2).
  • Technical Importance: This approach sought to counter the asymmetric nature of cyber warfare by creating a coordinated, network-wide "immune system" that could react more quickly than human-dependent responses. ('974 Patent, col. 2:8-18).

Key Claims at a Glance

  • The complaint asserts at least independent claim 1. (Compl. ¶20).
  • The essential elements of independent claim 1 include:
    • A distributed security system protecting individual computers, comprising agents on those computers.
    • Each agent performs steps including: creating statistical models of usage, gathering and analyzing usage information, determining a pattern of usage consistent with an attack, and determining a probability of the likelihood of an attack.
    • The system distributes real-time warnings and countermeasures when the determined probability exceeds a threshold.
    • Agents schedule different anti-viral software updates based on different levels of probability of an attack.
    • Agents suspend the schedule and provide an immediate update when an attack is detected anywhere on the network.
  • The complaint reserves the right to assert additional claims. (Compl. ¶27).

U.S. Patent No. 9,438,614 - "Sdi-scam"

  • Patent Identification: U.S. Patent No. 9,438,614, "Sdi-scam," issued September 6, 2016. (Compl. ¶13).

The Invention Explained

  • Problem Addressed: The patent family addresses the need for security systems to be adaptive, autonomous, and automatic to combat high-frequency and unceasing cyber threats, which human response times are too slow to counter effectively. ('974 Patent, col. 2:1-8).
  • The Patented Solution: The invention is a distributed multi-agent system that uses agents for real-time collection, monitoring, and modeling of network operations to identify suspicious states. ('614 Patent, Abstract). The system employs analytical models to characterize threats and can recommend or implement countermeasures, with a design that allows it to be built on top of existing security platforms for greater flexibility. ('614 Patent, col. 2:52-62).
  • Technical Importance: The technology’s architectural flexibility allows it to be integrated with pre-existing security infrastructure, potentially lowering the barrier to adoption for organizations seeking to implement a more advanced, coordinated defense. ('614 Patent, col. 2:52-62).

Key Claims at a Glance

  • The complaint asserts at least independent claim 10. (Compl. ¶29).
  • The essential elements of independent claim 10 include:
    • A system that detects the state of a computer network.
    • The system comprises a plurality of distributed agents designed for adaptive learning and probabilistic analysis.
    • The agents passively collect, monitor, aggregate, and pattern-analyze data to identify similar patterns of suspicious activities.
    • The system determines if a probability threshold for an attack has been exceeded by these patterns.
    • When the threshold is exceeded, the system alerts other agents, a central server, and/or a human operator.
  • The complaint reserves the right to assert additional claims. (Compl. ¶36).

U.S. Patent No. 9,503,470 - "Distributed agent based model for security and response"

  • Patent Identification: U.S. Patent No. 9,503,470, "Distributed agent based model for security and response," issued November 22, 2016. (Compl. ¶14).
  • Technology Synopsis: This patent describes a security system that uses distributed software agents to monitor a computer network for anomalies and uses Bayesian analysis to estimate the probability that a pattern of activity is hostile. ('470 Patent, col. 2:37-43). The system aims to function as an adaptive and autonomous "immune system for software" that can trigger a cascade of defensive measures, even against novel threats. ('470 Patent, col. 2:8-13).
  • Asserted Claims: The complaint asserts at least independent claim 1. (Compl. ¶38).
  • Accused Features: The Verizon Managed Detection and Response Services are accused of infringing this patent. (Compl. ¶¶18, 38).

U.S. Patent No. 11,171,974 - "Distributed agent based model for security monitoring and response"

  • Patent Identification: U.S. Patent No. 11,171,974, "Distributed agent based model for security monitoring and response," issued November 9, 2021. (Compl. ¶15).
  • Technology Synopsis: This patent describes a distributed security system (SDI-SCAM) that pools and analyzes information gathered from machines across a network to detect patterns consistent with an intrusion or attack. ('974 Patent, Abstract). The system distributes warnings, potential countermeasures, and probabilistic likelihoods of attack, and uses adaptive learning to generate counter-offensive measures based on historical feedback. ('974 Patent, col. 4:11-22).
  • Asserted Claims: The complaint asserts at least independent claim 1. (Compl. ¶47).
  • Accused Features: The Verizon Managed Detection and Response Services are accused of infringing this patent. (Compl. ¶¶18, 47).

III. The Accused Instrumentality

Product Identification

  • The accused instrumentalities are "Verizon's security system for protecting networks, known as Verizon Managed Detection and Response Services," which include Managed Security Services, Managed Detection and Response, and Network Detection and Response. (Compl. ¶18).

Functionality and Market Context

  • The complaint alleges that these are services for protecting computer networks and makes them available to businesses and individuals throughout the United States. (Compl. ¶¶18, 25). The complaint does not provide specific details on the technical operation of the accused services, instead referencing external marketing webpages and forthcoming claim charts. (Compl. ¶18). No probative visual evidence provided in complaint.

IV. Analysis of Infringement Allegations

The complaint references but does not attach claim chart exhibits (Exhibits E, F, G, H) that purportedly describe the infringement of each patent-in-suit. (Compl. ¶¶27, 36, 45, 52). The following is a summary of the infringement theories based on the narrative allegations in the complaint.

'442 Patent Infringement Allegations

The complaint alleges that Defendant's Accused Products directly infringe at least claim 1 of the '442 Patent by making, using, testing, and selling them in the United States. (Compl. ¶20). The implicit theory, pending receipt of Exhibit E, is that the accused services constitute a "distributed security system" that employs agents performing the claimed steps of creating statistical models, analyzing network usage, determining probabilities of attack, and distributing countermeasures and software updates based on those probabilities.

'614 Patent Infringement Allegations

The complaint alleges that the Accused Products directly infringe at least claim 10 of the '614 Patent. (Compl. ¶29). The narrative infringement theory, absent Exhibit F, is that the accused services are a system using a plurality of "distributed agents" that perform "adaptive learning and probabilistic analysis" on collected network data to identify suspicious patterns and alert operators when a threat threshold is breached.

Identified Points of Contention

  • Scope Questions: A foundational question for the court may be whether Defendant's provision of "Managed Detection and Response Services" constitutes the making, using, or selling of the claimed "system." The analysis will involve determining how a service-based offering maps onto the tangible and functional elements of the asserted system claims.
  • Technical Questions: A key technical question for the '442 Patent will be whether the accused services perform the specific function of "schedul[ing]... different anti-viral software updates based on different levels of probability," a highly specific limitation. For the '614 Patent, a central question will be what evidence demonstrates that the accused services employ agents that are both "distributed" and perform "adaptive learning" and "probabilistic analysis" as required by the claim.

V. Key Claim Terms for Construction

  • Term: "statistical models of usage" ('442 Patent, Claim 1)

    • Context and Importance: This term is central to the claimed invention's method of threat detection. The outcome of the infringement analysis may depend on whether the accused services' analytical methods fall within the court's construction of this term. Practitioners may focus on this term because its potential breadth or narrowness could be dispositive.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The specification references a "Belief network" and "probabilistic estimate determination," suggesting that the invention is not limited to one specific type of statistical model. ('442 Patent, col. 4:41-43, col. 7:22-24).
      • Evidence for a Narrower Interpretation: A party could argue the term should be limited by the types of inputs described, such as monitoring "packets being routed," "file transmission," and "user action." ('442 Patent, col. 5:1-5).

  • Term: "plurality of distributed agents" ('614 Patent, Claim 10)

    • Context and Importance: This term defines the fundamental architecture of the claimed system. The dispute may turn on whether the architecture of the accused services, which may be cloud-based or centrally managed, meets the definition of a system comprising "distributed agents."
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The related '974 patent specification describes that the system's implementation can "vary widely, running the spectrum from fully centralized... to fully distributed," which may support a broad construction of "distributed." ('974 Patent, col. 5:52-59).
      • Evidence for a Narrower Interpretation: The figures in the patent family consistently depict distinct "Client" machines, each with an agent, communicating with a central server or each other. (e.g., '614 Patent, Fig. 1). This could support an interpretation requiring agents to reside on separate end-user machines rather than within a centralized service infrastructure.

VI. Other Allegations

  • Indirect Infringement: The complaint makes a general allegation that Defendant "directly and/or indirectly" infringes, but it does not plead specific facts to support claims of induced or contributory infringement, such as instructing others on how to infringe or providing a component with no substantial non-infringing use. (Compl. ¶3).
  • Willful Infringement: Willfulness is alleged for all four patents-in-suit. (Compl. ¶¶21, 30, 39, 47). For the '442, '614, and '470 patents, the allegations are based on Defendant’s alleged knowledge of the patents "since at least February 2, 2021." (Compl. ¶¶22, 31, 40). The complaint also makes boilerplate allegations that Defendant made no attempt to design around the patents and lacked a reasonable basis to believe the patents were invalid. (e.g., Compl. ¶¶23-24). The willfulness claim for the '974 patent, which issued in November 2021, does not allege a specific date of knowledge.

VII. Analyst’s Conclusion: Key Questions for the Case

  1. A central issue will be one of definitional scope: does Defendant’s sale and operation of a "Managed Detection and Response Service" for its customers constitute the "making, using, [or] selling" of the claimed "system" under 35 U.S.C. § 271, or is there a legally significant distinction between providing a service and providing a system?

  2. A key evidentiary question will be one of functional proof: what evidence can Plaintiff produce to demonstrate that the accused services perform the specific analytical functions required by the claims, such as creating "statistical models of usage" ('442 Patent) and performing "adaptive learning and probabilistic analysis" ('614 Patent), as opposed to using other heuristic or rule-based security methods?

  3. An underlying procedural issue is the plaintiff’s reliance on unattached exhibits to plead its infringement theory. The complaint’s infringement allegations for each patent are articulated almost entirely by reference to claim charts that were not filed with the complaint, leaving the specific factual basis for the infringement claims unstated in the pleading itself.