DCT

6:23-cv-00014

SecurityProfiling LLC v. Forcepoint LLC

Log In

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 6:23-cv-00014, W.D. Tex., 06/20/2023
  • Venue Allegations: Plaintiff alleges venue is proper because Defendant Forcepoint is headquartered and maintains regular and established places of business within the Western District of Texas.
  • Core Dispute: Plaintiff alleges that Defendant’s network security products, including its Next-Gen Firewall, infringe five patents related to real-time network vulnerability monitoring and remediation.
  • Technical Context: The technology concerns network security systems that move beyond simple threat detection by correlating potential threats with the specific, real-time configuration of networked devices to determine if a device is actually vulnerable before taking action.
  • Key Procedural History: The complaint discloses that a predecessor patent (U.S. Patent No. 8,984,644), from which all five patents-in-suit claim priority, was the subject of an inter partes review (IPR2017-02192). In that proceeding, the Patent Trial and Appeal Board (PTAB) found several claims of the '644 patent unpatentable, a decision summarily affirmed by the Federal Circuit. Plaintiff proactively argues that the asserted claims of the patents-in-suit are "materially different" from the invalidated claims because they do not contain the "user option" limitation that was central to the PTAB's invalidity finding.

Case Timeline

Date Event
2003-07-01 Earliest Priority Date for all five Patents-in-Suit (U.S. Prov. App. 60/484,085)
2015-08-04 U.S. Patent No. 9,100,431 Issues
2015-08-25 U.S. Patent No. 9,118,711 Issues
2018-09-11 U.S. Patent No. 10,075,466 Issues
2018-12-11 U.S. Patent No. 10,154,055 Issues
2019-04-08 PTAB Final Written Decision in IPR involving predecessor '644 Patent
2020-01-28 U.S. Patent No. 10,547,631 Issues
2023-06-20 First Amended Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,154,055 - Real-Time Vulnerability Monitoring

The Invention Explained

  • Problem Addressed: The patent addresses the problem of managing network security in complex computing environments where new vulnerabilities are constantly discovered. Traditional methods often generate a high volume of alerts (false positives) because they cannot distinguish between a potential threat and a device's actual susceptibility to that threat. (’055 Patent, col. 1:40-59).
  • The Patented Solution: The invention describes a system comprising a central "platform," an intrusion prevention system (IPS), a firewall, and data storage. The platform collects real-time configuration data from networked devices (e.g., OS, patches, software installed). When a potential threat occurs, the platform determines if the target device is actually vulnerable by cross-referencing the threat with the device's specific configuration. (Compl. ¶6; ’055 Patent, col. 2:6-20). It can then cause a report of only those occurrences that are capable of exploiting an actual vulnerability, thereby improving accuracy and reducing false alarms. (’055 Patent, Abstract).
  • Technical Importance: This approach represents a shift from indiscriminate, signature-based threat blocking to context-aware security intelligence, allowing for more precise threat mitigation and reducing the risk of "self-inflicted denial of service attacks" caused by blocking legitimate traffic. (’055 Patent, col. 10:39-45).

Key Claims at a Glance

  • The complaint asserts independent claim 7 and dependent claims 10, 12, and 20. (Compl. ¶15).
  • Independent Claim 7 includes the essential elements of an apparatus with a platform configured to:
    • receive a result of an operation based on first information identifying potential vulnerabilities;
    • the operation configured for identifying a configuration of a networked device;
    • and determining that the networked device is actually vulnerable to an actual vulnerability based on its configuration and the first information;
    • such that second information relating to the actual vulnerability is stored in a second data storage;
    • cause identification of a first occurrence (with a packet) and a second occurrence (with a packet);
    • determine that the first occurrence packet is capable of taking advantage of the actual vulnerability, and the second is not;
    • and cause a reporting of the first occurrence based on this determination. (’055 Patent, col. 29:60-30:52).

U.S. Patent No. 10,547,631 - Real-Time Vulnerability Monitoring

The Invention Explained

  • Problem Addressed: Similar to the '055 patent, this patent addresses the complexity and inefficiency of managing security patches and configurations across a network, where remediation steps themselves can introduce new problems or disable critical services. (’631 Patent, col. 1:49-59).
  • The Patented Solution: The invention provides a system with a platform that analyzes networked devices to determine their actual vulnerabilities based on specific configuration data. The platform then presents a user with a plurality of mitigation techniques (e.g., one utilizing an IPS, another utilizing a firewall) and, based on user selection, automatically applies the chosen technique to mitigate the threat. (’631 Patent, Abstract; col. 2:21-34).
  • Technical Importance: The technology provides network administrators with flexible, multi-path remediation options, allowing them to choose a response (e.g., a policy change versus a software patch) that best fits their operational needs, potentially minimizing disruption to business systems. (’631 Patent, col. 7:27-35).

Key Claims at a Glance

  • The complaint asserts independent claim 6 and dependent claims 9 and 11. (Compl. ¶25).
  • Independent Claim 6 includes the essential elements of an apparatus with a platform node configured to:
    • receive a result of an operation that determines a networked device is actually vulnerable to an actual vulnerability based on its configuration;
    • cause display of a plurality of techniques for occurrence mitigation, including a first technique using an intrusion prevention node and a second technique using a firewall node;
    • allow receipt of user input selecting either the first or second technique;
    • and based on the user input, automatically apply the selected technique for occurrence mitigation. (’631 Patent, col. 31:6-42).

U.S. Patent No. 10,075,466 - Real-Time Vulnerability Monitoring

  • Technology Synopsis: The patent describes a security apparatus that determines if a networked device is actually vulnerable to a threat based on its configuration. Upon identifying an incoming "occurrence packet" capable of exploiting such a vulnerability, the system is configured to cause a report of the occurrence, thereby focusing administrator attention on genuine threats. (’466 Patent, Abstract).
  • Asserted Claims: Independent claim 6 and dependent claims 9, 11, and 13. (Compl. ¶35).
  • Accused Features: The complaint alleges that Forcepoint’s Next-Gen Firewall infringes by making, using, and marketing the product. (Compl. ¶35).

U.S. Patent No. 9,118,711 - Anti-Vulnerability System, Method, and Computer Program Product

  • Technology Synopsis: This patent discloses a system for displaying different techniques for mitigating a network threat. It includes a first technique for setting or modifying a policy and a second technique for dropping packets. Based on user input selecting one of the techniques, the system automatically applies it to counter the threat. (’711 Patent, Abstract).
  • Asserted Claims: Independent claims 1, 7, 10, 17 and dependent claims 2-3, 8-9. (Compl. ¶45).
  • Accused Features: The complaint alleges that Forcepoint’s Next-Gen Firewall infringes by making, using, and marketing the product. (Compl. ¶45).

U.S. Patent No. 9,100,431 - Computer Program Product And Apparatus For Multi-Path Remediation

  • Technology Synopsis: The technology involves a database that associates device vulnerabilities with multiple different types of remediation techniques (e.g., patch, policy setting, configuration option). The system is designed to provide a user with alternative remediation paths for a given vulnerability. (’431 Patent, Abstract).
  • Asserted Claims: Independent claims 3, 13, 19, 20. (Compl. ¶55).
  • Accused Features: The complaint accuses a broader range of Forcepoint products of infringing the ’431 patent, including Forcepoint DLP Endpoint, Forcepoint Next-Gen Firewall, Forcepoint ONE, Forcepoint Risk-Adaptive Protection, and Forcepoint Secure SD-WAN. (Compl. ¶55).

III. The Accused Instrumentality

Product Identification

Forcepoint's Next-Gen Firewall is accused of infringing the ’055, ’631, ’466, and ’711 patents. (Compl. ¶¶15, 25, 35, 45). A wider suite of products, including the Next-Gen Firewall, Forcepoint DLP Endpoint, Forcepoint ONE, Forcepoint Risk-Adaptive Protection, and Forcepoint Secure SD-WAN, are accused of infringing the ’431 Patent. (Compl. ¶55).

Functionality and Market Context

  • The complaint identifies the accused products as enterprise security systems. (Compl. ¶6). It does not provide specific technical details about their operation, instead incorporating by reference a series of exhibits (Exhibits 6-14) that were not attached to the filed complaint. (Compl. ¶¶16, 26, 36, 46, 56).
  • The named products fall into categories of network firewalls, data loss prevention (DLP), and secure access service edge (SASE) platforms, which are central to modern corporate network security architectures.

IV. Analysis of Infringement Allegations

No probative visual evidence provided in complaint.

The complaint incorporates by reference claim chart Exhibits 6, 7, 8, 9, and 10-14, which purport to compare the asserted claims to the accused products. (Compl. ¶¶16, 26, 36, 46, 56). As these exhibits were not provided, this analysis summarizes the infringement theory in prose.

The central narrative theory of infringement is that Defendant's security products, particularly the Next-Gen Firewall, perform the core functions claimed in the patents-in-suit. This includes not only identifying and blocking threats but also correlating those threats with the specific configurations of networked devices to determine actual vulnerability and, in some cases, offering and applying various forms of remediation.

Identified Points of Contention

  • Technical Questions: A primary factual question for the court will be whether the accused Forcepoint products actually perform the specific steps of (1) collecting real-time configuration status from a target device and (2) using that status to determine if the device is "actually vulnerable" to a given threat, as required by multiple independent claims (e.g., ’055 Patent, cl. 7). This goes beyond standard signature-based intrusion prevention.
  • Scope Questions: A likely point of dispute will be whether an integrated, modern security appliance like a "Next-Gen Firewall" meets the structural limitations of the claims, which recite a "platform" communicatively coupled with distinct components like an "intrusion prevention system" and a "firewall." (e.g., ’055 Patent, Abstract). Defendant may argue its product is a single, indivisible system that does not map onto the claimed architecture.

V. Key Claim Terms for Construction

U.S. Patent No. 10,154,055 - Claim 7

  • The Term: "determining that the at least one networked device is actually vulnerable to at least one actual vulnerability, based on the identified at least one configuration"
  • Context and Importance: This phrase appears to be the primary point of novelty. Its construction will be critical to distinguishing the claimed invention from conventional intrusion detection systems that block threats without assessing the target's specific configuration. Practitioners may focus on this term because the infringement dispute may turn on whether simply identifying a target's operating system is sufficient to meet this limitation, or if a more granular check of patch levels is required.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The claim language itself does not specify the level of detail required for the "configuration," which could support an argument that any context beyond the threat signature itself (e.g., OS type) is sufficient.
    • Evidence for a Narrower Interpretation: The specification describes the "collection of information regarding the operating system, service pack (if applicable), software, and patches installed" as part of the configuration data used for the determination. (’055 Patent, col. 4:2-8). This language may support a narrower construction requiring a detailed, real-time status check of the target device.

U.S. Patent No. 10,547,631 - Claim 6

  • The Term: "at least one platform node"
  • Context and Importance: The claim recites a "platform node" that is communicatively coupled with an "intrusion prevention node" and a "firewall node." The construction of "platform node" will be central to determining whether a single, integrated security appliance can infringe, or if the claims require a distributed system with physically or logically separate components.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The term "node" is broad in computer science and can refer to a logical entity within a larger system, potentially supporting an argument that a software module on a single appliance constitutes a "platform node."
    • Evidence for a Narrower Interpretation: The patent's figures consistently depict the "Security Server" (platform), "Firewall," and other network components as distinct hardware boxes in a network diagram, which could support an interpretation requiring separate physical or virtual devices. (’631 Patent, FIG. 1).

VI. Other Allegations

Indirect Infringement

The complaint does not plead facts to support, nor does it contain counts for, indirect infringement.

Willful Infringement

The complaint alleges that Forcepoint had notice of the patents and their infringement "at least as early as the filing of the Complaint (Dkt. No. 1)." (Compl. ¶¶17, 27, 37, 47, 57). This allegation appears to lay the groundwork for a claim of post-suit willfulness. The prayer for relief also requests a judgment that the case is "exceptional," which is the standard for awarding attorney's fees, often in connection with a finding of willfulness. (Compl., Prayer for Relief, ¶c).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of technical operation: Does evidence show that the accused Forcepoint products perform the patented method of correlating threats with a target device's specific, real-time configuration data (e.g., OS version, installed patches, policy settings) to determine if it is "actually vulnerable" before reporting or mitigating, or do they operate as conventional security devices that lack this specific functionality?
  • A key legal issue will be one of claim validity in light of prosecution history: Can Plaintiff successfully argue that the asserted claims are patentably distinct from the claims of the predecessor '644 patent that were invalidated in an IPR, based on the removal of the "user option" limitation, or will Defendant persuade the court that the core invention remains the same and is thus invalid for similar reasons?
  • A central question of claim scope will be whether the claimed architecture—reciting a "platform" coupled with separate security "nodes"—can be construed to read on a modern, integrated Next-Generation Firewall, or if the claim language requires a distributed, multi-component system that does not map onto the accused products.