DCT
6:24-cv-00096
SecurityProfiling LLC v. Zoho Corp
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: SecurityProfiling, LLC (Texas)
- Defendant: Zoho Corporation (California)
- Plaintiff’s Counsel: BUSS & BENEFIELD, PLLC
- Case Identification: 6:24-cv-00096, W.D. Tex., 02/19/2024
- Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Defendant Zoho has committed acts of infringement in the district and maintains its U.S. headquarters and a regular and established place of business there.
- Core Dispute: Plaintiff alleges that Defendant’s ManageEngine enterprise management software infringes four patents related to real-time network vulnerability monitoring and multi-path remediation.
- Technical Context: The technology at issue involves systems for identifying network security vulnerabilities by cross-referencing a device's configuration with known threats and providing administrators with multiple, alternative remediation options.
- Key Procedural History: The complaint notes that a predecessor patent (U.S. Pat. No. 8,984,644) to the patents-in-suit was the subject of an inter partes review (IPR2017-02192), resulting in a PTAB decision finding certain claims unpatentable, which was affirmed by the Federal Circuit. Plaintiff asserts this is irrelevant because the asserted claims of the patents-in-suit are "materially different" and specifically do not include the "user option" limitation that was central to the PTAB's decision. The complaint also states that the USPTO considered and found the asserted claims patent-eligible under 35 U.S.C. §101 during prosecution.
Case Timeline
| Date | Event |
|---|---|
| 2003-07-01 | Earliest Patent Priority Date (provisional app. 60/484,085) |
| 2015-08-04 | U.S. Patent No. 9,100,431 Issued |
| 2015-08-25 | U.S. Patent No. 9,118,711 Issued |
| 2019-04-08 | PTAB Final Written Decision in IPR for predecessor '644 patent |
| 2020-03-31 | U.S. Patent No. 10,609,063 Issued |
| 2020-12-22 | U.S. Patent No. 10,873,595 Issued |
| 2024-02-19 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 10,873,595 - "Real-Time Vulnerability Monitoring"
Issued December 22, 2020
The Invention Explained
- Problem Addressed: The patent addresses the complexity of managing network security, where remediating one vulnerability (e.g., by applying a patch) can inadvertently disable mission-critical services or open other vulnerabilities ('595 Patent, col. 1:43-62).
- The Patented Solution: The invention proposes a system where a central platform integrates with security tools like firewalls and intrusion prevention systems ('595 Patent, Abstract). It receives real-time data about a networked device's configuration, compares it against a database of known vulnerabilities, and determines if the device is susceptible to a specific threat ('595 Patent, col. 2:10-24). The platform then displays various mitigation techniques, allowing an administrator to select the most appropriate response based on the specific context, such as choosing a firewall rule change over a potentially disruptive software patch ('595 Patent, col. 2:25-44).
- Technical Importance: This approach provided a centralized and context-aware method for security management, moving beyond siloed tools to enable more intelligent and less disruptive vulnerability remediation (Compl. ¶7).
Key Claims at a Glance
- The complaint asserts independent method claim 1 (Compl. ¶16).
- Essential Elements of Claim 1:
- At a server, identifying first vulnerability information from a second vulnerability database, where the information corresponds with actual vulnerabilities.
- Communicating the first vulnerability information from the server to at least one device over a network.
- At the device, receiving the information and identifying different portions of it (data inspection-related, traffic inspection-related, firewall-related).
- Identifying various "events" in connection with the device.
- For each type of event and corresponding vulnerability information, "causing a determination" of whether the device is capable of being taken advantage of.
- Causing a report of an occurrence if the device is determined to be capable of being taken advantage of.
- The complaint does not explicitly reserve the right to assert dependent claims.
U.S. Patent No. 10,609,063 - "Computer Program Product And Apparatus For Multi-Path Remediation"
Issued March 31, 2020
The Invention Explained
- Problem Addressed: The patent addresses the need for flexible and effective management of security for networked computer systems ('063 Patent, col. 1:21-25).
- The Patented Solution: The invention describes a system and computer program product centered on a database that associates a plurality of device vulnerabilities with multiple, alternative "remediation techniques" ('063 Patent, Abstract). For a single identified vulnerability, the system can present different types of solutions, such as installing a software "patch," changing a "policy setting," or altering a "configuration option" ('063 Patent, col. 1:38-43). As illustrated in Figure 3, a network device like a firewall (131) can query a central security server (135) to determine if a connection request (211) exploits a vulnerability on a target computer (137) before allowing or rejecting the connection ('063 Patent, col. 4:10-38).
- Technical Importance: This "multi-path" approach allows administrators to select a remediation strategy that best fits their operational needs, such as choosing a less disruptive policy setting over a software patch that could risk business system stability ('063 Patent, col. 5:25-32).
Key Claims at a Glance
- The complaint asserts independent claim 10, a claim for a non-transitory computer-readable medium (Compl. ¶28).
- Essential Elements of Claim 10:
- Receiving first vulnerability information generated from a second vulnerability database.
- Displaying information based on the first vulnerability information.
- Causing utilization of "different occurrence mitigation actions of diverse occurrence mitigation types," including a firewall-based type and an intrusion system-based type, to prevent an attack.
- Receiving an indication that an "occurrence has been identified" by network monitors.
- The complaint does not explicitly reserve the right to assert dependent claims.
Multi-Patent Capsule: U.S. Patent No. 9,118,711 - "Anti-Vulnerability System, Method, and Computer Program Product"
Issued August 25, 2015
- Technology Synopsis: This patent, stemming from the same original application as the other patents-in-suit, describes an "Anti-Vulnerability" system and method. The system is designed to identify client vulnerabilities and exposures, and then mitigate or remediate them using a selection of best-possible options, such as patches or policy changes (Compl. ¶¶7-8, 33).
- Asserted Claims: At least claim 1 (Compl. ¶38).
- Accused Features: The complaint alleges that Defendant’s ManageEngine products infringe by implementing the claimed anti-vulnerability system and method (Compl. ¶38).
Multi-Patent Capsule: U.S. Patent No. 9,100,431 - "Computer Program Product And Apparatus For Multi-Path Remediation"
Issued August 4, 2015
- Technology Synopsis: With a title identical to the ’063 Patent, this patent also appears to cover a computer program product and apparatus for "multi-path remediation." The technology involves associating identified device vulnerabilities with multiple, alternative remediation techniques (e.g., patches, policy changes, configuration options) to provide flexible security management (Compl. ¶¶7-8, 43).
- Asserted Claims: At least claim 19 (Compl. ¶48).
- Accused Features: The complaint alleges that Defendant’s ManageEngine products infringe by implementing the claimed multi-path remediation technology (Compl. ¶48).
III. The Accused Instrumentality
Product Identification
- The accused instrumentality is Defendant Zoho’s ManageEngine line of IT management software (Compl. ¶16).
Functionality and Market Context
- The complaint alleges that Zoho's ManageEngine systems are used for enterprise IT management, which includes practicing methods of vulnerability monitoring and remediation (Compl. ¶¶16-17, 28-29, 38-39, 48-49). The infringement allegations center on the normal operation of ManageEngine, which the complaint asserts inherently practices the steps of the asserted claims for identifying network vulnerabilities and applying corrective actions (Compl. ¶17). No probative visual evidence provided in complaint.
IV. Analysis of Infringement Allegations
The complaint incorporates by reference claim chart exhibits that were not provided with the filed complaint. The following summaries are based on the narrative infringement theories presented.
'595 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| [A method comprising:] at at least one server: identifying first vulnerability information... | The complaint alleges that Zoho's ManageEngine system, in its normal operation, identifies vulnerability information relevant to networked devices. | ¶16 | col. 32:2-4 |
| communicating, from the at least one server and to at least one of the plurality of devices over at least one network, the first vulnerability information... | The ManageEngine system is alleged to communicate this vulnerability data from a server component to monitored devices across a network. | ¶16 | col. 32:5-9 |
| at the at least one device:...identifying a first portion of the first vulnerability information that includes data inspection-related information... | The ManageEngine system is alleged to, at the device level, parse and identify specific types of vulnerability data, such as data inspection rules. | ¶16 | col. 32:11-14 |
| identifying a first event of a plurality of events in connection with the at least one device; | The ManageEngine system is alleged to monitor for and identify network events relevant to the security of the device. | ¶16 | col. 32:15-17 |
| causing a determination that the at least one of the actual vulnerabilities...is susceptible to being taken advantage of by the first event... | The ManageEngine system's logic is alleged to determine if a detected event exploits a known vulnerability on the monitored device. | ¶16 | col. 32:18-23 |
Identified Points of Contention
- Scope Questions: A central question may be whether the routine monitoring and alert functions of a general IT management tool like ManageEngine perform the specific, multi-part sequence of identifying different types of vulnerability data (data inspection, traffic inspection, firewall) and correlating each with distinct types of events as recited in the claim.
- Technical Questions: The claim requires distinct determinations of susceptibility for different categories of information. A point of contention could be what evidence demonstrates that ManageEngine performs these specific, segregated logical operations, as opposed to a more general threat assessment.
'063 Infringement Allegations
| Claim Element (from Independent Claim 10) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| [A non-transitory computer-readable media storing instructions that...cause...processors to:] receive first vulnerability information... | The complaint alleges that Zoho's ManageEngine software receives vulnerability data from external and internal sources to assess network device status. | ¶28 | col. 31:4-8 |
| display information that is based on the first vulnerability information; | The ManageEngine user interface is alleged to display information to administrators regarding identified network vulnerabilities. | ¶28 | col. 31:19-20 |
| cause utilization of different occurrence mitigation actions of diverse occurrence mitigation types, including a firewall-based occurrence mitigation type and an intrusion mitigation system-based occurrence mitigation type... | The ManageEngine system is alleged to provide and implement multiple types of remediation actions, such as firewall rule changes and intrusion prevention system updates, to address identified vulnerabilities. | ¶28 | col. 31:21-31 |
| receive an indication that an occurrence has been identified in connection with at least one of the plurality of devices utilizing one or more monitors; | The ManageEngine system is alleged to receive alerts and event data from network monitors indicating a potential security occurrence. | ¶28 | col. 31:32-35 |
Identified Points of Contention
- Scope Questions: A key question will be whether the term "occurrence mitigation actions of diverse...types" can be construed to read on the standard set of remediation tools in an IT management suite, or if it requires a more specific, patented architecture for providing and selecting those actions.
- Technical Questions: The claim requires causing the "utilization" of these different mitigation types. The analysis may focus on whether ManageEngine merely provides options for an administrator to manually deploy, versus actively "causing" their implementation in a manner that maps onto the claim.
V. Key Claim Terms for Construction
For the ’595 Patent
- The Term: "causing a determination"
- Context and Importance: This term appears repeatedly in claim 1 and is critical for establishing infringement of the method steps. Practitioners may focus on this term because its construction will determine whether infringement requires the accused system to directly perform the determination itself or merely to provide the necessary inputs for another component or a user to make the determination.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification describes a security server (135) that "collects data" and "obtains from [a] database" a list of vulnerabilities, which it uses to "determine whether" a connection request is a threat ('595 Patent, col. 4:18-24). This could suggest that providing the necessary inputs for a logical conclusion is sufficient.
- Evidence for a Narrower Interpretation: The claim language recites the steps as being performed "at the at least one device," which may suggest that the device itself, rather than a remote server, must be the component that "causes" the final determination.
For the ’063 Patent
- The Term: "occurrence mitigation actions of diverse occurrence mitigation types"
- Context and Importance: This term in claim 10 defines the core output of the claimed invention. The dispute will likely center on what constitutes a "diverse" set of mitigation "types" and whether the accused product's features meet that definition.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification lists several remediation techniques, including "closing of open ports," "installation of a patch," "changing the device's configuration," and "setting or modifying policies" ('063 Patent, col. 5:4-8). This list could support a broad reading of what constitutes "diverse types."
- Evidence for a Narrower Interpretation: The abstract and summary explicitly group remediation techniques into a specific "type group consisting of patch, policy setting, and configuration option" ('063 Patent, Abstract; col. 1:38-41). A defendant may argue that the term "types" should be limited to this enumerated list, potentially excluding other security actions performed by the accused product.
VI. Other Allegations
Indirect Infringement
- The complaint alleges active inducement of infringement of the ’595 Patent. It asserts that Zoho instructs its customers on how to use the ManageEngine systems in a way that practices the claimed methods (Compl. ¶18).
Willful Infringement
- The complaint does not contain a separate count for willful infringement. However, it alleges that Zoho has been on notice of each patent and its infringement "at least as early as the filing of this Complaint" (Compl. ¶¶19, 30, 40, 50). This allegation may form the basis for a claim of post-suit willful infringement and a request for enhanced damages under 35 U.S.C. § 284. The prayer for relief also requests a finding that this is an "exceptional case," which could support an award of attorney fees (Compl. p. 10, ¶c).
VII. Analyst’s Conclusion: Key Questions for the Case
- A central issue will be the relevance of prior adjudication: will the defendant be able to use the PTAB's invalidation of claims in a predecessor patent to challenge the validity of the asserted claims, or will the plaintiff succeed in demonstrating that the "materially different" claim language, which omits the "user option" limitation, renders the prior proceeding irrelevant?
- A key question of claim scope will be whether the specific, multi-step processes for categorizing vulnerability data and causing determinations (as in the '595 patent) or providing diverse mitigation action types (as in the '063 patent) can be read to cover the functionality of a general-purpose IT management platform like Zoho's ManageEngine.
- The case may also present a question of patent eligibility: although the plaintiff notes that the USPTO found the claims eligible under 35 U.S.C. §101 during prosecution, the defendant may challenge them as being directed to the abstract idea of collecting, analyzing, and presenting security data, a common defense in software patent litigation.