DCT
6:24-cv-00186
Datamonitor Systems LLC v. Cisco Systems Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Datamonitor Systems LLC (Delaware)
  - Defendant: Cisco Systems, Inc. (Delaware)
  - Plaintiff’s Counsel: The Mort Law Firm, PLLC
- Case Identification: 6:24-cv-00186, W.D. Tex., 04/11/2024
- Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Defendant maintains a regular place of business in Austin, Texas, and has committed acts of infringement in the district.
- Core Dispute: Plaintiff alleges that Defendant’s Firewall Management Center infringes a patent related to monitoring network activity for intrusion detection.
- Technical Context: The technology concerns high-speed network intrusion detection systems designed to identify and analyze potentially malicious data packets, including those involved in subtle or distributed attacks.
- Key Procedural History: The complaint does not reference any prior litigation, inter partes review proceedings, or licensing history concerning the asserted patent.
Case Timeline
| Date | Event | 
|---|---|
| 2000-09-13 | U.S. Patent No. 7,594,009 Priority Date | 
| 2009-09-22 | U.S. Patent No. 7,594,009 Issued | 
| 2024-04-11 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,594,009 - “Monitoring Network Activity,” Issued September 22, 2009
The Invention Explained
- Problem Addressed: The patent’s background section identifies the challenge of monitoring high-bandwidth networks for malicious activity, noting that conventional Intrusion Detection Systems (IDS) struggle to handle the volume of traffic from major attacks (e.g., DDoS) and often fail to detect subtle, "slow scans" that occur over extended periods ('009 Patent, col. 1:11-39).
- The Patented Solution: The invention describes a distributed system for analyzing network traffic. The system uses "sniffers" to copy packets from the network and a "packet factory" to create a modified packet for analysis, which includes the original packet data plus a unique identifier (e.g., a sniffer ID and a timestamp) ('009 Patent, Abstract; col. 2:9-14). Details of suspect packets are then forwarded to a central database, allowing for correlation and analysis over time to identify attack patterns that might otherwise be missed ('009 Patent, col. 1:50-59; Fig. 2).
- Technical Importance: This architecture aimed to provide a scalable solution for high-speed networks that could detect sophisticated attacks by performing historical correlation, an improvement over monolithic systems limited by real-time analysis on a single machine ('009 Patent, col. 1:40-48).
Key Claims at a Glance
- The complaint asserts infringement of one or more claims without specifying them (Compl. ¶14). Independent claim 1 is representative of the invention's core system and method.
- Independent Claim 1:
  - Using a detecting means with a tap to receive and select network data packets.
  - Using a packet creating means to create a modified packet for analysis, consisting of the selected packet and a unique identifier distinguishing it from other packets.
  - The detecting means analyzes the modified packets to detect suspect packets meeting defined criteria.
  - Forwarding details of each detected suspect packet to a data processing means.
  - Storing the details of detected suspect packets for analysis in conjunction with details of other packets.
  - Using the data processing means to analyze the stored suspect packet data.
III. The Accused Instrumentality
Product Identification
- Cisco Firewall Management Center (FMC), formerly known as the Firepower Management Center (Compl. ¶11).
Functionality and Market Context
- The complaint describes the FMC as an "administrative nerve center for managing critical Cisco network security solutions" that provides "extensive intelligence" about network threats and vulnerabilities (Compl. ¶11; p. 4).
- Technically, the FMC is alleged to be an intrusion detection and prevention system (IDS) that analyzes network traffic (Compl. ¶15). It examines packets for malicious activity and uses "pre-processors" to perform functions like "decoding and normalizing HTTP traffic" (Compl. p. 4; p. 5). The complaint alleges that when a pre-processor rule is triggered, the system generates an event with a Generator ID (GID) and a Snort ID (SID) (Compl. p. 5). These events are transmitted to the FMC, where they are aggregated and made available for analysis in "predefined workflows" (Compl. p. 6). The screenshot titled "Pre-processor Generator IDs" illustrates how a GID indicates which pre-processor was triggered by a packet, helping to categorize event types (Compl. p. 5).
IV. Analysis of Infringement Allegations
'009 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| using detecting means including a tap which receives and selects packets of data from network traffic and packet creating means which, for each packet selected by the tap, creates a modified selected packet for analysis which consists of the selected packet and a unique identifier for the selected packet | The FMC allegedly uses a "detecting means" to receive and select packets and a "packet creating means" to create a modified packet for analysis that includes the original packet and a unique identifier. The complaint alleges this identifier is the combination of a Generator ID (GID) and Snort ID (SID) assigned to events. The screenshot titled "Pre-processor Events" describes the generation of an event with a GID and SID when a packet triggers a pre-processor option (Compl. p. 5). | ¶17, p. 5 | col. 2:9-14 | 
| ...wherein the detecting means analyzes the modified selected packets to detect suspect modified data packets which meet criteria defined by one or more functions in the detecting means, the criteria being indicative of potentially damaging traffic on the network | The FMC allegedly analyzes the modified packets to detect suspect packets that meet criteria defined by functions in the detecting means. The screenshot titled "Intrusion and Pre-processor Rules" states the system uses rules with specified keywords and arguments to analyze traffic and detect exploits (Compl. p. 6). | ¶18, p. 6 | col. 1:48-54 | 
| forwarding details of each detected suspect modified data packet to data processing means | The FMC allegedly forwards details of detected suspect packets to a data processing means. The complaint includes a screenshot stating that "Managed devices transmit their events to the Firepower Management Center" when a possible intrusion is identified (Compl. p. 6). | ¶19, p. 6 | col. 1:54-56 | 
| storing details of each detected suspect modified data packet so as to be accessible for use in analysis by the data processing means in conjunction with the details of other detected modified suspect packets | The FMC allegedly stores details of detected suspect packets for later analysis. The complaint provides a visual explaining that the Firepower System provides "predefined workflows, populated with event data, that you can use to view and analyze intrusion events" (Compl. p. 6). | ¶20, p. 6 | col. 1:56-59 | 
| using the data processing means to analyze the stored suspect modified data packets | The FMC allegedly uses a data processing means to analyze the stored packets. A screenshot titled "Default Workflows" describes a workflow as "a series of pages displaying data that analysts use to evaluate events" (Compl. p. 7). | ¶21, p. 7 | col. 2:1-6 | 
Identified Points of Contention
- Scope Questions: Claim 1 uses "means-plus-function" language (e.g., "detecting means," "packet creating means"). Under 35 U.S.C. § 112(f), the scope of these terms is limited to the corresponding structures disclosed in the patent's specification and their equivalents. A central question will be whether the architecture of the accused FMC (e.g., its use of pre-processors, GIDs/SIDs, and event workflows) is structurally equivalent to the patent's disclosed "packet factory," "function tree," and layered "adapters" ('009 Patent, Fig. 3, col. 8:3-48).
- Technical Questions: What is the nature and function of the "unique identifier" required by Claim 1? The complaint alleges the GID/SID pair serves this purpose (Compl. ¶17; p. 5), but the patent specification describes the identifier as a combination of a "unique number of the sniffer" and a unique "time stamp" ('009 Patent, col. 7:1-15). This raises the question of whether a GID/SID, which primarily categorizes the type of detected event, performs the same function as the patent's identifier, which appears designed to distinguish a specific instance of a packet.
V. Key Claim Terms for Construction
- The Term: "detecting means"
  - Context and Importance: This is a means-plus-function term, and its construction will define the structural requirements for infringement. The dispute will likely center on whether the FMC's software architecture is equivalent to the specific structures disclosed in the '009 patent for performing the functions of selecting, modifying, and analyzing packets.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: A party might argue the corresponding structure should be viewed at a high level, encompassing the overall system shown in Figure 2, which includes "Sniffer," "Reactor," and "K2 Defender Database" components, allowing for more flexibility in finding equivalents.
    - Evidence for a Narrower Interpretation: A party will likely argue the corresponding structure is the more detailed implementation shown in Figure 3, which requires a specific combination of a "Tap," "Packet Factory," "Worker Thread," and "Function Tree" ('009 Patent, Fig. 3), and the layered "adapters" described in the specification ('009 Patent, col. 8:9-21; Fig. 4).
- The Term: "unique identifier"
  - Context and Importance: The infringement allegation for this element relies on the FMC's GID/SID combination. The definition of "unique identifier" is therefore critical to determining if this limitation is met. Practitioners may focus on this term because of the apparent difference between the accused implementation and the patent's specific disclosure.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The abstract broadly refers to "a unique identifier" without further qualification ('009 Patent, Abstract). A party could argue that "unique" should be interpreted in the context of the system's purpose—to enable correlation—and that any identifier that achieves this, such as a GID/SID, satisfies the claim.
    - Evidence for a Narrower Interpretation: The detailed description provides a very specific structure for the identifier: "a unique identifier consisting of 1. the unique number of the sniffer (2 bytes) and, 2. a time stamp (8 bytes)," with additional details on how to ensure the timestamp's uniqueness ('009 Patent, col. 7:1-15). A party will argue this specific disclosure defines the term and limits its scope to that structure or its direct equivalents.
VI. Other Allegations
The complaint does not contain explicit counts for indirect or willful infringement.
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of claim construction under § 112(f): Will the court construe the "means-plus-function" terms narrowly, requiring structural correspondence to the patent's specific "packet factory" and "function tree" architecture, or more broadly, and does the Cisco FMC's architecture meet the determined structural requirements?
- A key evidentiary question will be one of technical and functional equivalence: Does the accused product's use of a Generator ID (GID) and Snort ID (SID) to categorize event types constitute the "unique identifier" required by Claim 1, particularly when the patent specification explicitly describes a different structure (a sniffer ID and unique timestamp) for distinguishing individual packet instances?