DCT

2:22-cv-00002

Centripetal Networks Inc v. Keysight Tech Inc

I. Executive Summary and Procedural Information

Parties & Counsel:
- Plaintiff: Centripetal Networks, Inc. (Delaware)
- Defendant: Keysight Technologies, Inc. (Delaware)
- Plaintiff’s Counsel: Kramer Levin Naftalis & Frankel LLP
Case Identification: 2:22-cv-00002, E.D. Va., 01/01/2022
Venue Allegations: Plaintiff alleges venue is proper because Defendant maintains a regular and established place of business in the district and has transacted business and committed acts of alleged infringement there.
Core Dispute: Plaintiff alleges that Defendant’s network security and visibility product suites infringe eleven patents related to rule-based threat detection, packet filtering, and threat intelligence enforcement.
Technical Context: The technology concerns cybersecurity systems that automate the use of threat intelligence—data feeds identifying malicious network actors—to filter and manage network traffic at scale and high speed.
Key Procedural History: The complaint alleges that the parties were previously involved in litigation commencing in July 2017, which resulted in a limited-term license agreement for Plaintiff’s patent portfolio. This license allegedly expired on December 31, 2021, the day before the current complaint was filed. The complaint also references Plaintiff's prior litigation against competitors Cisco Systems and Palo Alto Networks involving patents from the same families as those asserted here. These allegations may be central to Plaintiff's claims of willful infringement.

Case Timeline

Date	Event
2013-01-11	Priority Date for ’572 and ’009 Patents
2013-03-12	Priority Date for ’343 Patent
2014-05-01	Priority Date for ’474 and ’266 Patents
2015-02-10	Priority Date for ’370 and ’573 Patents
2015-04-17	Priority Date for ’917 and ’062 Patents
2016-02-16	’370 Patent Issued
2017-04-18	Keysight acquires Ixia
2017-07-20	Previous patent litigation between parties commenced
2017-07-24	Priority Date for ’526 Patent
2019-01-29	’917 Patent Issued
2019-05-07	’526 Patent Issued
2019-12-17	’572 Patent Issued
2020-02-18	’343 Patent Issued
2020-03-31	’062 Patent Issued
2020-05-19	’573 Patent Issued
2020-06-09	’009 Patent Issued
2020-07-14	Priority Date for ’456 Patent
2020-09-22	’266 Patent Issued
2021-02-16	’456 Patent Issued
2021-05-18	’474 Patent Issued
2021-12-31	Centripetal Term License to Keysight expired
2022-01-01	Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 9,264,370 - “Correlating Packets in Communication Networks”

The Invention Explained

Problem Addressed: Network devices such as firewalls or proxies can alter data packets as they traverse a network, which can obfuscate the packet flow and make it difficult to determine if a packet originated from a malicious source (Compl. ¶ 30; ’370 Patent, col. 1:41-49).
The Patented Solution: The invention proposes placing devices ("taps") on both sides of a network device to log incoming and outgoing packets. By correlating the log entries from both taps, the system can link packets before and after modification, thereby identifying the true source of the traffic despite obfuscation and enabling the generation of new filtering rules based on this correlation (’370 Patent, Abstract; col. 9:52-67).
Technical Importance: This approach provided a method for maintaining accurate threat analysis in complex networks where packet modification by intermediary devices is common (Compl. ¶ 30).

Key Claims at a Glance

The complaint alleges infringement of at least one claim, with allegations mapping to the system described in independent claim 1 (Compl. ¶¶ 66, 71).
Essential elements of independent claim 1 include:
- Provisioning a first device (tap) to identify packets received by a network device from a first network.
- Provisioning a second device (tap) to identify packets transmitted by the network device to a second network.
- Configuring the devices to generate and communicate pluralities of log entries for the received and transmitted packets.
- Correlating the log entries from the first device with the log entries from the second device.
- Responsive to the correlation, generating and communicating data that identifies the host in the first network.
The complaint does not explicitly reserve the right to assert dependent claims for this patent.

U.S. Patent No. 10,193,917 - “Rule-Based Network-Threat Detection”

The Invention Explained

Problem Addressed: Conventional network security often involves reviewing logs for data corresponding to known threat indicators, a process described as "tedious and time consuming" in the face of constantly evolving threats (’917 Patent, col. 1:28-33).
The Patented Solution: The invention describes a packet-filtering device that applies rules based on threat indicators to either allow or block packets. It generates a "packet log entry" for each packet, which is then used to update a "packet flow entry" that consolidates multiple log entries corresponding to a "common threat identifier." This analysis data, including the threat identifier and packet time data, is then communicated for display on an interface (’917 Patent, Abstract; ’917 Patent, col. 8:1-32).
Technical Importance: The system provides for real-time monitoring and logging based on dynamic threat intelligence, allowing a user to observe traffic patterns and customize security policies in response to observations (Compl. ¶ 31).

Key Claims at a Glance

The complaint alleges infringement of at least one claim, with allegations mapping to the packet filtering device described in independent claim 11 (Compl. ¶¶ 96, 100).
Essential elements of independent claim 11 include:
- A packet filtering device that receives packets and applies packet-filtering rules.
- Generating a packet log entry that includes a threat indicator and data on whether the packet was blocked or allowed.
- Updating a "packet flow entry" based on the packet log entry, where the flow entry consolidates log entries corresponding to a "common threat identifier."
- Communicating the "packet flow analysis data" to a computing device.
- Causing the display of at least a portion of the packet flow analysis data, including a threat identifier and packet time data.
The complaint does not explicitly reserve the right to assert dependent claims for this patent.

U.S. Patent No. 10,284,526 - “Efficient SSL/TLS Proxy”

Technology Synopsis: The patent addresses the inefficiency of typical SSL/TLS proxies that decrypt all traffic passing through them (’526 Patent, col. 1:35-40). The invention provides a method for selectively decrypting encrypted communications based on a list of identification data, such as data derived from threat intelligence information (Compl. ¶ 32).
Asserted Claims: Independent claims 1 and 11.
Accused Features: The complaint accuses Keysight's Network Visibility and Testing products that incorporate "SecureStack and Threat Insights technologies," alleging they selectively decrypt encrypted traffic based on threat intelligence (Compl. ¶¶ 42, 128, 131-133).

U.S. Patent No. 10,511,572 - “Rule Swapping in a Packet Network”

Technology Synopsis: The patent addresses the downtime and performance degradation that can occur when a network protection device switches between complex rule sets (’572 Patent, col. 1:38-50). The invention provides a technique for swapping large rule sets without taking the device offline and without packet loss by ceasing packet processing, caching incoming packets, reconfiguring the processor, and then processing the cached packets with the new rule set (Compl. ¶ 33).
Asserted Claims: Independent claim 1.
Accused Features: The complaint accuses Keysight's products with the "hitless change feature," such as the Network Visibility products, which allegedly swap rule sets without dropping packets (Compl. ¶¶ 40, 157, 162).

U.S. Patent No. 10,567,343 - “Filtering Network Data Transfers”

Technology Synopsis: The patent describes addressing advanced cyber-attacks like data exfiltration by providing more granular filtering (’343 Patent, col. 1:28-51). The invention determines whether a packet complies with a filtering rule based on its packet header, and then makes a further determination based on its application header, allowing for a packet transformation function to prevent exfiltration (Compl. ¶ 34).
Asserted Claims: Independent claim 1.
Accused Features: The complaint alleges that products with AppStack technology, which allows filtering based on layers L2 through L7, infringe by inspecting packets based on both packet header and application header field values (Compl. ¶¶ 43, 186, 191).

U.S. Patent No. 10,609,062 - “Rule-Based Network Threat Detection”

Technology Synopsis: This patent, in the same family as the ’917 Patent, describes a system that receives filtering rules associated with network-threat indicators from intelligence providers. It applies the rules and communicates threat information for display in an interface, which then allows a user to modify the filtering rules (e.g., changing an "allow" rule to a "prevent" rule) based on the displayed information (Compl. ¶¶ 31, 215).
Asserted Claims: Independent claim 1.
Accused Features: The complaint accuses products using ATI technology of infringing by receiving threat intelligence feeds, displaying threat information on a dashboard, and allowing a user to modify filtering rules (e.g., blocking countries or IP addresses) based on the displayed analytics (Compl. ¶¶ 217-221).

U.S. Patent No. 10,659,573 - “Correlating Packets in Communications Networks”

Technology Synopsis: This patent, in the same family as the ’370 Patent, describes a system for correlating encrypted packets transmitted by a network device with packets received by that device. Based on the correlation of log entries for both sets of packets, the system generates rules to identify and filter packets received from a malicious host (Compl. ¶¶ 30, 246).
Asserted Claims: Independent claim 1.
Accused Features: The complaint accuses products that log packets (e.g., using Ixia's IxFlow), perform correlations on those logs to identify malicious hosts or IP addresses, and then generate and provision threat intelligence-based rules based on those correlations (Compl. ¶¶ 248-253).

U.S. Patent No. 10,681,009 - “Rule Swapping in a Packet Network”

Technology Synopsis: This patent, in the same family as the ’572 Patent, describes a method for improving rule swapping by preprocessing rule sets to optimize performance. The preprocessing can include merging, separating, or reordering rules before they are implemented on the network device (Compl. ¶¶ 33, 279).
Asserted Claims: Independent claim 1.
Accused Features: The complaint accuses products that utilize Keysight's ATI technology of infringing by preprocessing threat intelligence-based rule sets before configuring the network device with them. The Ixia Fabric Controller is also accused of preprocessing and configuring rule sets (Compl. ¶ 279).

U.S. Patent No. 10,924,456 - “Methods and Systems for Efficient Encrypted SNI Filtering for Cybersecurity Applications”

Technology Synopsis: The patent provides techniques for detecting threats in encrypted traffic by filtering packets containing encrypted Server Name Indication (eSNI) values (’456 Patent, col. 1:8-15). The method involves determining if a plaintext hostname can be resolved from the eSNI ciphertext and, if so, matching that hostname against threat indicators to apply a filtering operation (Compl. ¶ 35).
Asserted Claims: Independent claim 1.
Accused Features: The complaint accuses Keysight's Testing products of infringing by actively testing capabilities for filtering malicious traffic based on eSNI. It also accuses Network Visibility products that use SecureStack and receive threat intelligence from ATI (Compl. ¶¶ 307-309).

U.S. Patent No. 11,012,474 - “Methods and Systems for Protecting a Secured Network”

Technology Synopsis: The patent describes a proactive network security system where a packet security gateway receives dynamic security policies from an external management server. These policies are created or modified by the server based on correlating malicious traffic information from various host tracker services (’474 Patent, col. 1:34-46; Compl. ¶ 36).
Asserted Claims: Independent claim 1.
Accused Features: The complaint accuses products that function as packet security gateways and use ATI technology, which provides dynamic updates of threat intelligence from external servers based on information from multiple sources (Compl. ¶¶ 337-339).

U.S. Patent No. 10,785,266 - “Methods and Systems for Protecting a Secured Network”

Technology Synopsis: This patent, related to the ’474 Patent, describes a system where packet security gateways receive dynamic security policies from an external server. The rules are automatically created or altered based on aggregated malicious traffic information from at least one third-party malicious host tracker service (’266 Patent, col. 1:36-48; Compl. ¶ 36).
Asserted Claims: Independent claim 1.
Accused Features: The complaint accuses products that function as packet security gateways and receive continuously updated security policies from external ATI servers, where the updates are based on information from third-party sources (Compl. ¶¶ 366-368).

III. The Accused Instrumentality

Product Identification

The complaint names several categories of accused products, including: Network Visibility products (Vision X, Vision One, Vision 7300 series, Vision Edge series, Vision 7816, TradeVision, and CloudLens), Network Tap products, Bypass Switch products, the ThreatArmor Suite (ThreatArmor and Threat Simulator), Testing products (BreakingPoint), and the Ixia Fabric Controller (Compl. ¶¶ 38, 47, 48, 49, 50, 52).

Functionality and Market Context

The complaint alleges these products provide network security by detecting network threats and filtering network traffic using threat intelligence (Compl. ¶ 38). The functionality is allegedly enabled by underlying technologies marketed as NetStack, PacketStack, SecureStack, and AppStack, which provide features such as multi-stage filtering, SSL/TLS decryption, and application-layer filtering (Compl. ¶¶ 39-43). A core accused feature is the "Application and Threat Intelligence" ("ATI technology"), which allegedly provides dynamically updated data feeds (marketed as Threat Insights or Rap Sheets) from servers containing information on network attacks, malicious IP addresses, and other threats (Compl. ¶ 46). The complaint provides a diagram illustrating how Keysight's ATI technology is leveraged across its portfolio, showing how real-time cloud threat intelligence enables filtering of malicious sites and botnets (Compl. p. 17, Ex. 39).

IV. Analysis of Infringement Allegations

’370 Patent Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
provision a device in a communication link interfacing a network device and a first network...; provision a device in a communication link interfacing the network device and a second network...	The accused products, such as Vision One or ThreatArmor, are placed in a communication link and inspect inbound and outbound packets traversing a network device.	¶73	col. 2:27-38
...to log packets...	Accused products generate packet log entries, such as IxFlow (a modified NetFlow format) or logs from Network Tap and Bypass Switch products.	¶74	col. 4:1-12
generate a plurality of log entries corresponding to the plurality of packets received by the network device;...generate a plurality of log entries corresponding to the plurality of packets transmitted by the network device	Accused products like Vision One, ThreatArmor, and Testing products generate log entries for packets that are received and transmitted.	¶74	col. 4:1-12
correlate, based on the plurality of log entries...the plurality of packets transmitted by the network device with the plurality of packets received by the network device	The ATI technology retrieves NetFlow data and correlates it to identify compromised IP addresses; Network Visibility products also correlate log entries, for example, using GTP/SIP session correlation.	¶75	col. 9:52-54
responsive to correlating...generate data identifying the host located in the first network; and communicate...the data identifying the host...	The accused products generate "Rap Sheets" or "Threat Insight" that identify a compromised host and communicate this data to a device to enable blocking of traffic from that host. The complaint provides a "Rap Sheet" as a visual example of such data identifying a malicious host (Compl. p. 26).	¶76	col. 12:54-60

’917 Patent Infringement Allegations

Claim Element (from Independent Claim 11)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
a packet filtering device...receive a plurality of packets...apply...one or more packet-filtering rules...	The Network Visibility products and ThreatArmor are packet-filtering devices that filter inbound and outbound packets using threat-intelligence based rules.	¶101	col. 1:53-59
generate a packet log entry comprising at least one threat indicator...and data indicating whether the packet-filtering device prevented the first packet from continuing...or allowed the packet to continue...	The accused products generate a packet log entry that includes a threat indicator and indicates whether the packet was allowed or dropped.	¶103	col. 1:63-67
update, based on the packet log entry, a packet flow entry...wherein each packet flow entry consolidates a plurality of packet log entries corresponding to a common threat identifier	Threat information associated with a packet flow is allegedly updated when it is aggregated and communicated for display on a dashboard or SIEM system.	¶104	col. 8:1-32
communicate, to a computing device, the packet flow analysis data; and cause...display of at least a portion of the packet flow analysis data, wherein the packet flow analysis data comprises at least one threat identifier...packet time data...and data indicating whether the packet-filtering device prevented packets...or allowed packets...	The accused products display packet flow analysis on a dashboard, including malicious IP addresses (threat identifier), the time a threat was last seen (packet time data), and whether packets were blocked or allowed. The complaint includes a screenshot of an accused product dashboard showing "TOP BLOCKED COUNTRIES" and "LAST BLOCKED IP ADDRESSES" (Compl. p. 36, Ex. 78).	¶104	col. 1:44-2:10

Identified Points of Contention

Scope Questions: For the ’370 Patent, a central question may be whether the accused products' method of "correlation," which is alleged to use aggregated NetFlow/IxFlow data (Compl. ¶ 75), meets the claim requirement of correlating log entries from two distinct logical points (pre- and post-network device). The defense may argue that NetFlow correlation is a fundamentally different process than the two-tap system described in the patent's specification.
Technical Questions: For the ’917 Patent, a potential dispute is whether the accused products create and update a "packet flow entry" as required by claim 11. The complaint alleges that threat information is updated when it is "aggregated, communicated, and/or displayed" (Compl. ¶ 104). The defense may argue that this describes a transient aggregation for a user interface rather than the creation and updating of a specific, persistent data structure that "consolidates" log entries, as may be required by the claim.

V. Key Claim Terms for Construction

For the ’370 Patent

The Term: "correlate... the plurality of packets transmitted by the network device with the plurality of packets received by the network device"
Context and Importance: This term defines the core inventive concept of linking pre- and post-modification packets. Its construction will be critical to determining if the accused use of NetFlow data analysis (Compl. ¶ 75) infringes. Practitioners may focus on whether this term requires a direct, packet-for-packet comparison from two distinct physical or logical taps, or if it can be construed more broadly to cover statistical or flow-based correlation.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The claim language itself does not specify the mechanism of correlation, only that it is "based on the plurality of log entries." The specification notes that the purpose is to "determine that the plurality of packets received by the network device correspond to the plurality of packets transmitted by the network device" (’370 Patent, col. 9:52-56), which may support a focus on the result rather than the specific method.
- Evidence for a Narrower Interpretation: The detailed description and figures consistently depict a system with two taps physically or logically bracketing a single network device (’370 Patent, Fig. 2). Language describing the taps as being in communication links "interfacing a network device" with first and second networks may support an interpretation limited to this specific architecture (’370 Patent, col. 1:26-34).

For the ’917 Patent

The Term: "packet flow entry"
Context and Importance: The infringement theory hinges on whether the accused products create and "update" this claimed data structure. The dispute may turn on whether a "packet flow entry" must be a persistent, stateful data object that is modified over time, or if it can encompass the dynamic aggregation of individual log events for display on a dashboard.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent's abstract describes generating a "log entry" and that "information from the packet-filtering rule" is included, without rigidly defining the structure of the resulting "packet flow entry." This may allow for a more flexible interpretation of the data structure.
- Evidence for a Narrower Interpretation: Claim 11 requires "updat[ing], based on the packet log entry, a packet flow entry." The figures and associated description show a "Packet Log" of individual events being used to create and update a consolidated "Flow Log" over time (’917 Patent, Figs. 5A-5G, col. 8:1-32). This suggests the "packet flow entry" is a distinct, consolidated data object that is modified, not merely a transient query result.

VI. Other Allegations

Indirect Infringement: The complaint alleges inducement by asserting that Keysight instructs customers on how to use the accused products in an infringing manner through technical documentation, user guides, support websites, and by requiring activation of subscriptions (like the ATI service) to enable the infringing functionality (Compl. ¶¶ 87-89; 115-118). Contributory infringement is alleged on the basis that the accused products are "highly developed and specialized security products, and, as such, are not staple articles or commodities of commerce" and are particularly suited for infringement (Compl. ¶¶ 90, 119).
Willful Infringement: Willfulness is alleged based on extensive pre-suit knowledge. The complaint asserts Keysight knew of the patents due to (1) a previous litigation between the parties that began in 2017; (2) a subsequent limited-term license to Centripetal's entire patent portfolio that expired on December 31, 2021; (3) Keysight's awareness of Centripetal's litigations against competitors; and (4) alleged direct investigation of Centripetal's products and patents since 2014 (Compl. ¶¶ 56-57, 60-64).

VII. Analyst’s Conclusion: Key Questions for the Case

A central issue will be one of technical implementation: does Keysight's system, which allegedly relies on analyzing aggregated flow data like NetFlow and displaying analytics on a dashboard, practice the specific methods claimed in the asserted patents? This will likely involve a detailed comparison of how the accused products' ATI technology functions versus the claimed methods of two-tap correlation (’370 patent family) and the updating of discrete "packet flow entries" (’917 patent family).
A key legal and factual question will be willfulness: given the allegations of a prior lawsuit and an expired license agreement covering the asserted patent families, the dispute will likely focus on whether Keysight's continued alleged infringement after the license's expiration constitutes objectively reckless disregard of Centripetal's patent rights.
The case also raises a question of claim scope: can the term "correlate", as used in the ’370 patent in the context of two taps, be construed to cover the analysis of aggregated flow data from various network collectors? Similarly, can the term "packet flow entry" in the ’917 patent be interpreted to cover dynamic dashboard visualizations, or is it limited to a specific underlying data structure?