PTAB

IPR2023-00124

CrowdStrike Inc v. Open Text Inc

1. Case Identification

2. Patent Overview

  • Title: Systems and Methods for Providing Forensic Visibility
  • Brief Description: The ’045 patent discloses methods for creating security "audit trails" by capturing threat events on a computing device, generating contextual information for those events (e.g., originating processes), and obtaining a global perspective from network-wide data to assess the event and determine if an object is malicious.

3. Grounds for Unpatentability

Ground 1: Obviousness over Morris +/- Van Oorschot - Claims 1-4, 8-10, 12, and 16 are obvious over Morris, or alternatively, Morris in view of Van Oorschot.

  • Prior Art Relied Upon: Morris (Application # 2007/0016953) and Van Oorschot (Patent 8,087,087).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Morris, a publication related to the Patent Owner, discloses the core elements of the challenged claims. Morris describes a community-based malware detection system that gathers event data (comprising an actor, event type, and victim/target) from multiple remote computers and sends it to a central base computer for analysis. It further teaches generating contextual information through a "Genesisactor," described as the ultimate parent of an event, which parallels the claimed "originating object." Finally, Morris obtains a global perspective by comparing data across the community of remote computers to determine an object’s popularity (based on "time and volumes") and to classify it as malware, thus mapping to the key limitations of independent claims 1 and 8.
    • Motivation to Combine (for §103 grounds): For claims requiring an "event priority," Petitioner contended that while Morris does not explicitly teach this, Van Oorschot does. Van Oorschot discloses a security system that assigns a "severity level" to system events based on contextual data. A POSITA would combine Van Oorschot’s severity ranking with Morris’s malware analysis system to predictably improve threat response by prioritizing the most significant events, which is a well-known and common objective in the field of cybersecurity.
    • Expectation of Success: Petitioner asserted that combining Van Oorschot's known event prioritization techniques with the system in Morris would have been a routine modification with a high expectation of success.

Ground 2: Obviousness over Capalik +/- Van Oorschot - Claims 1-4, 7-10, 12, 15-18 are obvious over Capalik, or alternatively, Capalik in view of Van Oorschot.

  • Prior Art Relied Upon: Capalik (Application # 2011/0321166) and Van Oorschot (Patent 8,087,087).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Capalik’s method for analyzing malicious activities using a decoy network teaches the claimed invention. Capalik's system gathers event data, including an "activity source" (first object), "activity target" (target), and an "action." It generates a contextual state by identifying and tracking a "chain of unauthorized activity" back to an originating object. Petitioner asserted that Capalik obtains a global perspective by determining if associations between objects are malicious and is capable of following these activity chains "across multiple virtualized operating systems," thereby satisfying the "across a network" limitation. Dependent claims related to displaying information were also argued to be taught by Capalik's disclosure of generating visual "activity diagrams."
    • Motivation to Combine (for §103 grounds): As with the Morris combination, Petitioner argued that Capalik’s concept of a "monitoring priority" could be enhanced by Van Oorschot’s more explicit teaching of assigning a "severity level" based on event context. A POSITA would combine these teachings to create a more robust event prioritization system, which would predictably improve the efficiency of threat analysis and response by focusing resources on the most critical alerts.
    • Expectation of Success: Petitioner contended a POSITA would have had a reasonable expectation of success in integrating Van Oorschot's established method for assigning severity levels into Capalik's forensic analysis framework.

4. Key Claim Construction Positions

  • For the purpose of the IPR proceeding, Petitioner adopted the Patent Owner's interpretation of the key claim term "wherein the global perspective for one or more related events to the at least one event across a network."
  • This interpretation, stemming from parallel district court litigation and the patent’s prosecution history, requires the "global perspective" to include information about related events occurring on "other devices" across a network. Petitioner argued that its asserted prior art combinations meet this heightened standard, which corresponds to the dispositive limitation added to overcome a rejection during prosecution.

5. Arguments Regarding Discretionary Denial

  • Petitioner presented extensive arguments that discretionary denial under Fintiv would be inappropriate.
  • Petitioner contended that although parallel district court litigation exists, the complexity of that case—involving numerous patents and defendants—makes the scheduled trial date unreliable. It argued that the actual trial is highly likely to be delayed until well after the statutory deadline for a Final Written Decision (FWD) in the IPR.
  • Furthermore, Petitioner stipulated that if the IPR is instituted, it will not pursue in the district court any invalidity ground for the ’045 patent that relies on Morris, Van Oorschot, or Capalik. Petitioner asserted this comprehensive stipulation eliminates any significant overlap between the proceedings and promotes judicial efficiency.

6. Relief Requested

  • Petitioner requests institution of inter partes review and cancellation of claims 1-4, 7-10, 12, 15-18 of Patent 9,578,045 as unpatentable.