PTAB
IPR2025-00067
CrowdStrike Inc v. GoSecure Inc
1. Case Identification
- Case #: IPR2025-00067
- Patent #: 9,106,697
- Filed: October 31, 2024
- Petitioner(s): CrowdStrike, Inc.
- Patent Owner(s): GoSecure, Inc.
- Challenged Claims: 1-23
2. Patent Overview
- Title: Identifying Unauthorized Activities on a Computer System
- Brief Description: The ’697 patent describes methods for analyzing malicious activities on a computer system. It discloses using a virtual machine (VM) as a decoy system to monitor unauthorized activities, generate a "fingerprint" indicative of those activities, and use the fingerprint to protect the broader computer network from similar future attacks.
3. Grounds for Unpatentability
Ground 1: Obviousness over Capalik and King - Claims 1-13, 15-17, and 19-23 are obvious over Capalik in view of King.
- Prior Art Relied Upon: Capalik (Application # 2008/0016570) and King (a 2006 PhD dissertation titled "Analyzing Intrusions Using Operating System Level Information Flow").
- Core Argument for this Ground:
  - Prior Art Mapping: Petitioner argued that Capalik taught the core framework of the challenged claims, including using a decoy VM with a virtual machine monitor (VMM) to monitor network activity, generate a signature (fingerprint) of an attack from stored forensic data, and transmit that signature to an Intrusion Detection/Prevention System (IDS/IPS). However, Petitioner contended that Capalik did not explicitly teach classifying individual activities within an attack as benign or malignant. King allegedly supplied this missing element. King taught a system that logs OS-level events, identifying "source objects" and "sink objects" (mapping to the claims' "activity source" and "activity target"), and generates information-flow graphs. Crucially, King's "GraphGen" tool could filter these graphs to prune benign activities and display only the malignant ones, thereby classifying the "association" between a source and target.
  - Motivation to Combine: A POSITA would combine King's granular, graph-based analysis and classification of malicious activities with Capalik's decoy VM system to create a more effective and precise IDS. Petitioner asserted that incorporating King’s teachings would improve the quality of the signatures generated by Capalik’s system, allowing for better identification of threats. This followed the known principle that more detailed threat information improves threat analysis.
  - Expectation of Success: A POSITA would have had a reasonable expectation of success because both systems were designed to operate in a virtualized environment. King’s system was implemented within a VMM, similar to Capalik’s architecture, and the required modifications would have been straightforward programming tasks for a person of ordinary skill.
Ground 2: Obviousness over Capalik, King, and Pike - Claim 14 is obvious over Capalik in view of King and Pike.
- Prior Art Relied Upon: Capalik (Application # 2008/0016570), King (2006 PhD dissertation), and Pike (Patent 8,819,822).
- Core Argument for this Ground:
  - Prior Art Mapping: This ground built upon the combination of Capalik and King to address claim 14, which added the limitation of identifying activity sources that "request to access a portion of memory that is set as non-executable." Petitioner argued that while the primary combination identified unauthorized activities generally, it was silent on this specific detection method. Pike allegedly taught this technique, disclosing the use of a "no-execute" (NX) bit as a Data Execution Prevention (DEP) mechanism. In Pike, attempting to execute code from a memory region marked as non-executable would trigger an exception, thereby identifying the malicious activity source.
  - Motivation to Combine: A POSITA would have been motivated to add Pike's well-known DEP technique to the Capalik-King system to enhance its ability to detect a common class of malware, such as buffer overflow attacks. This would have been a logical addition to improve the robustness of the combined system's malware detection capabilities.
Ground 3: Obviousness over Capalik, King, and Farley - Claim 18 is obvious over Capalik in view of King and Farley.
- Prior Art Relied Upon: Capalik (Application # 2008/0016570), King (2006 PhD dissertation), and Farley (Patent 7,089,428).
- Core Argument for this Ground:
  - Prior Art Mapping: This ground addressed claim 18, which added the limitation of "determining an activity level representing a frequency of unauthorized activities...during a predefined time interval." Petitioner asserted that the Capalik-King combination did not teach tracking the frequency of attacks. Farley allegedly disclosed this feature by teaching a security system that calculates a "historical event frequency value" (e.g., events per day) to help assess the risk associated with raw event data.
  - Motivation to Combine: A POSITA would incorporate Farley’s technique of tracking event frequency into the Capalik-King system to improve its IDS forensic analysis. Tracking the frequency of unauthorized activities is a known technique that provides an additional data point for risk assessment and would have been a predictable improvement to the base system.
4. Key Claim Construction Positions
- "association": Petitioner argued this term was central to the claims and was emphasized during prosecution. Petitioner advanced two possible interpretations. This petition was filed to address the narrower interpretation, where "association" requires characterizing whether an individual action between an activity source and target is authorized or unauthorized (i.e., benign or malignant). Petitioner noted it concurrently filed a separate IPR petition (IPR2025-00069) to address a broader interpretation where "association" simply means the action, event, or operation between the source and target. The arguments in this petition relied on King to teach the classification required by the narrower construction.
5. Arguments Regarding Discretionary Denial
- §325(d) Discretion: Petitioner argued against discretionary denial under §325(d), asserting that although the primary reference Capalik was incorporated by reference into the ’697 patent, it was never applied or substantively discussed by the Examiner during prosecution. The secondary references (King, Pike, and Farley) were not before the Office at all.
- Fintiv Factors: Petitioner argued against discretionary denial under Fintiv, stating that the jury trial date in the parallel district court litigation was set for November 16, 2026. This date was sufficiently far in the future that the Board's final written decision would issue more than six months prior. Petitioner also stated its intent to file a motion to stay the district court case pending the outcome of the IPR.
6. Relief Requested
- Petitioner requested institution of an inter partes review and cancellation of claims 1-23 of Patent 9,106,697 as unpatentable.