CrowdStrike, Inc. et al. v. GoSecure, Inc.

Petition

Petition summary

Invalidity analysis

Prosecution analysis

Examiner search

## 1. Case Identification
- Case Number: [IPR2025-00068](https://ai-lab.exparte.com/case/ptab/IPR2025-00068)
- Patent #: [9,954,872](https://ai-lab.exparte.com/patent/9954872)
- Filed: October 31, 2024 (inferred from document)
- Petitioner(s): [Crowdstrike, Inc.](https://ai-lab.exparte.com/party/crowdstrike-inc)
- Patent Owner(s): [GoSecure, Inc.](https://ai-lab.exparte.com/party/gosecure-inc)
- Challenged Claims: 1-21

## 2. Patent Overview
- Title: Methods for Analyzing Malicious Activities
- Brief Description: The [’872 Patent](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1001) describes methods for analyzing malicious activities on a computer system to protect against future attacks. The invention uses a decoy system, such as a virtual machine (VM), to monitor unauthorized activities, generate a "fingerprint" of the attack pattern, and use that fingerprint to protect other network devices.

## 3. Grounds for Unpatentability

#### Ground 1: Obviousness over Capalik and King - Claims 1-12, 14-16, and 18-21 are obvious over Capalik in view of King.
- **Prior Art Relied Upon:** Application # 2008/0016570 (“[Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004)”) and a dissertation by Samuel T. [King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006) (“[King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006)”).
- **Core Argument for this Ground:**
    - **Prior Art Mapping:** Petitioner argued that [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004), which shares an inventor with the [’872 patent](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1001), teaches the core of the invention: using a decoy VM to monitor attacker activity, capture forensic data, and generate a signature to protect a network. However, Petitioner contended that [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004) does not explicitly teach classifying individual activities within an attack as benign or malignant. [King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006) was argued to supply this missing element, as it discloses a system for analyzing intrusions using information-flow graphs that explicitly distinguish between malicious (malignant) and non-malicious (benign) activities to create a more precise, filtered signature of an attack. The combination of [Capalik’s](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004) decoy system and [King’s](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006) granular activity classification allegedly renders the independent claims obvious.
    - **Motivation to Combine:** Petitioner asserted a POSITA would combine [King's](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006) method of classifying individual activities with [Capalik's](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004) decoy system to create an improved and more effective intrusion detection system (IDS). This combination follows the well-known security principle that gathering more detailed threat information leads to better threat analysis and more precise signatures, reducing false positives.
    - **Expectation of Success:** A POSITA would have had a reasonable expectation of success because both [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004) and [King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006) describe similar decoy/VM-based security architectures. Implementing [King's](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006) teachings would involve straightforward software modifications to [Capalik's](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004) existing VMM and data analysis components, well within the skillset of a POSITA.

#### Ground 2: Obviousness over Capalik, King, and Pike - Claim 13 is obvious over Capalik in view of King, and in further view of Pike.
- **Prior Art Relied Upon:** [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004), [King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006), and Patent 8,819,822 (“[Pike](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1007)”).
- **Core Argument for this Ground:**
    - **Prior Art Mapping:** This ground builds upon the [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004)/[King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006) combination. Petitioner argued that claim 13 adds the limitation of identifying activity sources that request access to a portion of memory set as non-executable. The base combination of [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004) and [King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006) teaches identifying unauthorized activities but does not explicitly describe this specific mechanism. [Pike](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1007) was argued to teach this exact technique, disclosing the use of a no-execute (NX) bit, a common Data Execution Prevention (DEP) mechanism, to trigger a fault and identify malware attempting to execute code from a protected memory region.
    - **Motivation to Combine:** A POSITA would be motivated to add [Pike's](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1007) well-known DEP technique to the [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004)/[King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006) system to identify a broader and more robust set of unauthorized activities, particularly buffer overflow attacks that were a common threat. This represents the application of a known technique to improve a known system.
    - **Expectation of Success:** Success was expected because DEP was a well-known technology, and [Pike](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1007) teaches its implementation in both traditional and virtualized computer systems, making it directly compatible with the VM-based system of [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004)/[King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006).

#### Ground 3: Obviousness over Capalik, King, and Farley - Claim 17 is obvious over Capalik in view of King, and in further view of Farley.
- **Prior Art Relied Upon:** [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004), [King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006), and Patent 7,089,428 (“[Farley](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1008)”).
- **Core Argument for this Ground:**
    - **Prior Art Mapping:** This ground also builds on the [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004)/[King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006) combination. Petitioner argued that claim 17 adds the limitation of determining an "activity level" based on the frequency of unauthorized activities over a predefined time interval. [Farley](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1008) was argued to teach this element by disclosing a security management system that calculates a "historical frequency value" (e.g., events per day) to adjust the priority and risk assessment of suspicious events.
    - **Motivation to Combine:** A POSITA would be motivated to incorporate [Farley's](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1008) frequency analysis into the [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004)/[King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006) system to provide a more efficient and accurate risk assessment of suspicious activity. Adding this environmental context would improve the overall effectiveness of the IDS.
    - **Expectation of Success:** A POSITA would have expected success in this combination because it involves applying a known data analysis technique (frequency analysis) to the security event data already being collected by the [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004)/[King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006) system. This would be a straightforward modification to the system's processing module.

## 4. Key Claim Construction Positions
- **"Association":** This term was identified as central to the petition. Petitioner presented two possible interpretations based on the intrinsic record.
    - A narrow interpretation, which this petition ([IPR2025-00068](https://ai-lab.exparte.com/case/ptab/IPR2025-00068)) is based on, requires that an "association" includes a characterization of whether the activity is authorized or unauthorized (i.e., benign or malignant).
    - A broader interpretation, argued in a concurrent petition (IPR2025-00070), construes "association" to simply mean the action, event, or operation between a source and a target, without requiring classification.
- Petitioner argued that under the narrow construction, [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004) alone is insufficient, necessitating the combination with [King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006), which explicitly teaches classifying activities as malignant or benign.

## 5. Arguments Regarding Discretionary Denial
- **§325(d) - Same Art or Arguments:** Petitioner argued against discretionary denial under §325(d). Although [Capalik](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1004) was incorporated by reference in the [’872 patent](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1001), it was never substantively discussed or applied by the Examiner during prosecution. Petitioner contended that a reference merely cited in an IDS but never used in a rejection does not warrant denial. Further, the combinations with [King](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1006), [Pike](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1007), and [Farley](https://ai-lab.exparte.com/case/ptab/IPR2025-00068/doc/1008) present new art and arguments not previously before the Office.
- **§314(a) - Fintiv Factors:** Petitioner argued against discretionary denial under *Fintiv*. It noted that the parallel district court litigation has a scheduled jury trial date of November 16, 2026, which is more than six months after the statutory deadline for a Final Written Decision (FWD) in this IPR. Petitioner also stated its intent to move to stay the litigation, further weighing against denial.

## 6. Relief Requested
- Petitioner requested institution of an inter partes review and cancellation of claims 1-21 of Patent [9,954,872](https://ai-lab.exparte.com/patent/9954872) as unpatentable.

Crowdstrike targets malicious activity analysis patent, arguing all 21 claims are obvious over Capalik & King's decoy VM and activity classification.

IPR2025-00068

CrowdStrike, Inc. v. GoSecure, Inc.