PTAB

IPR2025-00068

CrowdStrike Inc v. GoSecure Inc

Petition

1. Case Identification

2. Patent Overview

  • Title: Methods for Analyzing Malicious Activities on a Computer System
  • Brief Description: The ’872 patent describes methods for protecting a computer system by using a decoy, such as a virtual machine, to monitor malicious activities. The system generates a "fingerprint" of unauthorized activities, which can then be used to protect other computer systems on the network from similar future attacks.

3. Grounds for Unpatentability

Ground 1: Claims 1-12, 14-16, and 18-21 are obvious over Capalik in view of King.

  • Prior Art Relied Upon: Capalik (Application # 2008/0016570) and King (a 2006 University of Michigan dissertation).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued Capalik taught the foundational system of the ’872 patent, including monitoring a decoy computer system (a virtual machine), identifying a plurality of activities, storing detailed forensic data about attacks in a database, generating a signature from that data, and transmitting the signature to other systems for protection. However, Petitioner asserted that Capalik did not explicitly teach classifying individual activities within an attack as benign or malignant. King was argued to supply this missing element by teaching a system that logs information-flow events, builds dependency graphs showing activity sources and targets, and then filters these graphs to distinguish between malignant and benign "associations," thereby classifying individual activities.
    • Motivation to Combine: A POSITA would combine King's granular classification method with Capalik's robust decoy and signature generation system to create an improved and more precise intrusion detection system. Petitioner contended this follows the well-known computer security principle of gathering more detailed threat information to improve threat analysis.
    • Expectation of Success: Petitioner argued a POSITA would have had a high expectation of success because both Capalik and King describe similar decoy system architectures using virtual machine monitors (VMMs). Implementing King's logic would require only straightforward software modifications to Capalik's existing VMM and database infrastructure.

Ground 2: Claim 13 is obvious over Capalik in view of King, and in further view of Pike.

  • Prior Art Relied Upon: Capalik, King, and Pike (Patent 8,819,822).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground builds upon the Capalik-King combination, which taught identifying activity sources affected by unauthorized activities. Petitioner argued that Pike supplied the additional limitation of claim 13: identifying activity sources that "request to access a portion of memory that is set as non-executable." Pike was shown to teach computational security techniques using Data Execution Prevention (DEP) mechanisms, such as setting a "no-execute" bit for certain memory portions, which triggers an exception if an unauthorized activity (e.g., a buffer overflow attack) attempts to execute code in that protected memory.
    • Motivation to Combine: A POSITA would combine Pike's DEP technique with the Capalik-King system to identify a broader range of threats. This modification would improve the system's ability to detect malware that uses common infection mechanisms like buffer overflows, which was described as a known technique for enhancing intrusion detection.
    • Expectation of Success: Success was expected because Capalik already taught the necessary hardware topology (processors, memory, VM) to support Pike's techniques. The modification was presented as a straightforward application of a well-known security feature (DEP) to an existing malware analysis framework.

Ground 3: Claim 17 is obvious over Capalik in view of King, and in further view of Farley.

  • Prior Art Relied Upon: Capalik, King, and Farley (Patent 7,089,428).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground asserted that the Capalik-King combination taught the base method of claim 1 but lacked the specific limitation of claim 17: "determining an activity level representing a frequency of unauthorized activities... during a predefined time interval." Petitioner argued Farley taught this by disclosing a security management system that assembles "raw events" from various sources and analyzes them to calculate a "historical event frequency value," which indicates how frequently specific types of events occur over time.
    • Motivation to Combine: A POSITA would incorporate Farley's frequency analysis to improve the risk assessment capabilities of the Capalik-King system. Using historical frequency data to adjust the priority or perceived risk of a suspicious activity would provide a more efficient and accurate threat analysis, which is a known benefit in the field of intrusion detection.
    • Expectation of Success: A POSITA would have expected success in combining these teachings because it would involve modifying Capalik's existing processing module to capture frequency data, a task described as requiring straightforward programming modifications.

4. Key Claim Construction Positions

  • "Association": Petitioner argued the term "association" is ambiguous. This petition proceeds under a narrower interpretation where "association" requires characterizing whether the action between an activity's source and target is authorized or unauthorized (i.e., benign or malignant). Petitioner noted that a concurrent petition (IPR2025-00070) was filed that argues for a broader interpretation where "association" simply means the action, event, or operation between the source and target, without requiring classification. The grounds in this petition were structured to demonstrate obviousness even under the narrower construction.

5. Arguments Regarding Discretionary Denial

  • §325(d) Arguments: Petitioner argued that discretionary denial under §325(d) is not warranted. Although the primary reference, Capalik, was incorporated by reference into the ’872 patent, Petitioner asserted it was never substantively discussed or applied in a rejection by the Examiner during prosecution. Therefore, the core arguments presented in the petition are new to the Office.
  • Fintiv Arguments: Petitioner argued that Fintiv factors favor institution. The jury trial date in the parallel district court litigation is set for November 16, 2026, which is more than six months after a Final Written Decision would be due in this proceeding. Petitioner also stated its intent to move to stay the district court case pending the outcome of the IPR.

6. Relief Requested

  • Petitioner requests institution of inter partes review and cancellation of claims 1-21 of Patent 9,954,872 as unpatentable.