CrowdStrike Inc v. Skysong Innovations LLC

1. Case Identification

• Case #: IPR2025-01170
• Patent #: 11,892,897
• Filed: July 25, 2025
• Petitioner(s): CrowdStrike, Inc.
• Patent Owner(s): Skysong Innovations, LLC
• Challenged Claims: 1-20

2. Patent Overview

• Title: Predicting Software Vulnerability Exploitation
• Brief Description: The ’897 Patent describes systems and methods for predicting the likelihood that a software vulnerability will be exploited. The invention uses machine learning models that analyze features derived from data sources including online discussions, such as hacker communications on dark web forums.

3. Grounds for Unpatentability

Ground 1: Obviousness over Sabottke - Claims 1, 3, 5, 9-10, 14-15, 18, 20 are obvious over Sabottke.

• Prior Art Relied Upon: Sabottke (a 2015 publication from the 24th USENIX Security Symposium).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Sabottke, which teaches a "Twitter-based exploit detector," discloses all limitations of the challenged claims. Sabottke's system assesses the likelihood of software vulnerability exploitation by accessing datasets from Twitter feeds ("hacker communications") and public vulnerability databases (NVD, OSVDB). It extracts features for a machine learning model, including "Twitter Traffic" features such as the number of followers, friends, retweets, and replies, which correspond to the claimed "measures computed from social connections." Sabottke then applies a supervised learning algorithm (Support Vector Machine) to generate a classification model that predicts a binary class label ("exploited" or "not exploited"). Crucially, Petitioner asserted Sabottke explicitly teaches predicting exploitation based on hacker communications before the vulnerability is disclosed to a public database, citing Sabottke's analysis of the "Heartbleed" vulnerability.
  • Key Aspects: Petitioner contended that the ’897 Patent’s attempt to distinguish itself by focusing on dark web data is not reflected in the broad claims, which read directly on prior art systems like Sabottke that analyze hacker communications on public social media.

Ground 2: Obviousness over Smyth and Phillips - Claims 1-3, 5, 10-11, 13-15, 17-20 are obvious over Smyth and Phillips.

• Prior Art Relied Upon: Smyth (Patent 10,264,009) and Phillips (a 2015 conference paper on extracting social structure from dark web forums).

• Core Argument for this Ground:

  • Prior Art Mapping: Petitioner asserted that Smyth teaches a general framework for a "predictive engine for analyzing existing vulnerability information" that uses machine learning on data from a plurality of sources, including generic "online discussions" and "discussion forums." While Smyth provides the core system, it does not explicitly disclose using "hacker communications" from dark web forums or computing features from "social connections." Phillips was argued to supply these missing elements. Phillips teaches crawling dark web forums to collect data and applying Social Network Analysis (SNA) techniques to identify important forum members. The SNA metrics disclosed in Phillips, such as "Degree Centrality" and "Pagerank Score," directly correspond to the claimed "measures computed from social connections of users posting hacking-related content."
  • Motivation to Combine: A POSITA would combine Phillips with Smyth to improve Smyth's predictive engine. Incorporating Phillips's targeted analysis of dark web hacker communications and social network structures would provide a richer, more current source of threat data than the generic "online discussions" disclosed by Smyth, thereby enhancing the accuracy and predictive power of the system.
  • Expectation of Success: Petitioner argued a POSITA would have a reasonable expectation of success because Smyth's system is already designed to process unstructured text from online forums. Integrating Phillips's well-known techniques for crawling specific forums (dark web) and applying standard SNA metrics would be a straightforward modification to improve the quality of Smyth’s input data without undue experimentation.

• Additional Grounds: Petitioner asserted additional obviousness challenges based on the Smyth and Phillips combination, adding single references to teach specific dependent claim limitations. These included combinations with:

  • Nunes to teach cleaning exploit data of noise and irrelevant information (claims 4, 16).
  • Kuperman to teach optimizing classification models according to a predefined error rate (claim 6).
  • Marin to teach vectorizing text features using term frequency-inverse document frequency (TF-IDF) (claims 7, 13).
  • Bozorgi to teach sorting vulnerability data by time for training and testing models and accessing temporal features (claims 8, 12).

4. Relief Requested

• Petitioner requests institution of an inter partes review and cancellation of claims 1-20 of the ’897 Patent as unpatentable.