From Casetext: Smarter Legal Research

Securityprofiling, LLC v. Trend Micro Am., Inc.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF TEXAS DALLAS DIVISION
Sep 25, 2018
Civil Action No. 3:17-CV-1484-N (N.D. Tex. Sep. 25, 2018)

Opinion

Civil Action No. 3:17-CV-1484-N

09-25-2018

SECURITYPROFILING, LLC, Plaintiffs, v. TREND MICRO AMERICA, INC., et al. Defendants.


ORDER

This Order addresses the issue of claim construction of the patents in suit. The Court has reviewed the parties' briefs and all related filings and evidence, including the patents-in-suit, the patent prosecution history to the extent it was submitted by the parties, as well as the parties' proposed claim constructions. The Court construes the disputed claims according to Markman v. Westview Instruments, Inc., 52 F.3d 967 (Fed. Cir. 1995) (en banc), aff'd, 517 U.S. 360 (1996).

I. BACKGROUND

This case involves U.S. Patent Nos. 8,266,699 (the '699 Patent), 8,984,644 (the '644 Patent), 9,100,431 (the '431 Patent), 9,117,069 (the '069 Patent), 9,118,708 (the '708 Patent), and 9,225,686 (the '686 Patent) (collectively, the Patents-in-Suit). The Patents-in-Suit are generally directed to methods and systems for identifying vulnerabilities associated with devices, such as computers on a local network, detecting attacks that attempt to exploit those vulnerabilities, and remediating the vulnerabilities through patches, policy settings or configuration options. Plaintiff SecurityProfiling, LLC ("SP"), the assignee of the Patents-in-Suit, claims that Defendants Trend Micro America, Inc. and Trend Micro, Inc. (collectively, "TM") offer computer security products and services that infringe the Patents-in-Suit.

II. CLAIM CONSTRUCTION

A. "Code" in These Claims Is Not a "Nonce" Term

1. Federal Circuit Precedent. - Three recent Federal Circuit decisions guide this inquiry. In Williamson v. Citrix Online, LLC, 792 F.3d 1339 (Fed. Cir. 2015) (en banc), the Federal Circuit considered the force of the presumption that use of the word "means" is necessary to invoke means-plus-function under 35 U.S.C. § 112, ¶ 6. The Court held that the presumption is not strong. Id. at 1349. It further held that use of the term "module" invoked means- plus-function. Id. at 1350. Following the district court, it understood that "module" is simply a generic description for software or hardware that performs a specified function. Id.

Only Part II.C.1 of the opinion is en banc. See id. at 1347 n.3.

After the prosecution of the Patents-in-Suit, this paragraph was recodified as 35 U.S.C. § 112(f). The parties have agreed to use the citation form in effect at the time, and the Court will follow suit.

Generic terms such as "mechanism," "element," "device," and other nonce words that reflect nothing more than verbal constructs may be used in a claim in a manner that is tantamount to using the word "means" because they
typically do not connote sufficiently definite structure and therefore may invoke § 112, para. 6.
Id. (quotation omitted). The Court also found it unavailing that one skilled in the art could have programmed a computer to perform that function. "[T]he fact that one of skill in the art could program a computer to perform the recited functions cannot create structure where none otherwise is disclosed." Id. at 1351. "The standard is whether the words of the claim are understood by persons of ordinary skill in the art to have a sufficiently definite meaning as the name for structure." Id. at 1349. "When a claim term lacks the word 'means,' the presumption can be overcome and § 112, para. 6 will apply if the challenger demonstrates that the claim term fails to 'recite sufficiently definite structure' or else recites 'function without reciting sufficient structure for performing that function.'" Id. (quoting Watts v. XL Sys., Inc., 232 F.3d 877, 880 (Fed. Cir. 2000)).

In Zeroclick, LLC v. Apple, Inc., 891 F.3d 1003 (Fed. Cir. 2018), a panel of the Court reversed a district court holding that "program" and "user interface code" were nonce terms under Williamson. The Circuit identified three errors in the district court's approach. "First, the mere fact that the disputed limitations incorporate functional language does not automatically convert the words into means for performing such functions." Id. at 1008 (citing Greenberg v. Ethicon EndoSurgery, Inc., 91 F.3d 1580, 1583 (Fed. Cir. 1996)). Second, the district court wrongly removed the terms from their context. Id. For example, "user interface code" was not a generic black box, but a reference to a conventional program existing in prior art at the time of the inventions. Id. Third, the district court failed to make pertinent fact findings that the terms it identified were used as a substitute for "means." Id. at 1009.

Most recently, in Diebold Nixdorf, Inc. v. Int'l Trade Comm'n, — F.3d —, 2018 WL 3862648 (Fed. Cir. 2018), the Circuit reversed a ruling by the International Trade Commission. The case dealt with the phrase "checque standby unit," which is a component of an automatic teller machine ("ATM"). The checque standby unit was described as an "escrow" where the ATM could hold a deposit after a customer physically placed items to be deposited into the ATM but before the customer had confirmed the transaction, to allow for the return of the deposit items if the customer cancelled the transaction. The Court held that "Diebold has shown that the term 'cheque standby unit,' as understood by one of ordinary skill in the art, both fails to recite sufficiently definite structure and recites a function without reciting sufficient structure for performing that function." Id. at *4. In reaching that holding, it noted that Diebold was not required to offer extrinsic evidence, but could meet its burden by relying only on intrinsic evidence. Id. at *5. The Court also held that the patent owner's expert's testimony did not show that "checque standby unit" had a reasonably well understood meaning in the art, and simply described the phrase in terms of its function. Id. at *6. The Circuit thus found that § 112, ¶ 6 applied, and then held that the specification did not disclose sufficient structure corresponding to the claimed function so the claims with those terms were indefinite. Id. at *8-9.

2. TM Fails to Rebut the Presumption. - The claim terms that TM argues should be construed under § 112, ¶ 6 are set forth in the Joint Claim Construction and Prehearing Statement, Exhibit A, at 8-31 [88]. As an initial matter, none of the disputed terms uses the word "means." This triggers the presumption that § 112, ¶ 6 does not apply. It is thus up to TM to demonstrate that the words of the claim are not understood by persons of ordinary skill in the art to have a sufficiently definite meaning as the name for structure.

Note that the question is not one of enablement, that is whether the term "code for X" would permit a programmer of ordinary skill to write a program that would do X without undue experimentation. "[T]he fact that one of skill in the art could program a computer to perform the recited functions cannot create structure where none otherwise is disclosed." Williamson, 792 F.3d at 1351. Likewise, the absence of any express algorithm is not dispositive. For example, "code for sorting a list of names into alphabetical order" might denote to a programmer of ordinary skill the use of any one of several well-known sorting algorithms, even in the absence of any express algorithm in the specification.

The Court first rejects two overbroad arguments. TM initially argued (before the Federal Circuit decided Zeroclick) that "code" was synonymous with "means," relying in part on the district court opinion in Zeroclick. After the Federal Circuit's decision, it is not sufficient to argue simply that "code" or "program" or "software" equals "means." The Court must look at the context of the use, i.e., code for X, in light of the specification and determine whether that would be understood by a person of ordinary skill in the art as a description of structure. Conversely, SP argues that the recitation of computer hardware provides enough structure. This argument proves too much. Code does not run in a vacuum; it runs on hardware. If the recitation of computer hardware were enough structure, Williamson would have come out the other way. In the context of code or program or software, the structure at issue is the programmatic structure or the algorithm.

The Court now considers whether TM has demonstrated that the words of the claim are not understood by persons of ordinary skill in the art to have a sufficiently definite meaning as the name for structure. First, neither party offers any extrinsic evidence on this point, such as a declaration of an expert regarding whether a person of ordinary skill in the art would have understood "code for X," in light of the specification, as describing an algorithmic structure. That does not end the inquiry, since Diebold teaches that the intrinsic record may be sufficient to rebut the presumption. By way of example, the Court will discuss the first term at issue:

code for, based on the user input causing selection of the first technique for utilizing the intrusion prevention system for occurrence mitigation, automatically applying the first technique for utilizing the intrusion prevention system for occurrence mitigation; . . . .
See, e.g., '069 Patent c. 31, ll. 6-10. The Court suspects that to one skilled in the art, this would suggest any one of several well known structures for conditional execution. That is beside the point, however. The point is that the language of the claim does not negate the presumption that it would connote structure to one skilled in the art. The Court has undertaken the same review of each of the challenged claims and comes to the same conclusion: unlike in Diebold, the intrinsic record here is not sufficient for TM to rebut the presumption that § 112, ¶ 6 does not apply. The Court, therefore, holds that § 112, ¶ 6 does not apply to the disputed terms.

B. Other Disputed Terms

1. "Vulnerability" Plaintiff's Proposed Construction: A security weakness, gap or flaw that could be exploited by an attack or threat. Defendants' Proposed Construction: A device configuration (including installed software) that can be exploited by an attack against [a/the] device. Analysis:

TM's proposed construction limits a vulnerability to (1) a device configuration that can be exploited by (2) an attack against the device. The Court does not find either of those limitations present in the specification. Accordingly, the Court adopts SP's proposed construction. 2. "intrusion prevention system" Plaintiff's Proposed Construction: A system that monitors and processes network traffic to detect and prevent vulnerability exploits. Defendants' Proposed Construction: A system that monitors and processes packets in network traffic to detect and prevent vulnerability exploits by dropping malicious packets in real time. Analysis:

For example, the current crop of speculative execution exploits, such as Spectre and Meltdown, are not caused by a device configuration, but in some cases can be remediated with code changes.

The two differences in proposed construction are that TM adds "packets in" to "network traffic" and qualifies "to detect and prevent vulnerability exploits" with "by dropping malicious packets in real time." The parties do not offer much on the first change. It appears to be consistent with TM's focus on the second change. TM argues (1) of necessity, an intrusion prevention system must operate in real time, and (2) all of the examples in the specification operate by dropping malicious packets in real time. With regard to the first point, if TM is correct that an intrusion prevention system must of necessity operate in real time, then adding those words to the construction is unnecessary. With regard to the second point, the Court finds that TM has committed the cardinal sin of importing limitations from the specification into the claims. See Phillips v. AWH Corp., 415 F.3d 1303, 1319-20 (Fed. Cir. 2005) (en banc). For example, neither claim 1 of the '644 patent nor claim 10 of the '686 patent include such limitations. The Court thus adopts SP's construction. 3. "firewall" Plaintiff's Proposed Construction: A security system to protect against external threats, that acts as a barrier through which information passing between external systems and one or more networks must travel. Defendants' Proposed Construction: A security system to protect against external threats, that acts as a barrier through which all information passing between external systems and one or more networks must travel. Analysis:

TM's definition requires that all traffic from external systems to the network must pass through the firewall. Thus, TM limits the topology of network to those that are entirely behind a firewall. But nothing in the claims suggests such a limitation. It is certainly conceivable that a network designer might want certain publicly facing components to be outside the firewall, such as a web server or file transport protocol server or demilitarized zone (DMZ). Because the Court finds no such restriction of network topology in the claim language, the Court adopts SP's construction. 4. "remediation technique" Plaintiff's Proposed Construction: An action that corrects or counteracts a vulnerability, including the closing of open ports on the device; installation of a patch that is known to correct the vulnerability; changing the device's configuration; stopping, disabling, or removing services; setting or modifying policies; registry settings or changes; updates to machines; or the like. Defendants' Proposed Construction: An action that makes changes to a device to correct a vulnerability on the device. Analysis:

There are three differences to the proposed construction. First, TM limits remediation techniques to changes to the vulnerable device. Second, SP addes "or counteracts" to "corrects." Finally, SP adds a litany of nonexclusive remediation techniques.

SP points out that the '699 Patent describes a preferred embodiment in which a vulnerability on a device inside the network is remediated by a configuration change to the firewall. See '699 Patent at 4:27-35. The Court declines to adopt a construction that excludes a preferred embodiment. See PPC Broadband, Inc. v. Corning Optical Commc'ns RF, LLC, 815 F.3d 747, 755 (Fed. Cir. 2016). For this reason, also, the Court believes "or counteracts" is appropriate. TM complains that this construction improperly conflates remediation with mediation. The Court does not agree.

SP's litany of techniques comes from the specification. See '699 Patent at 5:1-5. The Court finds that the list of exemplar remediation techniques would be unhelpful to the jury as, first, it is open ended, and second, the list itself introduces terms that would likely need definition for the jury.

Accordingly, the Court construes "remediation technique" as "an action that corrects or counteracts a vulnerability." 5. "each mitigation technique has a mitigation type including at least one of a patch, a policy setting, and a configuration option" Plaintiff's Proposed Construction: The mitigation techniques must include at least one of a patch, policy setting, or configuration option type, but otherwise not limited to those types. Defendants' Proposed Construction: The mitigation techniques must include each of a patch, policy setting, and configuration option type. Analysis:

TM relies on SuperGuide Corp. v. DirecTV Enters. Inc., 358 F.3d 870, 884-88 (Fed. Cir. 2004). In SuperGuide, the Federal Circuit relied upon rules of grammar and held that similar "at least one of A, B, and C" language meant "at least one of A and one of B and one of C." Id. This construction has also been followed by at least one district court with language "at least one of A, B, or C." See Ameranth, Inc. v. Menusoft Systems Corp., 2010 WL 1610079, at *6-7 (E.D. Tex. 2010). However, this rule of construction is not absolute. The SuperGuide Court acknowledged that this presumption of plain meaning could be rebutted by the specification. 358 F. 3d at 887 ("We further conclude that nothing in the specification rebuts the presumption that the'211 patentee intended the plain and ordinary meaning of this language.").

The Court finds here that the intrinsic evidence rebuts the presumption that a mitigation technique must include all three option types. First, dependent claim 17 of the '708 patent expressly requires all three option types. If TM's construction were correct, that claim would be redundant, in violation of the doctrine of claim differentiation. See Liebel-Flarsheim Co. v. Medrad, Inc., 358 F.3d 898, 910 (Fed. Cir. 2004) ("where the limitation that is sought to be 'read into' an independent claim already appears in a dependent claim, the doctrine of claim differentiation is at its strongest," collecting cases). Second, the specification of the '708 patent provides that "each remediation technique has a remediation type selected from the group consisting of patch, policy setting, and configuration option." '708 patent at 1:31-35. These two aspects of the intrinsic evidence sufficiently rebut the SuperGlide presumption.

The Court declines to address TM's indefiniteness argument at this time. --------

The Court therefore construes the claim language as: "The mitigation techniques must include at least one of the following three types: a patch, or a policy setting, or a configuration option type, but is otherwise not limited to those types." 6. "occurrence" Plaintiff's Proposed Construction: Any attempt to expose, deny, degrade, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of a computer network. Defendants' Proposed Construction: Malicious packets targeting a device detected in network traffic. Analysis:

There are three points of difference in the proposed constructions: (1) TM limits an occurrence to packets, while SP includes any attempt to preform a litany of malicious acts; (2) TM's construction targets a device, while SP's construction targets a computer network; and (3) TM requires the packets to be detected. The Court addresses these issues in turn.

First, SP does not adequately explain what kind of occurrence could exist in the absence of packets. Certainly not all networks are packet switched, but the Court has not found any reference to other types of networks within the scope of the Patents-in-Suit. And while there could be attack vectors other than malicious packets - explosives, for example - those also do not appear within the scope of the Patents-in-Suit. Finally, SP's litany of malicious results ("expose, deny, degrade, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of") appears to introduce unnecessary complexity. The Court will adopt TM's simpler construction of "malicious packets."

Second, the distinction between a device and a network here is somewhat elusive. There is no network without devices, and there could be no attack (in this context) on an unconnected device. SP correctly notes that the specification contemplates attacks that propagate from device to device once the network is penetrated. On the other hand, not all occurrences directed at a single device are necessarily attacks on the network as a whole. The Court thus adopts a hybrid of "one or more devices on a network."

Third, the Court does not see any reason to include the limitation that the occurrence be detected. It appears that TM contemplates some kind of contemporaneous detection. SP correctly notes that some occurrences may be detected after the fact. The Court, therefore, does not include that limitation.

In summary, the Court construed "occurrence" as: "Malicious packets targeting one or more devices on a network." 7. "occurrence packet" Plaintiff's Proposed Construction: A packet that is part of an occurrence. Defendants' Proposed Construction: A packet that is part of an occurrence detected in network traffic. Analysis:

In view of the Court's construction of "occurrence," this term does not require further construction. 8. "attack" Plaintiff's Proposed Construction: No construction needed, but, in the alternative, "attack" should have same construction as "occurrence" because Patents do not differentiate the two terms. Defendants' Proposed Construction: Malicious packets targeting a device detected in network traffic. Analysis:

The Court construes this as "an occurrence." No further construction is required.

CONCLUSION

The Court construes the disputed terms as indicated above. The Court will by separate Order establish a schedule for trial.

Signed September 25, 2018.

/s/_________

David C. Godbey

United States District Judge


Summaries of

Securityprofiling, LLC v. Trend Micro Am., Inc.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF TEXAS DALLAS DIVISION
Sep 25, 2018
Civil Action No. 3:17-CV-1484-N (N.D. Tex. Sep. 25, 2018)
Case details for

Securityprofiling, LLC v. Trend Micro Am., Inc.

Case Details

Full title:SECURITYPROFILING, LLC, Plaintiffs, v. TREND MICRO AMERICA, INC., et al…

Court:UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF TEXAS DALLAS DIVISION

Date published: Sep 25, 2018

Citations

Civil Action No. 3:17-CV-1484-N (N.D. Tex. Sep. 25, 2018)

Citing Cases

TrackThings LLC v. Amazon.com

To overcome that presumption, Amazon must demonstrate that the words of the claim are not understood by…

Unicorn Glob. Inc. v. Golabs, Inc.

The Court will address the terms below, but will preface that with an overview of the applicable legal…