A series of patent lawsuits is challenging the history of malware detection

Cybersecurity firm Webroot claims that competitors’ software infringes on a decades-old patent

A cartoon illustration shows a shadowy figure carrying off a red directory folder, which has a surprised-looking face on its side.
Illustration by Beatrice Sala

In early March, cybersecurity firm Webroot and its parent company OpenText launched a series of patent lawsuits containing some eye-opening claims. Filed March 4th in the famously patentholder-friendly Western District of Texas court, the four lawsuits claim that techniques fundamental to modern malware detection are based on patented technology — and that the company’s competitors are infringing on intellectual property rights with their implementation of network security software.

The defendants named in the suits are a who’s who of security companies: CrowdStrike, Kaspersky, Sophos, and Trend Micro are all named. According to OpenText, the companies are using patented technology in their anti-malware applications, specifically in the endpoint security systems that protect specific devices on a network. It’s a sweeping lawsuit that puts much of the security industry in immediate danger. And, for critics, it’s a bitter reminder of how much damage a patent troll can still do.

So far, endpoint security companies have shown fierce opposition to the very idea of the case. A Kaspersky spokesperson said that the company is “reviewing the issue” but did not offer any further comment on the case. 

Sara Eberle, vice president of global public relations at Sophos, was more forthcoming, telling The Verge that the company would fight the lawsuit: “Sophos prefers to compete in the marketplace rather than in the courtroom, but we will vigorously defend ourselves in this litigation,” Eberle said. “We invite Webroot and OpenText to join the ranks of serious cybersecurity companies that are trying to solve problems rather than create them.”

Responses from Trend Micro COO Kevin Simzer and CrowdStrike’s senior director of corporate communications Kevin Benacci went further: both accused OpenText of “patent trolling” in statements sent to The Verge.

Made notorious by companies like Intellectual Ventures, “patent trolling” refers to the practice of buying up patents for use in litigation rather than research and development. The end result is a drag on anyone building technology — but it can be quite lucrative for companies who can play the game well.

But OpenText insists the lawsuits are about protecting intellectual property. In response to the defendants’ comments, OpenText’s chief communications officer Jennifer Bell said that the lawsuits were being brought to defend the company against unfair and unlawful actions from its competitors. “OpenText brings these lawsuits to protect its intellectual property investments and to hold these parties accountable for their infringement and unlawful competition,” Bell said. “These lawsuits allege that defendants infringe and unlawfully compete against aspects of the OpenText family of companies’ endpoint security products and platforms. OpenText intends to vigorously enforce its intellectual property rights.”

Charles Duan, a postdoctoral fellow at Cornell University and specialist in intellectual property law, described possible outcomes that could range from financial redress to an effective ban on the infringing software should the plaintiff win the case.

“The court can issue a number of remedies here,” Duan said. “One of them is an injunction: they could say that all these other companies who are using the patented technology have to stop doing so. They can also issue money damages, basically saying that these companies have to compensate the company for using their patented technology.”

But simple economics suggest that the most likely outcome is a settlement: a fact that points to the incentives for bringing even flimsy patent suits and highlights the material basis for patent trolling.

“As a practical matter, a lot of these cases never actually get to that point [of judgment] just because the cost of litigation makes it not worth going through a whole trial, even if the patent is very questionable or it seems likely that the companies don’t infringe,” Duan said.

Though the lawsuit is being brought in 2022, a judgment would hinge in part on whether the techniques described in the patent were widely known at the time that the patent application was filed. One of the patents at the heart of the suit — US Patent No. 8,418,250, referred to as “the ‘250 patent” in the lawsuit — was granted in the United States in 2013 but first issued by the British patent office in 2005. Another, US Patent No. 8,726,389 or the ‘389 patent, was also issued in the UK in 2005 and granted in the US in 2014. 

Even taking into account the age of the patents, some experts are clear that the techniques described in them are overly broad. Joe Mullin, senior policy analyst at Electronic Frontier Foundation (EFF), told The Verge that some of the features in the patent were potentially too abstract to be patentable:

“The ‘389 patent claims very basic behavior that could be performed with a pen and paper,” Mullin said. “It simply describes ‘receiving data’ then ‘correlating’ and ‘classifying’ the data, ‘comparing’ the data to other computer objects, and then classifying something as malware (or not) based on that comparison.”

“A core principle of patent law is that you can’t get a monopoly on an ‘abstract idea,’ because that would take away too much from the public and not represent a real invention by the patent holder. This patent should be found invalid because it concerns ‘abstract ideas,’” Mullin said.

But where critics see a broad patent, OpenText paints the case as an argument about the evolution of network security itself. In its complaint filed against Trend Micro, OpenText argues that where malware detection used to rely on a categorization of what a program is, the patented technology is based on analysis of what a program does. Instead of matching file data to a library of known viruses, modern endpoint security looks at actions performed within a computer system. As a result, this kind of malware detection can flag and contain previously unseen examples of malicious software. It’s a real shift in the way companies approach endpoint security. And, according to OpenText, the shift traces back to the patents listed in the case.

Opponents of these claims — including not only the defendants but also cybersecurity researchers who have criticized the lawsuits online — take issue with the breadth of the argument, alleging that the patented technology reflects general developments in the evolution of malware detection over time. (As a strategy, patent trolling relies on this kind of generality: according to EFF, an overworked US Patent and Trademark Office has issued “a flood of bad patents on so-called inventions that are unoriginal, vague, overbroad, and/or so unclear that bad actors can easily use them to threaten all kinds of innovators.”)

What’s more, opposition to the lawsuits may be based on the fact that OpenText was not involved in the research that created the patent: instead, through acquisition of Carbonite, which had previously acquired Webroot, OpenText came to own a number of patents that were assigned to the smaller cybersecurity firm. Having bought the company that controlled the original patents, OpenText now has valuable IP and a chance to extract value from it — regardless of skepticism over whether the techniques described in the patents can really be traced back to innovations developed by one group of researchers.

There are still some protections for defendants. Where patents are overly vague, the fight against them can happen in venues other than the courtroom — with one other option being an appeal to the patent office, Charles Duan explained. “There are proceedings that were created about 10 years ago, they go by the name of inter partes review or post-grant review, and these give companies the chance to argue to the patent office that when the office granted the patents they made a mistake,” Duan said. “That is probably an avenue that some of these security companies will be interested in pursuing.”

In a post-grant review process, companies attempt to convince the patent office that the techniques described in the patent should actually be considered unpatentable. If that argument is successful — and the patent office returns a decision before the trial date — then the basis for the lawsuit falls apart. But, since any delay could prove extremely costly, some companies can’t take the risk of waiting for that decision. 

In the meantime, critics of the current patent system will see the OpenText lawsuits as exemplary of an intellectual property framework that stifles innovation rather than promoting it. 

“What may be going on here is that [OpenText] is not really trying to stop these companies, and more that they’re signaling they will put up a fight before settling at some point,” said Duan.