ENTIT SOFTWARE LLC
Patent Trials and Appeals Board
Aug 13, 2021
2020001828 (P.T.A.B. Aug. 13, 2021)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO. | FILING DATE | FIRST NAMED INVENTOR | ATTORNEY DOCKET NO. | CONFIRMATION NO.
15/280,954 | 09/29/2016 | Sasi Siddharth Muthurajan | 90214808 | 5270

146568 7590 08/13/2021
MICRO FOCUS LLC
500 Westover Drive #12603
Sanford, NC 27330

EXAMINER: TORRES-DIAZ, LIZBETH

ART UNIT | PAPER NUMBER
2495 |

NOTIFICATION DATE | DELIVERY MODE
08/13/2021 | ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): software.ip.mail@microfocus.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte SASI SIDDHARTH MUTHURAJAN and BARAK RAZ

Appeal 2020-001828
Application 15/280,954
Technology Center 2400

Before JEAN R. HOMERE, CARL W. WHITEHEAD JR., and SCOTT RAEVSKY, Administrative Patent Judges.

RAEVSKY, Administrative Patent Judge.

DECISION ON APPEAL

Appellant[1] appeals under 35 U.S.C. § 134(a) from the Examiner’s decision to reject claims 1–20. We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM.

[1] We use the term “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42. Appellant identifies the real party in interest as MICRO FOCUS LLC. Appeal Br. 2.

CLAIMED SUBJECT MATTER

The claims relate to emulating network traffic. Spec., Abstr. Claim 1, reproduced below, is illustrative of the claimed subject matter:

1.
A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing device for emulating network traffic, the machine-readable storage medium comprising instructions to cause the hardware processor to:
    receive malware data specifying a malware feature;
    select, based on the malware data, a malicious traffic model;
    instantiate a plurality of virtual machines to emulate a plurality of host computing devices;
    generate benign network traffic by each of the plurality of virtual machines;
    generate, by a particular virtual machine of the plurality of virtual machines, a plurality of emulated domain name server requests based on the selected malicious traffic model, the plurality of emulated domain name server requests comprising malicious network traffic; and
    cause transmission of the benign network traffic and the plurality of emulated domain name server requests.

REFERENCES

The Examiner relied upon the following prior art:

Name | Reference | Date
Antonakakis | US 2013/0191915 A1 | July 25, 2013
Arnell | WO 2016/164050 A1 | Oct. 13, 2016
Villasenor | A new worm traffic generator | Aug. 2007
Sommers | A framework for malicious workload generation, ACM, 82–87 | 2004

REJECTIONS

The Examiner made the following rejections:

Claim(s) Rejected | 35 U.S.C. § | Reference(s)/Basis
1, 4, 8, 11, 15 | 103 | Sommers, Arnell
2, 3, 5, 6, 9, 10, 12, 13, 16–20 | 103 | Sommers, Arnell, Villasenor[2]
7, 14 | 103 | Sommers, Arnell, Antonakakis

ANALYSIS

Appellant raises three arguments. First, Appellant contends that the combination of Sommers and Arnell fails to teach or suggest claim 1’s “generate, by a particular virtual machine of the plurality of virtual machines, a plurality of emulated domain name server requests based on the selected malicious traffic model.” Appeal Br. 7–8; Reply Br. 2–5.
Second, Appellant contends that the cited references fail to teach or suggest the “virtual machine” element of the previous limitation and of the limitation, “generate benign network traffic by each of the plurality of virtual machines.” Appeal Br. 8–9; Reply Br. 5–7. Finally, Appellant contends that one of ordinary skill in the art would not have combined the references. Appeal Br. 9–11; Reply Br. 7–8. We address each argument in turn.

Argument 1—“emulated domain name server requests”

Appellant’s first argument is that Sommers and Arnell fail to teach or suggest “generate, by a particular virtual machine of the plurality of virtual machines, a plurality of emulated domain name server requests based on the selected malicious traffic model.” Appeal Br. 7–8; Reply Br. 2–5.

[2] The Examiner refers to this reference as “Ortiz.” Final Act. 7.

Appellant contends that the Examiner’s rejection mapped Sommers’ HTTP requests to the claimed “emulated domain name server requests.” Appeal Br. 7 (emphasis omitted) (citing Final Act. 5). Appellant contends that the claimed domain name server (DNS) request and Sommers’ HTTP requests are “substantially different.” Id. Appellant further contends that Arnell does not teach generating emulated DNS requests based on a selected malicious traffic model but instead discloses actual live DNS traffic. Id. at 8.

The Examiner initially finds that Sommers teaches this limitation, with the exception of “virtual machine/virtual machines,” for which the Examiner relies on Arnell. Final Act. 5–6 (citing Sommers, 84–85). In the Answer, the Examiner clarifies that Arnell discloses the use of DNS requests. Ans. 4. The Examiner explains, “one of ordinary skill in the art . . . would have found obvious to make use of DNS requests, as shown in . . . Arnell, in place of HTTP requests in order to conduct malware analysis in network traffic data.” Id.
Appellant responds that the modified Sommers-Arnell combination, as newly articulated in the Answer, is improper. Reply Br. 3–5. Appellant summarizes the Examiner’s motivation to combine as having three separate rationales:

    as best understood, the Answer newly argued that the rationale for this particular modification is: (i) that the claim language does not recite any “particular activity . . . that distinguishes DNS requests from HTTP requests,” (ii) “in order to conduct malware analysis in network traffic data,” or (iii) “in order to analyze and detect a network anomaly.”

Id. at 3. On rationale (i), Appellant argues that a lack of a claimed distinction between DNS and HTTP fails to explain why one of ordinary skill would have combined the references. Id. at 4. For rationale (ii), Appellant contends that this benefit is already provided by Sommers. Id. For rationale (iii), Appellant contends that the proposed modification results in “generating emulated requests, which would clearly not be usable to detect an actual network anomaly (as taught by Arnell).” Id. at 5 (emphasis omitted).

We begin by noting that Appellant appears to no longer challenge that the combination of Sommers and Arnell discloses the claimed “generate, by a particular virtual machine of the plurality of virtual machines, a plurality of emulated domain name server requests based on the selected malicious traffic model.” Rather, Appellant’s argument has shifted to attacking the Examiner’s combination articulated in the Answer. See id. at 3–5.

However, to the extent that Appellant maintains its argument that Arnell does not teach generating emulated DNS requests based on a selected malicious traffic model but instead discloses actual live DNS traffic, Appeal Br. 8, we find that this argument improperly argues the references individually. The Examiner relies on Sommers for emulation and the selected malicious traffic model, not Arnell. Final Act. 5.
One cannot show non-obviousness by attacking references individually, where the rejections are based on combinations of references. In re Merck & Co., Inc., 800 F.2d 1091, 1097 (Fed. Cir. 1986).

Regarding motivation to combine, the Examiner finds that “both references are in the same field of endeavor and are trying to solve the same issue in relation to network intrusion detection.” Ans. 7. The Examiner also finds that “HTTP requests and DNS requests are very similar” and that “both protocols are used in network intrusion detection systems.” Id. The Examiner further finds:

    Since virtual machines in Arnell’s invention are sending out DNS queries and capturing them to generate a network traffic flow (paragraphs [0007]-[0008]) in order to identify a network anomaly, it would be obvious to implement such virtual machine’s function to a computer in Sommers, which computer sends HTTP requests to also generate network traffic flow (pages 84-85, as identified above), in order to analyze and detect a network anomaly. Therefore, the rationale to combine both arts to analyze a network by generating and analyzing requests to detect anomalies would be reasonable to a person of ordinary skill in the art.

Id. at 8.

We find the Examiner’s rationale to combine persuasive. We disagree with Appellant that a lack of claimed distinction between DNS and HTTP fails to explain why one of ordinary skill would have combined the references. See Appeal Br. 4. The Examiner explains that HTTP and DNS requests are similar and explains why one of ordinary skill would have used Arnell’s DNS requests in place of Sommers’ HTTP requests. See Ans. 7–8. We agree because DNS and HTTP requests both represent types of network traffic that one of ordinary skill in the art would have sought to monitor for network intrusion purposes. See, e.g., Sommers, 84; Arnell ¶ 14.
We also disagree with Appellant that Sommers already provides the benefits of Arnell, at least because Sommers does not employ virtual machines or DNS queries for malware analysis. See Appeal Br. 4; Sommers, 84–85. Lastly, we disagree with Appellant that the proposed modification would result in “generating emulated requests, which would clearly not be usable to detect an actual network anomaly (as taught by Arnell).” Id. at 5 (emphasis omitted). The Examiner applies Arnell’s DNS requests and virtual machines to Sommers’ emulation, not the other way around. See Final Act. 6.

Accordingly, on this argument, Appellant does not persuade us of Examiner error.

Argument 2—“virtual machine(s)”

We next turn to Appellant’s argument that the cited references fail to teach or suggest the “virtual machine” element of the limitation, “generate, by a particular virtual machine of the plurality of virtual machines . . .,” and of the limitation, “generate benign network traffic by each of the plurality of virtual machines.” Appeal Br. 8–9; Reply Br. 5–7.

Appellant contends that Arnell does not describe generating benign traffic by “each” of a plurality of virtual machines. Appeal Br. 8. According to Appellant, “Arnell merely describes that a single virtual machine generates actual DNS queries.” Id. Sommers also does not disclose this limitation, Appellant argues, because it uses “traffic generators” that are “randomly assigned source addresses from the same pool of ‘alias addresses.’” Id. at 9 (emphasis omitted).

In the Final Action, the Examiner relies on Arnell for the claimed “virtual machine” and “virtual machines” and relies on Sommers for the remainder of claim 1’s limitations. Final Act. 4–6. As we noted above, in the Answer, the Examiner also relies on Arnell for its DNS teachings. Ans. 4.
The Examiner further relies on Sommers for disclosing each host and a particular host and relies on Arnell for the virtual machine(s):

    The rejection was built based on the fact that Sommers teaches computers emulating network traffic . . . . Sommers [teaches] that each host (source and destination) are chosen to send legitimate traffic and that particular hosts that are running the MACE software (i.e. software to emulate attack vectors) generate attack loads . . . . However, Sommers does not explicitly teach . . . virtual machines. Arnell, however, explicitly teaches virtual machines . . . .

Ans. 6 (emphasis added in part).

Appellant responds that “the cited portions of Sommers are silent regarding ‘each host’ sending legitimate traffic.” Reply Br. 6. Appellant also contends that Sommers does not teach “a single host (or any subset of hosts) sending attack loads while multiple hosts send legitimate traffic.” Id. Rather, Appellant argues, “it is entirely possible that the single host was generating all of the attack loads and the legitimate traffic.” Id.

Appellant’s argument does not persuade us of Examiner error. To the extent Appellant argues that Arnell does not disclose generating benign traffic by “each” of a plurality of virtual machines, Appeal Br. 8, Appellant impermissibly argues the references individually. Apart from the recitation of virtual machines, the Examiner cites Sommers for this element. Final Act. 4–5.

Appellant’s arguments against Sommers are also unpersuasive. Sommers teaches that “[o]n each host in the internal network, we created 212 alias addresses . . . . Using two levels of benign background traffic, we generate attack traffic . . . . The six levels of attack load were generated by using one to five hosts running MACE.” Sommers, 85 (emphasis added).
In other words, Sommers teaches, or at least suggests, that each of several hosts generates benign traffic and that “one” or more hosts generates attack traffic. These teachings, combined with Arnell’s virtual machine teachings (see Arnell ¶ 14), teach or suggest the disputed portions of the following limitations: “generate benign network traffic by each of the plurality of virtual machines” and “generate, by a particular virtual machine of the plurality of virtual machines, a plurality of emulated domain name server requests based on the selected malicious traffic model.”

Accordingly, on this argument, Appellant does not persuade us of Examiner error.

Argument 3—“motivation to combine”

Finally, we address Appellant’s argument that one of ordinary skill in the art would not have combined Sommers and Arnell. Appeal Br. 9–11; Reply Br. 7–8. We have already addressed some of Appellant’s motivation to combine arguments above in the context of Argument 1, which arose in the Reply Brief. We now address the motivation to combine arguments that Appellant initially raised in its Appeal Brief.

Appellant initially contends that the Examiner relies on hindsight because the references neither describe “generating emulated DNS requests based on a selected malicious traffic model” or “the specific arrangement of virtual machines as claimed.” Appeal Br. 9. On this point, we disagree.

    Any judgment on obviousness is in a sense necessarily a reconstruction based on hindsight reasoning, but so long as it takes into account only knowledge which was within the level of ordinary skill in the art at the time the claimed invention was made and does not include knowledge gleaned only from applicant’s disclosure, such a reconstruction is proper.

In re McLaughlin, 443 F.2d 1392, 1394–95 (CCPA 1971). We do not view the Examiner’s approach here as invoking improper hindsight reasoning.
Appellant next contends that Sommers is directed to a simulation environment, whereas Arnell monitors actual traffic. Appeal Br. 10. Thus, Appellant contends, “Sommers and Arnell are directed to two substantially different problems, and have quite different structures and functions.” Id. It appears to us that Appellant contends that Sommers and Arnell are not analogous art. But in doing so, Appellant does not properly analyze the two-part test for analogous art, which is “(1) whether the art is from the same field of endeavor, regardless of the problem addressed and, (2) if the reference is not within the field of the inventor’s endeavor, whether the reference still is reasonably pertinent to the particular problem with which the inventor is involved.” In re Bigio, 381 F.3d 1320, 1325 (Fed. Cir. 2004) (internal citation omitted). As Appellant does not address these tests, and in particular, does not address whether the references are reasonably pertinent to the particular problem with which the inventor is involved, we find Appellant’s argument unpersuasive.

Finally, Appellant contends that the Examiner’s articulation to combine is vague and conclusory. Appeal Br. 10. As we noted above, the Examiner expanded on this rationale in the Answer, so even if the Final Action’s rationale was conclusory (which we need not decide), the Examiner articulated a sufficient rationale in the Answer. Ans. 7–8.

Ultimately, Appellant does not point to evidence of record that the combination would be “uniquely challenging or difficult for one of ordinary skill in the art” or “represent[] an unobvious step over the prior art.” Leapfrog Enters. Inc. v. Fisher-Price, Inc., 485 F.3d 1157, 1162 (Fed. Cir. 2007) (citing KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 419–20 (2007)).
Nor has Appellant provided objective evidence of secondary considerations, which our reviewing court states “operate[] as a beneficial check on hindsight.” Cheese Sys., Inc. v. Tetra Pak Cheese & Powder Sys., 725 F.3d 1341, 1352 (Fed. Cir. 2013). The Examiner’s findings are reasonable because the skilled artisan would “be able to fit the teachings of multiple patents together like pieces of a puzzle” because the skilled artisan is “a person of ordinary creativity, not an automaton.” KSR, 550 U.S. at 420–21. The claimed subject matter exemplifies the principle that “[t]he combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results.” Id. at 416.

We, therefore, sustain the rejection, along with the rejection of independent claims 8 and 15 argued collectively with claim 1 and the dependent claims, which Appellant does not argue separately. See 37 C.F.R. § 41.37(c)(1)(iv).

DECISION SUMMARY

Claim(s) Rejected | 35 U.S.C. § | Reference(s)/Basis | Affirmed | Reversed
1, 4, 8, 11, 15 | 103 | Sommers, Arnell | 1, 4, 8, 11, 15 |
2, 3, 5, 6, 9, 10, 12, 13, 16–20 | 103 | Sommers, Arnell, Villasenor | 2, 3, 5, 6, 9, 10, 12, 13, 16–20 |
7, 14 | 103 | Sommers, Arnell, Antonakakis | 7, 14 |
Overall Outcome | | | 1–20 |

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED