Ex Parte Ammon et alDownload PDFBoard of Patent Appeals and InterferencesAug 18, 200910147308 (B.P.A.I. Aug. 18, 2009) Copy Citation UNITED STATES PATENT AND TRADEMARK OFFICE _____________ BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES _____________ Ex parte KEN AMMON, CHRIS O’FERRELL, WAYNE MITZEN, DAN FRASNELLI, LAWRENCE WIMBLE, YIN YANG, TOM MCHALE, and RICK DOTEN _____________ Appeal 2009-0031781 Application 10/147,308 Technology Center 2600 ______________ Decided: August 20, 2009 _______________ Before JOHN C. MARTIN, JOSEPH F. RUGGIERO, and MAHSHID D. SAADAT, Administrative Patent Judges. MARTIN, Administrative Patent Judge. DECISION ON APPEAL 1 The real party in interest is Network Security Technologies, Inc., a wholly owned subsidiary of Verizon Communications Inc. Br. 1. Appeal 2009-003178 Application 10/147,308 2 STATEMENT OF THE CASE This is an appeal under 35 U.S.C. § 134(a) from the Examiner’s rejection of claims 1-42, which are all of the pending claims. We have jurisdiction under 35 U.S.C. § 6(b). We affirm in part. A. Appellants’ invention Appellants’ invention relates to wireless intrusion detection in data networks employing wireless local area network (WLAN) technology. Specification at ¶ 1001.2 Appellants’ wireless intrusion detection system (WIDS) and method performs monitoring of wireless networks (including at least one wireless network being protected, known as the wireless network of interest), stores the results of that monitoring, processes the results to determine whether any unauthorized access of the wireless network of interest has occurred, and notifies users of the results and the processing. Id. at ¶ 1010. The WID system includes one or more WIDS nodes (including at least one primary WIDS node) for monitoring a particular geographic area, and a WIDS collector for collecting from the primary WIDS node the information monitored by all of the nodes. Id. The WID system utilizes a beaconing method for controlling the communications between the collector and the nodes. Id. Specifically, upon power up, all WIDS nodes enter a beacon 2 References to the Specification are to the application as filed rather than the corresponding Patent Application Publication (2003/0217289). Appeal 2009-003178 Application 10/147,308 3 receive mode 404 or 428, wherein they wait to receive beacon packets from the WIDS collector. Id. at ¶ 1068. Figure 5 is reproduced below. Figure 5 is a flow chart of the operations of primary and secondary WIDS nodes after initialization. Id. at ¶ 1077-78. In step 512, each secondary WIDS node begins a monitoring cycle, receiving 802.11 packets that have been broadcast over one or more 802.11 networks. Id. at ¶ 1079. Appeal 2009-003178 Application 10/147,308 4 In step 516, each secondary WIDS node completes its monitoring cycle and, in step 518, stores the results of the monitoring in memory 570 within the secondary WIDS node. Id. After waiting for a clear to send indication in step 520, the secondary WIDS nodes retrieve from memory 570 the stored data from the completed monitoring cycle, hash the data, and encrypt the data and hash in a step 524 using a session key. Id. Once encrypted, the encrypted data and hash are sent to the primary WIDS node in step 528. In step 504, the primary WIDS node begins a monitoring cycle, which involves receiving 802.11 packets that have been broadcast over one or more 802.11 networks. Id. at ¶ 1078. In step 508, the primary WIDS node completes its monitoring cycle and, in step 510, stores the results of the monitoring in memory 550 within the primary WIDS node. Id. As shown in steps 532, 536, and 540, the encrypted data and hash are sent to the collector when a clear to send indication is received. Figure 8, not reproduced below, is a flow chart of intrusion detection processing in a WID system. Id. at ¶ 1088. This processing occurs in the WIDS collector, after the data is collected from the secondary WIDS nodes by a primary WIDS node and passed to the WIDS collector. Id. In step 802, all unprocessed events from an IDS events table will be read into the working memory of the WIDS collector. Id. The IDS events table contains information on all anomalous events that have been detected by each WIDS node, each such event being considered an IDS event. Id. Any detected events that occur at any of the WIDS nodes that are indicative of either an Appeal 2009-003178 Application 10/147,308 5 unauthorized access point or an unauthorized client of the wireless network will appear as an IDS event in the IDS events table. Id. If the event type flag indicates an unauthorized access point, a further check is made in step 814 of whether the detected unauthorized access point has already been detected during a previous monitoring cycle. Id. at ¶ 1090. B. The claims The independent claims before us are claims 1, 23, 28-30, 32, 35, and 38-42, of which claim 32 reads as follows: 32. A method comprising: receiving, from one or more nodes, results of a monitoring cycle of a plurality of signals from one or more wireless networks; processing the results of the monitoring cycle at a location remote from the location of the one or more nodes to generate at least one indicator indicative of unauthorized access to the wireless network of interest; and communicating the at least one indicator to an operator that monitors the status of the wireless network of interest. Claims App., Br. 79-80. C. The references and rejections The Examiner’s rejections are based on the following references: Amin et al. (Amin) US 5,953,652 Sep. 14, 1999 Schoen et al. (Schoen) US 6,285,318 B1 Sep. 4, 2001 Rockwell US 6,947,726 B2 Sep. 20, 2005 Appeal 2009-003178 Application 10/147,308 6 Claims 32-38 stand rejected under 35 U.S.C. § 102(b) as anticipated by Amin. Answer 3. Claims 1-29, 39, and 40 stand rejected under 35 U.S.C. § 103(a) for obviousness over Rockwell in view of Amin. Id. at 5. Claims 30, 31, 41, and 42 stand rejected under § 103(a) for obviousness over Schoen in view of Amin. Id. at 11. THE ISSUES Appellants have the burden on appeal to show reversible error by the Examiner in maintaining the rejection. See In re Kahn, 441 F.3d 977, 985- 86 (Fed. Cir. 2006) (“On appeal to the Board, an applicant can overcome a rejection by showing insufficient evidence of prima facie obviousness or by rebutting the prima facie case with evidence of secondary indicia of nonobviousness.” (citation omitted)). The principal issue in this appeal is whether Amin’s monitoring system 201 provides “results of a monitoring cycle of a plurality of signals from one or more wireless networks,” as recited in independent claim 32. Similar language appears in the other independent claims. THE § 102(b) REJECTION (BASED ON AMIN) A. Claims 32-34 Amin discloses a system and method for detecting unauthorized use of a mobile station in a wireless telecommunications system (Amin, col. 1, ll. 7-10), such as cloning fraud. Id. at col. 1, l. 39. Appeal 2009-003178 Application 10/147,308 7 The rejection is specifically based on Figures 2 and 3 of Amin, which are reproduced below. Appeal 2009-003178 Application 10/147,308 8 Figures 2 and 3 illustrate the preferred architecture of Amin’s fraud detection system 200. Id. at col. 5, ll. 14-16. A comparison of these figures reveals that the unnumbered block labeled “Analysis, Fraud Recognition, Logging, Action, Reporting,” which is inside the dashed-line box 200 (i.e., fraud detection system) in Figure 2 corresponds to blocks 205-10 in Figure 3. As illustrated in Figure 2, MSC (mobile switching center3) 20 is communicatively connected to HLR (home location register) 21 via a 3 Amin, col. 3, ll. 33-34. Appeal 2009-003178 Application 10/147,308 9 signaling data network typically comprising data links or channels and data switching elements 202, 203, e.g., signaling transfer points (STP). Id. at col. 5, ll. 25-29. These links carry messages between the MSC 20 and HLR 21, using, for example, the SS7 signaling system. Id. at col. 5, ll. 29- 35. Fraud detection system 200 preferably includes a monitoring system 201 (having a tap 204) for passively collecting SS7 messages going to and from HLR 21 (id. at col. 5, ll. 36-40) and also for time stamping each message. Id. at col. 5, ll. 47-48. The messages forwarded by the monitoring system 201 preferably include a header block and binary data, of which the header block contains at least a time stamp, the data link number being monitored, the direction the message is going, and the length of the binary data, which is the SS7 message. Id. at col. 5, ll. 60-64. The messages are forwarded from monitoring system 201 to a message signaling unit (MSU) Standard Interface 205 (part of the unnumbered “Analysis, Fraud Recognition, . . .” block in Fig. 2) via an Ethernet connection. Id. at col. 6, ll. 15-16. Amin explains that [t]he fraud detection system 200 will place messages in standard format. This format will pair SS7 transactions, which, according to IS41 protocol, are typically, but are not limited to, a series of independent transactions. Each transaction comprises an INVOKE message signaling unit (MSU) between two network elements (such as the MSC and HLR), and a RETURN RESULT between the same two network elements. The fraud detection system 200 looks for these INVOKE and RETURN RESULTS Appeal 2009-003178 Application 10/147,308 10 MSUs to create a single data element of a transaction. The message will then be placed into the fraud detection system’s defined format. Id. at col. 6, ll. 4-14. The foregoing functions are performed by MSU Standard Interface 205, which preferably includes the following capabilities: (a) transaction pairing to provide both the INVOKE and RETURN RESULT as a transaction pair; (b) translation of proprietary mobility management MSUs to IS41 equivalents; (c) filters unnecessary message types and forwards transactions to pattern recognizers; and (d) forwards all messages to a logging function. Id. at col. 6, ll. 19-28. The aforementioned logging function is performed by a transaction log or database 206 that is connected to the MSU Standard Interface 205 and stores all SS7 messages coming into the fraud detection system 200 as log files. Id. at col. 6, ll. 29-31. All MSUs are captured into log files in a manner that data can be retrieved by an authorized fraud analyst at user interface 220 using keyed fields, such as MIN, date, time, and message type. Id. at col. 6, ll. 31-35. In addition, the log file display is configured to select messages in the following manner: date range, start time, stop time, MIN range, ESN, or message type. Id. at col. 6, ll. 35-37. MSU Standard Interface 205 also forwards messages to pattern recognizers 208, which contain user-defined pattern recognition algorithms indicative of fraud and process the filtered SS7 messages as they arrive to identify potentially fraudulent activity. Id. at col. 6, ll. 45-49. Messages not required by the pattern recognizers 208 are filtered out by data filter 207, thereby reducing the tile record processing load on each pattern recognizer Appeal 2009-003178 Application 10/147,308 11 208. Id. at col. 6, ll. 38-42. The pattern recognizers 208 run concurrently on each MSU pair of SS7 messages as they arrive at the pattern recognizers. Id. at col. 6, ll. 49-51. When one of the pattern recognizers 208 identifies a possible fraud condition, that condition is reported as a possible or probable fraudulent event to the fraud event manager 209, which logs each such fraudulent event with at least the following information: date, time, event type, MIN, MSCID, priority, and level of confidence of fraud. Id. at col. 6, ll. 52-58. A reporting system 210 thereafter marks for reporting each fraud event communicated by the fraud event manager 209. Id. at col. 7, ll. 6-8. Amin’s monitoring system 201 can be used to monitor, for example, Registration Notification (IS41) messages (RegNot), which are generated every time a mobile station sends a registration message to the cell site, or when the mobile station attempts to initiate a call and there is no current VLR. Id. at col. 7, ll. 26-31. The pattern of RegNot messages can be analyzed at the HLR and potentially counterfeit or fraudulent mobile stations can be identified by searching for unrealistic movements between MSCs (e.g., from New York to Los Angeles in a period of 10 minutes). Id. at col. 7, ll. 50-54. The Examiner reads the recited “one or more nodes” of the first step of claim 32 (“receiving, from one or more nodes, results of a monitoring cycle of a plurality of signals from one or more wireless networks”) on HLR 21 and reads the recited “results of a monitoring cycle of a plurality of signals from one or more wireless networks” on the messages that are Appeal 2009-003178 Application 10/147,308 12 collected by monitoring system 201 and forwarded to the “Analysis, Fraud Recognition, . . .” block (Fig. 2) in fraud system 200. Specifically, the Examiner found that “the results are received by the ‘analysis, fraud recognition, . . .’ block of 200 in fig. 2 from node (HLR 21 in fig. 2) by way of monitoring system 210 [sic, 201] (fig. 2).” Answer 3.4 The Examiner then found that the recited “processing step” reads on components of the “Analysis, Fraud Recognition, . . .” block. See Final Action 2 (“the processing takes place in fig. 3 numerals 205-209, which are remote from node 21 (fig. 3) and monitoring system 201 (fig. 3).”). In reading claim 32 on Amin in the above manner, the Examiner concluded that “[t]he claims do not state that the node itself does the monitoring.” Final Action 12. Appellants make several arguments against the Examiner’s position. Before addressing Appellants’ specific arguments, we note that Appellants repeatedly assert (e.g., Br. 9, 10) that Amin fails to disclose or suggest “receiving, from one or more nodes, results of a monitoring cycle of a plurality of signals from one or more wireless networks” (i.e., the first step of claim 32). This type of assertion is unpersuasive because it lacks 4 The Examiner refers to the “Analysis, Fraud Recognition, . . .” block of Figure 2 as the “fraud recognition device” at page 2 of the Advisory Action mailed August 8, 2007: “[A]ny group of signals sent from the SS7 monitor 201 to the fraud recognition device (inside 200) can be considered a monitoring cycle.” Appellants are therefore incorrect to “assume that the Examiner intended to reference fraud detection system 200 instead of a fraud detection device.” Br. 13. Appeal 2009-003178 Application 10/147,308 13 sufficient specificity regarding which claim terms are not satisfied and why. One of Appellants’ more specific arguments is that the data stored in Amin’s HLR 21 (on which the Examiner reads the recited “one or more nodes”) does not represent results of a “monitoring cycle of a plurality of signals from one or more wireless networks”: AMIN et al. specifically discloses that HLR 21 is a database that contains permanent subscriber data and temporary data, such as the addresses of Service Centers that have stored short messages for a mobile station 30. Contrary to the Examiner’s allegation, AMIN et al. in no way discloses or suggests receiving, from one or more HLRs 21, results of a monitoring cycle of a plurality of signals from one or more wireless networks, as would be required by claim 32 based on the Examiner’s interpretation of AMIN et al. Br. 11. This argument is unpersuasive because it overlooks the fact that monitoring system 201 monitors messages to and from HLR 21 rather than monitoring the data stored therein, as acknowledged at page 10 of the Brief (“monitoring system 201 . . . passively collects SS7 messages going to and from the home location register (HLR) 21” (emphasis added)). Appellants also argue that the messages collected by monitoring system 201 are not “results” and are not obtained during a monitoring “cycle.” These terms must be interpreted as broadly as is reasonable and consistent with Appellants’ Specification, In re Thrift, 298 F.3d 1357, 1364 (Fed. Cir. 2002), while “taking into account whatever enlightenment by way of definitions or otherwise that may be afforded by the written description contained in the applicant’s specification,” In re Morris, 127 F.3d 1048, Appeal 2009-003178 Application 10/147,308 14 1054 (Fed. Cir. 1997), and without reading limitations from examples given in the specification into the claims, In re Zletz, 893 F.2d 319, 321-22 (Fed. Cir. 1989). Neither term is expressly defined in Appellants’ Specification. Although Appellants argue that reading the recited “results” on the SS7 messages collected by monitoring system 201 “is inconsistent with Appellants’ use and the dictionary definition of the term” (Br. 11) and that “results” and “monitoring cycle” should be “given their customary meaning” (id. at 12), no dictionary definition of either term has been provided by Appellants or the Examiner. Nor have Appellants explained how those terms should be defined. In the absence of such an explanation, Appellants’ arguments are effectively an invitation for the Board to consult Appellants’ Specification and the prior art in order to arrive at some unspecified interpretation that is narrower than the Examiner’s interpretation (addressed infra). This approach to arguing patentability fails to recognize that the burden of defining the invention rests on Appellants, rather than on the Examiner or the Board. Morris, 127 F.3d at 1056. Appellants have not explained why the claim term “results,” when given its broadest reasonable interpretation, cannot be read on the messages that are collected by monitoring system 201. Before addressing Appellants’ arguments regarding the claimed “monitoring cycle,” we note that the Examiner has given three different reasons why the term should be read on Amin. The first reason is that “the claims do not state any sort of length of a monitoring cycle. Therefore, the examiner can assume that the cycle is of infinite length.” Final Action 11. Appeal 2009-003178 Application 10/147,308 15 The second reason is that “[t]here is no indication as to when the cycle starts or stops. Therefore, any group of signals sent from the SS7 monitor 201 to the fraud recognition device (inside 200) can be considered a monitoring cycle.” Advisory Action 2. Appellants have not shown error in these reasons. Because the term “monitoring cycle” is undefined, it is broad enough to read, for example, on the entire time period that monitoring system 201 is being used to collect messages. The Examiner’s third reason for reading the term “monitoring cycle” on Amin’s collected data is that col. 6, lines 7-14 of the Amin reference . . . show[s] that a “transaction” can equate to a “monitoring cycle”. These transactions all contain a start time and a stop time as shown in col. 6, lines 35-37. This clearly means that these “transactions” contain[] a cycle, simply because by the definition of cycle, the transaction starts and stops at some point. Answer 13. As already noted, lines 35-37 of column 6 explain that “the log file display is configured to select messages in the following manner: date range, start time, stop time, MIN range, ESN or message type.” Although Appellants have correctly pointed out in their Reply Brief (at 5) that Amin’s cited discussion of start times and stop times (col. 6, ll. 35-37) “refers to a log file in which a transaction log or database 206 stores all SS7 message[s] coming into fraud detection system 200,” they fail to explain why those start and stop times cannot reasonably be considered to designate the beginning and end of “a monitoring cycle.” Instead, Appellants argue that AMIN et al. specifically discloses that a monitoring system 201 of fraud detection system 200 passively collects SS7 messages (see, Appeal 2009-003178 Application 10/147,308 16 for example, col. 5, lines 37-39). Passively collecting SS7 messages, as disclosed by AMIN et al., is in no way equivalent to receiving, from one or more nodes, results of a monitoring cycle of a plurality of signals from one or more wireless networks, as recited in claim 32. AMIN et al. does not mention a monitoring cycle. Reply Br. 6. Appellants have not explained, and it is not apparent, why the claim language precludes passive collection of the messages. For all of the foregoing reasons, Appellants have failed to persuade us that the Examiner erred in finding that Amin anticipates claim 32. The rejection of claim 32 for anticipation by Amin is therefore affirmed, as is the anticipation rejection of its dependent claims 33 and 34, which are not separately argued. B. Claims 35-37 Claim 35 is more specific than claim 32 in that it recites, as the last step, “refining responses to the results of the monitoring cycle based on recognized patterns”: 35. A method comprising: receiving, from a node, results of a monitoring cycle of a plurality of signals from one or more wireless access devices in a wireless network of interest; processing the results of the monitoring cycle to generate at least one indicator indicative of unauthorized access to the wireless network of interest; recognizing patterns in the results of the monitoring cycle; and Appeal 2009-003178 Application 10/147,308 17 refining responses to the results of the monitoring cycle based on recognized patterns. In addition to repeating the above-discussed arguments made with respect to claim 32, Appellants argue that Amin fails to disclose or suggest the last step of the claim. Br. 16. The Examiner (Answer 4) reads the third step of “recognizing patterns in the results of the monitoring cycle” on pattern recognizer 208 and reads the last step of “refining responses to the results of the monitoring cycle based on recognized patterns” on the following paragraphs: When one of the pattern recognizers 208 identifies a possible fraud condition, that condition is reported by the pattern recognizer 208 to the fraud event manager 209 as a possible or probable fraudulent event. The fraud event manager 209 logs each such fraudulent event with at least the following information: date, time, event type, MIN, MSCID, priority and level of confidence of fraud. Priority and level of confidence of fraud are defined based on the event type. Market specific, service provider defined actions based upon the priority and level of confidence of the identified fraudulent event may then be automatically performed by the fraud event manager 209, which action may be tailored to the market environment, the probability of fraud and current subscriber status. Such actions may range from reporting the fraudulent event to requiring a user of a suspect mobile station to communicate with a fraud analyst of the service provider before initiating a call. The fraud event manager 209 is preferably capable of generating standard event messages through CCITT X.25 protocol, ethernet, and async ports to drive the network elements it will interface with. A reporting system 210 thereafter marks for reporting each fraud event communicated by the fraud event manager 209. Appeal 2009-003178 Application 10/147,308 18 Amin, col. 6, l. 52 to col. 7, l. 8 (emphasis added). Appellants have not explained why it is unreasonable to read the claimed “refining responses” on Amin’s disclosure that the “action may be tailored to the market environment, the probability of fraud and current subscriber status.” Id. at col. 6, ll. 64-66 (emphasis added). The rejection of claim 35 is therefore affirmed. Claim 36 depends on claim 35 and further recites “applying adaptive learning techniques to evolve recognition of unauthorized access to the wireless network of interest.” The Examiner (Answer 15) reads this limitation on Amin’s disclosure of “user-defined pattern recognition algorithms indicative of fraud.” Amin, col. 6, ll. 47-48. We agree with Appellants (Br. 18) that this language does not describe an adaptive learning technique and therefore are reversing the rejection of claim 36 and its dependent claim 37. C. Claim 38 Claim 38 reads: 38. A method comprising: receiving results from a node of a monitoring cycle of a plurality of signals from one or more wireless networks; processing the results of the monitoring cycle to generate at least one indicator indicative of unauthorized access to the wireless network of interest; and determining, based on the processing of the results of the monitoring cycle, a location of any unauthorized access to the wireless network of interest. Appeal 2009-003178 Application 10/147,308 19 The Examiner (Answer 5) reads the first two steps on Amin in the same manner as the first two steps of claim 32 and reads the third step on Amin’s description of analyzing the messages received by the particular pattern recognizer 208 to identify unrealistic geographic movement between VLRs and authentication messages. Amin, col. 7, ll. 17-26. Appellants argue that the cited section of Amin “does not disclose or suggest determining, based on the processing of the results of the monitoring cycle, a location of any unauthorized access to the wireless network of interest” (Br. 24-25) and that Amin “does not even relate to determining a location of anything based on processing of results of a monitoring cycle” (id. at 25). Because Appellants have not separately argued the “determining . . . a location” language, we understand Appellants to be merely repeating their above-discussed, unpersuasive arguments regarding the terms “results” and “monitoring cycle.” The rejection of claim 38 is therefore affirmed. THE § 103(a) REJECTION BASED ON ROCKWELL IN VIEW OF AMIN Although independent claims 1, 23, 28, 29, 39, and 40 stand rejected for obviousness over Rockwell in view of Amin, the Examiner has also found that those claims are anticipated by Amin. Specifically, after concluding that terms “results” and “monitoring cycle” as used in claims 32 and 35 must be broadly construed because they are not “elaborated on” or Appeal 2009-003178 Application 10/147,308 20 “specifically defined” in the claims (Advisory Action 2), the Examiner stated that [t]he [Examiner’s] above statements regarding the lack of elaboration of “results” of a “monitoring cycle” also apply to independent claims 1, 23, 28, 29, 39, and 40. If [sic] fact, the examiner believes that the Amin reference alone could also be used to teach “monitoring, for at least one monitoring cycle, a wireless network of interest for a plurality of signals from one or more wireless access devices” for the same reasons as stated above, thus making the rejection a 102. Id. at 3, quoted in Br. 27. Although the above-quoted language appears in only claims 1, 39, and 40, similar language appears in claims 23, 28, and 29. As a result, we understand the Examiner’s position to be that each of independent claims 1, 23, 28, 29, 39, and 40 is anticipated by Amin. In the following discussion of the individual claims, we will address this position of the Examiner after addressing the question of obviousness. “[T]he examiner bears the initial burden, on review of the prior art or on any other ground, of presenting a prima facie case of unpatentability.” In re Oetiker, 977 F.2d 1443, 1445 (Fed. Cir. 1992). A rejection under 35 U.S.C. § 103(a) must be based on the following factual determinations: (1) the scope and content of the prior art; (2) the level of ordinary skill in the art; (3) the differences between the claimed invention and the prior art; and (4) any objective indicia of non-obviousness. DyStar Textilfarben GmbH & Co. Deutschland KG v. C.H. Patrick Co., 464 F.3d 1356, 1360 (Fed. Cir. 2006) (citing Graham v. John Deere Co., 383 U.S. 1, 17 (1966)). Appeal 2009-003178 Application 10/147,308 21 “The combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results.” Leapfrog Enters., Inc. v. Fisher-Price, Inc., 485 F.3d 1157, 1161 (Fed. Cir. 2007) (quoting KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 416 (2007)). “[W]hen a patent claims a structure already known in the prior art that is altered by the mere substitution of one element for another known in the field, the combination must do more than yield a predictable result.” KSR, 550 U.S. at 416 (citation omitted). Although it is necessary to show “some articulated reasoning with some rational underpinning to support the legal conclusion of obviousness,” such reasoning “need not seek out precise teachings directed to the specific subject matter of the challenged claim.” KSR, 550 U.S. at 418 (quoting Kahn, 441 F.3d at 988). In fact, [o]ften, it will be necessary . . . to look to interrelated teachings of multiple patents; the effects of demands known to the design community or present in the marketplace; and the background knowledge possessed by a person having ordinary skill in the art, all in order to determine whether there was an apparent reason to combine the known elements in the fashion claimed by the patent at issue. Id. A. Claims 1-22 Claim 1 reads as follows: Appeal 2009-003178 Application 10/147,308 22 1. A method comprising: monitoring, for at least one monitoring cycle, a wireless network of interest for a plurality of signals from one or more wireless access devices; storing results from the monitoring cycle; transmitting the results of the monitoring cycle to a data collector; processing the results of the monitoring cycle to determine whether any access of the wireless network of interest has occurred; and notifying a user of the results of the processing of the monitoring cycle. Rockwell discloses a network security architecture for monitoring security activities in a mobile network platform, such as an aircraft. Rockwell, col. 1, ll. 12-14, 60-63. Rockwell employs state machines to represent the security policies of the security architecture. Id. at col. 4, ll. 23-27. Figures 2A and 2B illustrate basic state machines, which model the security policy associated with a user access point in the mobile network platform. Id. at col. 4, ll. 27-30. In Figure 2A, each user access point can be in one of three defined states. Id. at col. 4, ll. 31-32. In the Final Action, the Examiner read the first step of claim 1 (“monitoring, for at least one monitoring cycle, a wireless network of interest for a plurality of signals from one or more wireless access devices”) on column 5, lines 34-46 of Rockwell and relies on Amin for the remaining steps, including reading the recited transmitting of results to a data collector on the transmission of messages from monitoring system 201 to elements Appeal 2009-003178 Application 10/147,308 23 205-09. Final Action 4-5. The above-cited lines of Rockwell read as follows: The airborne policy enforcement component 62 is provided by the airborne security manager 34. The primary responsibilities of the airborne security manager include (but are not limited to) managing and monitoring intrusion detection sensors, monitoring other airborne event sources, responding to security events in accordance with the applicable security policy, monitoring the airborne intrusion detection sensors, configuring static network traffic filters at user access points, executing any manual overrides commands from the terrestrial-based network security management system, installing new security policies received from the terrestrial-based network security management system, and reporting events and status of interest to the terrestrial-based network security management system. Rockwell, col. 5, ll. 33-46. In the Answer (at 14), the Examiner additionally relies on column 5, lines 10-15 of Rockwell, of which lines 4-16 of column 5 read as follows: Each state machine can be represented by a data structure 51 as depicted in FIG. 3. The data structure includes a current state 52, a possible security event 54, a resulting state 56 and a possible response 58. In this way, each state can be cross- referenced against possible events to produce a resulting state and a list of possible actions. Possible events may include (but are not limited to) a security intrusion event having high priority, a security intrusion event having medium priority, a security intrusion event having a low priority, a reset event, a timer expiration event, a communication link up event, a communication link down event and one or more custom events for supporting manual control commands from the security administrator. Appeal 2009-003178 Application 10/147,308 24 The Examiner’s stated motivation for combining the above teachings of Rockwell with those of Amin is that “it would have been obvious to one of ordinary skill in the art the time the invention was made to provide the teachings of Amin to said method of Rockwell in order to provide a quicker and more reliable response to intrusion detection.” Final Action 5. The Examiner also states in the Answer that “both references teach monitoring against unwanted access to wireless networks and the combination would benefit because it would allow for the better and more efficient monitoring against unwanted access in a larger variety of wireless networks, including networks on an airplane or any vehicle.” Answer 16, ¶ E. We agree with Appellants that “the Examiner’s purported motivation to combine the cited references is merely conclusory and based on impermissible hindsight” and thus falls short of the “articulated reasoning with some rational underpinning” required to support a conclusion of obviousness. KSR, 550 U.S. at 418 (quoting Kahn, 441 F.3d at 988); Br. 28. The Examiner has not adequately identified the factual basis for the conclusion that a person having ordinary skill in the art would reasonably have expected that applying Amin’s teachings to Rockwell would (a) provide a quicker and more reliable response to intrusion detection or (b) allow for better and more efficient monitoring against unwanted access in a larger variety of wireless networks, including networks on an airplane or any vehicle. Nor has the Examiner adequately explained how the reference teachings are to be combined to achieve these alleged improvements. Appeal 2009-003178 Application 10/147,308 25 Turning now to the Examiner’s alternative position that Amin anticipates claim 1, Appellants argue that AMIN et al. does not disclose or suggest monitoring, for at least one monitoring cycle, a wireless network of interest for a plurality of signals from one or more wireless access devices, as recited in claim 1, for at least reasons similar to reasons given above with respect to claims 32 and 35. Br. 27. This argument is unpersuasive because, for the reasons given above in the discussion of claim 32, Appellants have not shown error in the Examiner’s finding that Amin’s monitoring system 201 monitors, for at least one monitoring cycle, a wireless network of interest for a plurality of signals from one or more wireless access devices. Appellants also argue (Br. 27) that the Examiner erred in finding that Amin discloses or suggests “transmitting the results of the monitoring cycle to a data collector, as also recited in claim 1.” Because Appellants have not separately argued the “transmitting the results . . . to a data collector,” we assume Appellants are relying on their above-discussed, unpersuasive argument that Amin’s monitoring system 201 does not collect “results” obtained during a monitoring “cycle.” For this reason, we are affirming the rejection of claim 1 and its dependent claims 5, 6, 8, 13, 16, 17, and 20-22, which are not separately argued. Of the argued claims that depend on claim 1, the Examiner reads the limitations of claims 2, 18, and 19 only on Rockwell and reads the Appeal 2009-003178 Application 10/147,308 26 limitations recited in the remaining dependent claims (viz., claims 3, 4, 7, 9- 12, 14, and 15) only on Amin. We begin our analysis with claims 2, 18, and 19, regarding which the Examiner relies on Rockwell in combination with Amin. Claim 2 reads as follows: 2. The method of claim 1, further comprising: detecting access points in the wireless network; and detecting clients in the wireless network. Appellants argue that “ROCKWELL and AMIN et al. do not disclose or suggest detecting access points in the wireless network.” Br. 29. The rejection of this claim is based on the above-quoted passage from column 5, lines 33-46 of Rockwell, which was relied on in the rejection of claim 1. Final Action 6. The rejection of claim 2 is unpersuasive to the extent based on Rockwell because, as explained above in the discussion of claim 1, the Examiner has not provided “articulated reasoning with some rational underpinning” for combining the cited teachings of Rockwell and Amin. However, although Appellants also deny that Amin discloses “detecting access points in the wireless network” (Br. 29), they have not explained why that claim language fails to read on Amin, e.g., on Amin’s detection of the geographic location (i.e., state) that includes the access point being used by a mobile station to access the network. Amin, col. 7, ll. 50- 54. We are therefore affirming the rejection of claim 2. Claims 18 and 19 read as follows: Appeal 2009-003178 Application 10/147,308 27 18. The method of claim 1, wherein the transmitting of results [of the monitoring cycle to a data collector] further comprises transmitting over a wireless communications medium. 19. The method of claim 18, wherein the transmitting of results over a wireless communications medium further comprises transmitting a 900 MHz radio transmission. In Amin, the results are preferably communicated from monitoring system 201 to MSU Standard Interface 205 via “an ethernet link using TCP/IP protocol.” Amin, col. 5, ll. 50-52. In rejecting these claims, the Examiner (Final Action 7) reads the claim 18 limitation on column 5, lines 45-46 of Rockwell (calling for “reporting events and status of interest to the terrestrial-based network security management system”) and reads the more specific claim 19 limitation on column 3, lines 38-50 of Rockwell (explaining, inter alia, that “the cabin distribution system may be composed of . . . 802.11X wireless access points”). Id. Appellants argue that in view of the Examiner’ reliance on Amin rather than Rockwell for claim 1’s recitation of “transmitting the results of the monitoring cycle to a data collector,” it is not understood how the Examiner can rely on Rockwell for claim 18’s more specific limitation of transmitting those results to the data collector over a wireless communications medium. Br. 40. We agree. However, Appellants have not asserted that, let alone explained why, it would have been unobvious with or without the cited teachings in Rockwell to implement the connection between Amin’s monitoring system 201 and MSU Standard Interface 205 as a wireless communications connection (claim 18), such as a 900 MHz radio Appeal 2009-003178 Application 10/147,308 28 transmission link (claim 19). The rejection of claims 18 and 19 is therefore affirmed. Turning now to the remaining claims that depend on claim 1, claim 3 reads: 3. The method of claim 1, further comprising: using a separate communications channel for the transmission of the results of the monitoring cycle to the data collector. For the reason given above in the discussion of claim 1, Appellants have not shown that the Examiner erred in reading the recited transmitting of results to a data collector on Amin’s transmission of messages from monitoring system 201 to elements 205-09 (including log 206). Final Action 5. The “separate communications channel” recited in claim 3 reads on the “ethernet link using TCP/IP protocol” that connects monitoring system 201 to MSU Standard Interface 205. Amin, col. 5, ll. 50-52. Furthermore, Amin explains that [w]ireless telecommunications networks such as that illustrated in FIG. 1 typically comprise many units that need to communicate signaling information for controlling establishment of connections. Such signalling [sic] information is typically communicated over links or channels separate from the channels carrying actual voice or data communications between the customers being connected. Amin, col. 3, ll. 48-54.5 The rejection of claim 3 is therefore affirmed. 5 Cited by the Examiner in addressing a similar limitation in claim 26. Final Action 9. Appeal 2009-003178 Application 10/147,308 29 Claim 4 reads: 4. The method of claim 1, further comprising: encrypting the results from the monitoring cycle prior to transmitting to the collector. The Examiner (Final Action 6) reads this language on the following passage in Amin: The filtered messages are then forwarded within the fraud detection system 200 to pattern recognizers 208, which contain user-defined pattern recognition algorithms indicative of fraud and process the filtered SS7 messages as they arrive to identify potentially fraudulent activity. The pattern recognizers 208 run concurrently on each MSU pair of SS7 messages as they arrive at the pattern recognizers. Amin, col. 6, ll. 45-51. We agree with Appellants’ argument that this passage fails to disclose or suggest encryption and are accordingly reversing the rejection of this claim. Br. 31. Claims 7, 9-11, 14, and 15 read as follows: 7. The method of claim 1, further comprising: tracking of authorized and unauthorized access points and clients. 9. The method of claim 1, further comprising: determining the status of any authorized access points. 10. The method of claim 9, further comprising: determining whether any authorized access points have changed. 11. The method of claim 9, further comprising: determining whether any authorized access points are not operating. Appeal 2009-003178 Application 10/147,308 30 14. The method of claim 1, further comprising: tracking how long any unauthorized device has attempted to access the wireless network. 15. The method of claim 1, further comprising: identifying attempts to spoof an authorized access point. The Examiner (Final Action 7) reads all of these claim limitations on the following passage in Amin: When one of the pattern recognizers 208 identifies a possible fraud condition, that condition is reported by the pattern recognizer 208 to the fraud event manager 209 as a possible or probable fraudulent event. The fraud event manager 209 logs each such fraudulent event with at least the following information: date, time, event type, MIN, MSCID, priority and level of confidence of fraud. Priority and level of confidence of fraud are defined based on the event type. Amin, col. 6, ll. 52-60. We agree with Appellants’ arguments (Br. 33-39) that Amin does not disclose or suggest (a) performing any of the claimed functions recited in claims 7 and 9-11 with respect to access points or (b) tracking how long any unauthorized device has attempted to access the wireless network (claim 14) and are therefore reversing the rejection of those claims. However, Appellants have not explained why claim 15 (“identifying attempts to spoof an authorized access point”) does not read on using Amin’s system to identify a cloned mobile device. Presumably, the cloned mobile device is connected to the network through an authorized access point. The rejection of claim 15 is therefore affirmed. Claim 12 reads: Appeal 2009-003178 Application 10/147,308 31 12. The method of claim 1, further comprising: identifying any denial of service attempts. The Examiner (Final Action 7) reads this claim limitation on the following passage in Amin: Market specific, service provider defined actions based upon the priority and level of confidence of the identified fraudulent event may then be automatically performed by the fraud event manager 209, which action may be tailored to the market environment, the probability of fraud and current subscriber status. Amin, col. 6, ll. 61-66. We agree with Appellants that “[t]his section of AMIN et al. does not relate to denial of service attacks” and that “[i]n fact, the entire AMIN et al. disclosure does not even mention any type of attack.” Br. 37. The rejection of claim 12 is therefore reversed. B. Claim 23 Claim 23 reads as follows: 23. A wireless intrusion detection system, comprising: one or more nodes, each node configured to monitor, for a monitoring cycle, a wireless network of interest for signals received from at least one wireless access device; and a collector, each of the one or more nodes in communication with the collector; wherein the collector receives results from the monitoring cycle of signals by the one or more nodes and determines whether any unauthorized access of the wireless network of interest has occurred. Appeal 2009-003178 Application 10/147,308 32 The Examiner reads the first paragraph of claim 23 on the same passage in Rockwell on which he reads the first step of claim 1 (i.e., col. 5, ll. 34-46) and reads the remaining limitations on Amin. Final Action 8. For the reasons given above with respect to claim 1, we agree with Appellants (Br. 46-47) that the Examiner has not presented “articulated reasoning with some rational underpinning” for combining the teachings of Rockwell and Amin in the manner proposed by the Examiner. KSR, 550 U.S. at 418 (quoting Kahn, 441 F.3d at 988). We are nevertheless affirming the rejection of claim 23 due to Appellants’ failure to show that the Examiner erred in finding that Amin’s monitoring system 201 collects the results of a monitoring cycle. The rejection of claim 23 and its dependent claims 24, 25, and 27, which are not separately argued, is therefore affirmed. Claim 26, which depends on claim 23, reads as follows: 26. A system as in claim 23, wherein the communications between the collector and the one or more nodes occur over a different communications path than the wireless network of interest. This claim language appears to read on the “ethernet link using a TCP/IP protocol” that connects monitoring system 201 to MSU Standard Interface 205. Amin, col. 5, ll. 50-52. Furthermore, column 3, lines 48-54 of Amin (reproduced above in the discussion of claim 3) explains that “signalling [sic] information is typically communicated over links or channels separate from the channels carrying actual voice or data Appeal 2009-003178 Application 10/147,308 33 communications between the customers being connected.” The rejection of claim 26 is therefore affirmed. C. Claim 28 Claim 28 reads: 28. A wireless intrusion detection node, comprising: means for performing a monitoring cycle of a plurality of signals from one or more wireless networks, including one wireless network of interest; means for storing results from the monitoring cycle; and means for transmitting the results of the monitoring cycle to a data collector. The Examiner reads the first paragraph of this claim on the same passage in Rockwell on which he reads the first step of claim 1 (i.e., col. 5, ll. 34-46) and reads the remaining limitations on Amin. Final Action 9-10. For the reasons given above with respect to claim 1, we agree with Appellants (Br. 46-47) that the Examiner has not presented articulated reasoning with some rational underpinning for combining the teachings of Rockwell and Amin in the manner proposed by the Examiner. However, we are affirming the rejection of claim 28 due to Appellants’ failure to show that the Examiner erred in finding that Amin’s monitoring system 201 collects the results of a monitoring cycle. D. Claims 29, 39, and 40 Claim 29 reads: Appeal 2009-003178 Application 10/147,308 34 29. A wireless intrusion detection collector, comprising: means for receiving from a node results of a monitoring cycle of a plurality of signals from one or more wireless networks, including one wireless network of interest; means for processing the results of the monitoring cycle; and means for notifying a user of the results of the monitoring cycle. The Examiner’s discussion of claim 29 was limited to stating that “[c]laim 29 has similar limitations to claim 1.” Final Action 5. The Examiner has taken the same position with respect to independent claims 39 and 40. Final Action 10. Regarding the rejection of claims 29, 39, and 40, Appellants merely repeat their claim 1 arguments. Br. 51-60. The rejection of claim 29, 39, and 40 is therefore affirmed for the same reason that the rejection of claim 1 is affirmed. THE § 103(a) REJECTION BASED ON SCHOEN IN VIEW OF AMIN Claims 30, 31, 41, and 42, the claims that are rejected for obviousness over Schoen in view of Amin, each recite “beacon packets.” Claim 30 reads: 30. A method for controlling a wireless intrusion detection system comprising: transmitting a plurality of beacon packets from a collector; Appeal 2009-003178 Application 10/147,308 35 receiving one or more of the beacon packets at a node; and establishing a communications link between the collector and the node for detecting unauthorized access of a wireless network of interest; wherein the collector controls a wireless intrusion detection system by a communications link that utilizes a different means of communication than the wireless network. The Examiner reads the first and second steps on Schoen and reads the remaining steps on Amin. Final Action 10. Schoen discloses a “[m]icro-miniature beacon transmit-only geo- location emergency system for personal security.” Schoen, title. The beacon-transmitting device “can be placed in pockets, strapped to legs or wrists, or be Velcro-attached or sewn into clothing” or can be disguised as a watch. Id. at col. 8, ll. 14-16. The CPU 18 causes the device to broadcast an intermittent single-burst coded signal pattern that consists of n repetitions of a signal pattern, such as the pattern shown in Figure 7. Id. at col. 8, ll. 24-43. The pattern of n repetitions can be intermittently broadcast at predetermined intervals, or activated by either the user carrying the beacon or via an activation command transmitted to the beacon (in which case the emit burst can be synchronized with the satellite receive window). Id. at col. 8, ll. 44-48. Figure 1 of Schoen is reproduced below. Appeal 2009-003178 Application 10/147,308 36 Figure 1 is a diagram showing LEO (low earth orbit) communication satellites for receiving beacon signals and higher orbit global positioning satellites (GPS). Id. at col. 5, ll. 56-58. The signal emitted by the emergency beacon 2 is detected by several (>2) satellites 4, and the location of the beacon is determined from the Doppler shifts at the receiving satellites and the satellite positions (which are determined from on-board GPS receivers). Id. at col. 6, ll. 30-36. In high population areas, a third mode of operation is possible, which is depicted in Figure 2 (id. at col. 6, ll. 46-48), reproduced below. Appeal 2009-003178 Application 10/147,308 37 Figure 2 is a diagram showing terrestrial communications networks such as cellular telephone receiver nodes or wireless radio data transmission system antennas. Id. at col. 5, ll. 59-61. The Examiner (Final Action 10) relies on the following passage in Schoen: These nodes can be cellular telephone modes, or can be wireless antennas operating in a slightly different bandwidth. The cellular nodes are typically a few miles apart, whereas the wireless RF/radio links can receive signals up to 30 kilometers from the transmitting unit. Both systems rely on direction finding techniques to determine the location of the emergency beacon signal. Schoen, col. 6, ll. 49-55. Regarding the motivation for combining the teachings of Schoen and Amin, the Examiner stated that Schoen does not teach establishing a communications link between the collector and the node for detecting unauthorized access of a network of interest, wherein the collector controls an intrusion detection system by a communications link that utilizes a different means of communication than the network. Amin Appeal 2009-003178 Application 10/147,308 38 teaches establishing a communications link between the collector and the node for detecting unauthorized access of a network of interest (see the process from node 21 (fig. 3) through the monitoring cycle 201 to the collector 205 where the process of 206-209 in fig. 3 detects unauthorized access of a network of interest), wherein the collector controls an intrusion detection system by a communications link that utilizes a different means of communication than the network (see 200 in fig. 2 where the connection is by TCP/IP). Therefore, it would have been obvious to one of ordinary skill in the art [at] the time the invention was made to provide the teachings of Amin to said method of Schoen in order to increase the accessibility of the device. Final Action 10-11. We agree with Appellants that this explanation of the “motivation to combine the cited references is merely conclusory and based on impermissible hindsight” (Br. 63) and thus does not constitute the “articulated reasoning with some rational underpinning” required to support a conclusion of obviousness. KSR, 550 U.S. at 418 (quoting Kahn, 441 F.3d at 988). The Examiner has not adequately identified the factual basis for the conclusion that a person having ordinary skill in the art would reasonably have expected that applying Amin’s teachings to Schoen would “increase the accessibility of the device” in Schoen (Final Action 11) or explained how the reference teachings can be combined to achieve that goal. We are therefore reversing the rejection of claim 30 and its dependent claim 31. For the same reason, we are reversing the rejection of independent claims 40 and 41. Appeal 2009-003178 Application 10/147,308 39 DECISION The rejection under 35 U.S.C. § 102(b) for anticipation by Amin is affirmed with respect to claims 32-35 and 38 and reversed with respect to claims 36 and 37. The rejection of under 35 U.S.C. § 103(a) for obviousness over Rockwell in view of Amin is affirmed with respect to claims 1-3, 5, 6, 8, 13, 15-29, 39, and 40 and reversed with respect to claims 4, 7, 9-12, and 14. The rejection of claims 30, 31, 41, and 42 under § 103(a) for obviousness over Schoen in view of Amin is reversed. No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1). See 37 C.F.R. § 1.136(a)(1)(iv). AFFIRMED-IN-PART babc VERIZON PATENT MANAGEMENT GROUP 1320 North Court House Road 9th Floor ARLINGTON, VA 22201-2909 Copy with citationCopy as parenthetical citation
