Ex Parte Basak et al
Patent Trial and Appeal Board
Sep 27, 2016
12490773 (P.T.A.B. Sep. 27, 2016)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 12/490,773
FILING DATE: 06/24/2009
FIRST NAMED INVENTOR: Debashis BASAK
ATTORNEY DOCKET NO.: A333
CONFIRMATION NO.: 4144

36378 7590 09/29/2016
VMWARE, INC, DARRYL SMITH
3401 Hillview Ave.
PALO ALTO, CA 94304

EXAMINER: DESROSIERS, EVANS
ART UNIT: 2491
NOTIFICATION DATE: 09/29/2016
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
ipteam@vmware.com
ipadmin@vmware.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte DEBASHIS BASAK, ROHIT TOSHNIWAL, and ALLWYN SEQUEIRA

Appeal 2015-005903
Application 12/490,773
Technology Center 2400

Before ST. JOHN COURTENAY III, JENNIFER L. McKEOWN, and CARL L. SILVERMAN, Administrative Patent Judges.

McKEOWN, Administrative Patent Judge.

DECISION ON APPEAL

Appellants appeal under 35 U.S.C. § 134(a) from the Examiner's decision to reject claims 1-11 and 13-23. Claim 12 is cancelled. We have jurisdiction under 35 U.S.C. § 6(b).

We affirm-in-part.

STATEMENT OF THE CASE

Appellants' invention relates to:

    A method ... to control the flow of packets within a system that includes one or more computer networks comprising: policy rules are provided that set forth attribute dependent conditions for communications among machines on the one or more networks; machine attributes and corresponding machine identifiers are obtained for respective machines on the networks; and policy rules are transformed to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules.

Abstract.

Claim 1 is illustrative of the claimed invention and reads as follows:

    1. A method to control the flow of packets through a firewall that is implemented in a system that includes one or more computer networks comprising:

    storing policy rules in machine readable storage media that set forth attribute dependent conditions for communications among machines on the one or more computer networks;

    obtaining respective machine attributes and corresponding machine identifiers for respective machines on the one or more computer networks;

    transforming the policy rules to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules, wherein transforming the policy rules to firewall rules further includes:

        matching an attribute condition within a policy rule with one or more obtained machine attributes, and

        generating at least one firewall rule for each machine identifier of a machine having all machine attributes required to satisfy the attribute condition within the policy rule;

    storing the firewall rules in machine readable storage media; and

    filtering communications from and to a first machine on the one or more computer networks and communications from and to a second machine on the one or more computer networks at the firewall according to the firewall rules.
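The following Python example is added here for illustration and is not part of the decision, the application, or the cited references. It shows the transformation recited in claim 1, using separate source and destination attribute conditions as in claim 16, and assumes IP addresses as machine identifiers, attribute strings such as `app:web`, a constructed inventory, and a default-deny filter; all names are hypothetical.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class PolicyRule:            # attribute-dependent condition (hypothetical shape)
    src_attrs: frozenset     # attributes the source machine must ALL have
    dst_attrs: frozenset     # attributes the destination machine must ALL have
    port: int
    action: str

@dataclass(frozen=True)
class FirewallRule:          # concrete rule keyed by machine identifiers
    src: str
    dst: str
    port: int
    action: str

# Constructed inventory: machine identifier (assumed: IP address) -> attributes
INVENTORY = {
    "10.0.1.10": {"vlan:10", "app:web", "wired"},
    "10.0.1.11": {"vlan:10", "app:web", "wireless"},
    "10.0.2.20": {"vlan:20", "app:db", "wired"},
}
POLICY = [PolicyRule(frozenset({"app:web", "wired"}), frozenset({"app:db"}), 5432, "allow")]

def matching_ids(condition, inventory):
    """Identifiers of machines holding every attribute in the condition."""
    if not condition:  # an empty condition would match every machine
        raise ValueError("empty attribute condition")
    return sorted(m for m, attrs in inventory.items() if condition <= attrs)

def transform(policy, inventory):
    """Expand each policy rule into one firewall rule per matching (src, dst) pair."""
    rules = []
    for p in policy:
        pairs = product(matching_ids(p.src_attrs, inventory),
                        matching_ids(p.dst_attrs, inventory))
        rules += [FirewallRule(s, d, p.port, p.action) for s, d in pairs if s != d]
    return rules

def filter_packet(rules, src, dst, port):
    """First matching rule decides; anything unmatched is denied (assumed default)."""
    for r in rules:
        if (r.src, r.dst, r.port) == (src, dst, port):
            return r.action
    return "deny"

if __name__ == "__main__":
    for rule in transform(POLICY, INVENTORY):
        print(rule)
```

Because the generated rules embed machine identifiers, they go stale when a machine's attributes change; re-running `transform` against the updated inventory is what keeps the filter aligned with the policy.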
THE REJECTIONS

The Examiner rejected claims 1-4, 6-11, and 13-19 under 35 U.S.C. § 103(a) as unpatentable over Prigent et al. (US 2006/0010491 A1; pub. Jan. 12, 2006) and Aaron (US 2008/0115190 A1; pub. May 15, 2008). Final Act. 3-9.[1]

The Examiner rejected claim 5 under 35 U.S.C. § 103(a) as unpatentable over Prigent, Aaron, and Hutchison (US 2007/0192635 A1; pub. Aug. 16, 2007). Final Act. 9-10.

The Examiner rejected claims 20-23 under 35 U.S.C. § 103(a) as unpatentable over Prigent, Aaron, and Litvin et al. (US 2009/0249470 A1; pub. Oct. 1, 2009). Final Act. 10-11.

[1] Throughout this opinion, we also refer to (1) the Final Action, mailed Dec. 13, 2013 ("Final Act."); (2) the Appeal Brief filed May 13, 2014 ("App. Br."); (3) the Examiner's Answer mailed July 31, 2014 ("Ans."); and (4) the Reply Brief filed Sept. 14, 2014 ("Reply Br.").

THE OBVIOUSNESS BASED ON PRIGENT AND AARON

Claims 1-3, 6-11, and 19

ISSUE

Under § 103, has the Examiner erred by finding that Prigent and Aaron combined teaches or suggests "matching an attribute condition within a policy rule with one or more obtained machine attributes, and generating at least one firewall rule for each machine identifier of a machine having all machine attributes required to satisfy the attribute condition within the policy rule," as recited in claim 1, and the similar matching limitation of claim 19?

ANALYSIS

Based on the record before us, we are not persuaded the Examiner erred in rejecting claims 1-3, 6-11, and 19 as unpatentable over Prigent and Aaron.

Appellants contend the Examiner erred in relying on Aaron as teaching the recited "matching an attribute condition within a policy rule with one or more obtained machine attributes, and generating at least one firewall rule for each machine identifier of a machine having all machine attributes required to satisfy the attribute condition within the policy rule." App. Br. 8-10; see also Reply Br. 2.
Appellants, in particular, argue that Aaron's disclosure of using firewall rules including pattern matching techniques "refer to pattern matching that is applied to packets and communications into and out of a network, rather than 'one or more obtained machine attributes' as recited in the claims." App. Br. 9. Further, Appellants assert that Aaron's system merely assigns and reassigns users to various firewall policy groups and, as such, does not generate at least one firewall rule. App. Br. 9.

We find Appellants' arguments unpersuasive. Aaron describes monitoring user activity and automatically reassigning the user to a different firewall policy group if the user activity indicates that a change in detail level of rules is necessary. Ans. 4-5; see also Aaron Abstract, ¶ 53. More specifically, Aaron's activity analyzer component analyzes the collected user activity information as well as relevant rules and determines what firewall rule level is appropriate for the user activity. See, e.g., Aaron ¶ 42. Given this evidence, we find Aaron at least suggests matching the received user activity, i.e. machine attributes, with the corresponding user activity within a policy rule.

Additionally, Aaron teaches automatically reassigning a user to a different firewall policy group. Ans. 4-5; see also Aaron Abstract, ¶ 53. By reassigning the user, we find Aaron at least suggests generating firewall policy rules to apply to the newly assigned firewall policy group rules to the reassigned user.

Likewise unavailing is Appellants' argument that Aaron fails to teach the generating step or act because Aaron assigns firewall policy groups based on user activity, rather than machine attributes. App. Br. 9. We note that the Specification broadly describes that machine attributes are merely attributes that represent characteristics of machines, including, for example, software that the machine executes and physical location (e.g. VLAN, IP address, wired, wireless). Spec. ¶ 29. Aaron similarly describes monitoring or collecting information, such as source and destination addresses of a communication and software application information. Aaron ¶ 39. Although Aaron generally refers to user activity, we find this activity at least includes machine attributes which are within the scope of representative claim 1. As such, we are not persuaded that Aaron fails to teach or suggest the recited machine attributes.

Accordingly, we sustain the Examiner's rejection of claims 1-3, 6-11, and 19 as unpatentable over the combination of Prigent and Aaron.[2]

[2] Based on Appellants' arguments, we decide the appeal of claims 1-3, 6-11, and 19 on the basis of representative claim 1. See 37 C.F.R. § 41.37(c)(1)(iv).

Claim 4

Claim 4 depends indirectly from claim 1 and recites:

    4. The method of claim 3, wherein the change in an attribute includes a change in an inventory of software running on a machine from the at least one of the networks.

Appellants contend that the Examiner erred in finding that Prigent teaches or suggests this limitation. According to Appellants:

    The cited phrase "update themselves" actually refers to "acquire and keep up to date the associations between the identities of the appliances and their address on the network." See, Prigent, paragraph [0057]. As such, Prigent merely discloses updating associations between appliance identities and their network address, and does not disclose "the change in an attribute includes a change in an inventory of software running on a machine from the at least one of the networks."

App. Br. 10-11.

The argument, however, fails to consider that Prigent more generally teaches a variety of possible changes or updates, including a change of service status on an appliance in the community and adding new appliances. Aaron ¶¶ 55, 56. We find these types of changes at least suggest a change in an inventory of software running on a machine (i.e. appliance) from the at least one of the networks.

Accordingly, we sustain the Examiner's rejection of claim 4 as unpatentable over the combination of Prigent and Aaron.

Claims 13 and 14

Based on the record before us, we find that the Examiner fails to sufficiently support the rejection of claims 13 and 14.

Claim 13 recites:

    13. The method of claim 1, wherein transforming the policy rules to firewall rules further includes:

    resolving at least one set operation within the attribute condition to produce a resolved attribute condition; and

    generating at least one firewall rule for each machine identifier of a machine having all attributes required to satisfy the resolved attribute condition within the policy rule.

In rejecting claim 13, the Examiner relies on paragraphs 46, 47, and 53 of Aaron. Ans. 9-10. As Appellants point out; paragraph 47 describes the conditional limitation, but this limitation applies to whether the user is notified of a firewall policy change. App. Br. 11. Paragraphs 46 and 53 are similarly deficient in disclosing a set operation or resolving a set operation. As such, because it is unclear from the Examiner's rejection what the Examiner relies on in the teachings of Aaron and Prigent as either the set operation or resolving a set operation, we decline to make speculative assumptions regarding the Examiner's intended mapping of these disputed limitations.

Accordingly, we do not sustain the Examiner's rejection of claim 13, as well as claim 14, which depends from claim 13.

Claim 15

With respect to claim 15, Appellants assert that the Examiner fails to "consider all elements or articulate a reasoning to support the legal conclusion of obviousness" for claim 15. App. Br. 13. Appellants, though, merely recite the language of claim 15 without any substantive argument.
As such, we find Appellants' argument unpersuasive. See In re Lovin, 652 F.3d 1349, 1357 (Fed. Cir. 2011) ("[W]e hold that the Board reasonably interpreted Rule 41.37 to require more substantive arguments in an appeal brief than a mere recitation of the claim elements and a naked assertion that the corresponding elements were not found in the prior art.").

Accordingly, we sustain the Examiner's rejection of claim 15 as unpatentable over the combination of Prigent and Aaron.

Claims 16-18

Independent claim 16 recites limitations similar to claim 1, but additionally requires the matching an attribute condition to be matching a source attribute condition and matching a destination attribute condition. The Examiner finds that Aaron teaches or suggests these limitations.

In response to the Examiner's newly added citation to paragraph 39 of Aaron to reject claim 16 (see Ans. 5-6), Appellants contend:

    the Examiner has improperly limited the focus of whether the words "source" and "destination" appeared in any context in Aaron (i.e., "the concept of source and destination"), and failed to consider the invention as a whole. Specifically, the Examiner points to an excerpt that mentions "source and destination addresses" or "source and destination ports," which are distinguishable from "source attribute conditions" and "destination attribute conditions" as claimed. As such, the Examiner has failed to consider whether the combination of references would have been obvious to one skilled in the art at the time the invention.

Reply Br. 3. We disagree.

Aaron describes that the source and destination addresses and source and destination ports are types of user activity (i.e. machine attributes) that is monitored. See Ans. 5-6; Aaron ¶ 39. As discussed above, Aaron analyzes this information in view of the relevant rules to match the user activity with the appropriate firewall policy group. See, e.g., Aaron ¶ 42.
Given this evidence, we are not persuaded that the Examiner erred in finding that the combination of Prigent and Aaron fails to teach the limitations of claim 16.

Accordingly, we sustain the Examiner's rejection of representative claim 16, as well as dependent claims 17-18, as unpatentable over the combination of Prigent and Aaron.[3]

[3] Based on Appellants' arguments, we decide the appeal of claims 16-18 on the basis of representative claim 16. See 37 C.F.R. § 41.37(c)(1)(iv).

THE REMAINING OBVIOUSNESS REJECTIONS

Claims 5 and 20-23

Appellants do not separately argue patentability for dependent claims 5 and 20-23 and, instead, relies on the arguments presented for claims 1, 16, and 19. See Reply Br. 3-4. For the reasons discussed above, we find these arguments unpersuasive. Accordingly, we sustain the Examiner's rejection of claims 5 and 20-23 as unpatentable over the cited combinations of prior art.

DECISION

We affirm the Examiner's decision to reject claims 1-11 and 15-23 and reverse the Examiner's decision to reject claims 13 and 14.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED-IN-PART