Ex Parte Beskrovny et al., Application No. 14/023,559 (P.T.A.B. Feb. 8, 2017)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 14/023,559
FILING DATE: 09/11/2013
FIRST NAMED INVENTOR: Evgeny Beskrovny
ATTORNEY DOCKET NO.: IL920120050US2_8150-0436
CONFIRMATION NO.: 1636
CORRESPONDENCE (73109, 7590, 02/10/2017): Cuenot, Forsythe & Kim, LLC, 20283 State Road 7 Ste. 300, Boca Raton, FL 33498
EXAMINER: ABRISHAMKAR, KAVEH
ART UNIT: 2494
NOTIFICATION DATE: 02/10/2017
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on the above-indicated "Notification Date" to the following e-mail address(es): ibmptomail@iplawpro.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte EVGENY BESKROVNY and OMER TRIPP

Appeal 2016-006159
Application 14/023,559 [1]
Technology Center 2400

Before THU A. DANG, STEPHEN C. SIU, and JOYCE CRAIG, Administrative Patent Judges.

SIU, Administrative Patent Judge

DECISION ON APPEAL

This is a decision on appeal under 35 U.S.C. § 134(a) from the Examiner’s Final Rejection of claims 1-8. We have jurisdiction under 35 U.S.C. § 6(b). This matter is related to Appeal No. 2016-006203, US Serial No. 13/623,067.

We affirm.

[1] According to Appellants, the real party in interest is IBM Corporation (Appeal Brief, filed Nov. 23, 2015 (“App. Br.”) 1).

The disclosed invention relates generally to vulnerability of a Web application. Spec 14. Independent claim 1 reads as follows:

1. A method comprising:
   identifying infrastructure supporting a Web application;
   obtaining vulnerability data for the Web application from an external data source according to the infrastructure;
   deriving a test payload from the vulnerability data using a processor;
   determining a type of vulnerability exploited by the test payload; and
   selecting an existing validation operation of a testing system for validating a response from the Web application to the test payload according to the type of vulnerability.

Appellants appeal the Examiner’s rejection of:
   claims 1 and 4 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti (U.S. 7,894,501 B2, issued July 19, 2011) and Xiong et al., “A Model-Driven Penetration Test Framework for Web Applications,” 2010 (“Xiong”);
   claim 2 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Yunus et al. (US 2006/0277606 A1, published Dec. 7, 2006);
   claims 3, 5, and 8 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Mendelev et al. (US 2013/0160130 A1, published June 20, 2013);
   claim 6 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Sima et al. (US 2008/0120722 A1, published May 22, 2008);
   claim 7 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Hugard et al. (US 2013/0247206 A1, published Sept. 19, 2013).

ISSUE

Did the Examiner err in rejecting claims 1-8?

ANALYSIS

Claim 1 recites obtaining vulnerability data for a Web application and deriving a test payload from the vulnerability data. Appellants argue that Zaninotti fails to disclose or suggest a “test payload . . . derived from the vulnerability data.” App. Br. 10-12. However, we agree with the Examiner’s finding that Zaninotti discloses this feature. Final Act. 9 (citing Zaninotti 4:38-5:25).

As the Examiner finds, Zaninotti discloses a “Web application” (or “web component,” Zaninotti 4:41-42) and obtaining vulnerability data for the web component (or “checking for the existence of security flaws” and obtaining data used to “determine if the application is vulnerable,” Zaninotti 4:39-40, 47-48). Zaninotti also discloses that the system performs a “vulnerability analysis” to “look[] for a . . . database of attacks to be constructed against the web component[].” Zaninotti 4:52-54. In other words, as the Examiner points out, Zaninotti discloses deriving (or “constructing”) a test payload (or constructing a database of attacks against the web component) from the vulnerability data (or from using data in the “vulnerability analysis”). We agree with the Examiner’s findings that Zaninotti discloses and suggests the contested limitation.

Claim 1 requires determining a type of vulnerability exploited by the test payload. Appellants argue that Zaninotti fails to disclose or suggest the “type of vulnerability is determined from the test payload.” App. Br. 10-11. We agree with the Examiner’s finding that Zaninotti discloses this feature. Final Act. 6 (citing Zaninotti 4:38-5:25). As an initial matter, we note that claim 1 recites “determining a type of vulnerability exploited by the test payload” and does not recite that the type of vulnerability is determined from the test payload, as Appellants contend. In any event, as the Examiner finds, Zaninotti discloses “determining the type of technology” and constructing a database of attacks against a web component (i.e., a “test payload”) based on a vulnerability analysis using vulnerability data and the type of technology. Zaninotti also discloses an example of a “type” of technology and vulnerability in which “an open-source PHP web component [i.e., a PHP “type” of technology] will cause the system to try to append a set of . . . HTTP variables with invalid parameters.” Zaninotti 4:51-58. In other words, Zaninotti discloses a “type” of vulnerability that is “exploited by” (i.e., susceptible to such “attacks against [the] web component”) the test payload (i.e., an “attack” in the constructed database of such attacks against the web component). We agree with the Examiner that such teachings teach or suggest the disputed limitation.

Claim 1 further recites “selecting an existing validation operation of a testing system for validating a response from the Web application to the test payload according to the type of vulnerability.” Appellants argue that Zaninotti fails to disclose or suggest “the existing validation operation is selected based upon the type of vulnerability.” App. Br. 10. We agree with the Examiner’s finding that Zaninotti discloses this feature. Final Act. 9-10 (citing Zaninotti 4:38-5:25). As the Examiner finds, Zaninotti discloses at least one example of a response from a web application (e.g., a “PHP web component” that “cause[s] the system to try to append a set of . . . variables with invalid parameters,” 4:55-57), selecting an existing validation operation (e.g., from “a provided [i.e., “existing”] database of attacks to be constructed against the web component’s set of URIs,” 4:52-53), and validating the response from the web application according to the type of vulnerability (e.g., “append[ing] . . . variables with invalid parameters” is “a characteristic of [the “type” of vulnerability] of PHP-based components,” 4:56-58). Although Appellants argue that Zaninotti fails to disclose or suggest “how [the] type of vulnerability is used to select an existing validation operation” (App. Br. 10-11), claim 1 recites “selecting an existing validation operation.” Appellants do not demonstrate persuasively that claim 1 also recites “how” a type of vulnerability is used to select an existing validation operation. To the extent Appellants argue that Zaninotti fails to disclose selecting an existing validation operation “according to the type of vulnerability,” as recited in claim 1, this argument was previously addressed above.

For these reasons, we are not persuaded the Examiner erred in finding that the combination of Zaninotti and Xiong teaches or suggests the limitations recited in claim 1. Appellants do not provide additional, substantive arguments in support of claims 2-8 or additional, substantive arguments with respect to Yunus, Mendelev, Sima, or Hugard. App. Br. 17-20.

SUMMARY

We affirm the Examiner’s rejection of:
   claims 1 and 4 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti and Xiong;
   claim 2 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Yunus;
   claims 3, 5, and 8 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Mendelev;
   claim 6 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Sima;
   claim 7 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Hugard.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED