Ex Parte Calcaterra et al
Patent Trial and Appeal Board
May 23, 2016
13034647 (P.T.A.B. May. 23, 2016)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 13/034,647
FILING DATE: 02/24/2011
FIRST NAMED INVENTOR: Jeffrey A. Calcaterra
ATTORNEY DOCKET NO.: TUC920110022US1
CONFIRMATION NO.: 1207

46917 7590 05/25/2016
KONRAD RAYNES DAVDA & VICTOR, LLP, ATTN: IBM37
350 SOUTH BEVERLY DRIVE, SUITE 360
BEVERLY HILLS, CA 90212

EXAMINER: CELANI, NICHOLAS P
ART UNIT / PAPER NUMBER: 2449
NOTIFICATION DATE: 05/25/2016
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): krvuspto@ipmatters.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte JEFFREY A. CALCATERRA and JOHN R. HIND

Appeal 2014-008194
Application 13/034,647
Technology Center 2400

Before ROBERT E. NAPPI, JOHN P. PINKERTON, and NATHAN A. ENGELS, Administrative Patent Judges.

PINKERTON, Administrative Patent Judge.

DECISION ON APPEAL

Appellants appeal under 35 U.S.C. § 134(a) from the Examiner's Final Rejection of claims 1-21, which constitute all the claims pending in this application.[1] We have jurisdiction under 35 U.S.C. § 6(b).

We affirm.

[1] Appellants identify International Business Machines Corporation as the real party in interest. App. Br. 1.
STATEMENT OF THE CASE

Introduction

Appellants' disclosed and claimed invention generally relates to providing a declaration of security requirements to a security program to use to control application operations. Spec. ¶ 1.[2]

Claim 1 is representative of the claims on appeal and reads as follows (with disputed limitations emphasized):

1. A computer program product comprising a computer readable storage medium having computer readable program code including an application embodied therein that executes to communicate with a security program, the operations comprising:

communicating to the security program, by the application, a declaration of security requirements indicating application actions designated to be performed by the application with respect to indicated resources in the computer system, wherein the security program restricts the application to only perform the indicated actions with respect to the indicated resources, and wherein the declaration of security requirements is communicated before the application initiates performing operations that will result in the indicated actions with respect to the indicated resources;

performing, by the application, application operations in response to the declaration of security requirements being communicated to the security program; and

performing, by the application, during the execution of the application operations, the indicated application actions with respect to the indicated resources at the computer system indicated in the declaration of security requirements.

App. Br. 18 (Claims App.).

[2] Our Decision refers to the Final Office Action (mailed Nov. 12, 2013) ("Final Act."); Appellants' Appeal Brief (filed Apr. 26, 2014) ("App. Br."); the Examiner's Answer (mailed May 21, 2014) ("Ans."); Appellants' Reply Brief (filed July 21, 2014) ("Reply Br."); and, the Specification (filed Feb. 24, 2011) ("Spec.").
References

Joshi        US 2005/0149726 A1    July 7, 2005
Gladstone    US 2006/0156380 A1    July 13, 2006
Dunn         US 2007/0038765 A1    Feb. 15, 2007
Back         US 2007/0220507 A1    Sept. 20, 2007
Schwartz     US 2008/0040797 A1    Feb. 14, 2008
Lipscombe    US 2008/0155245 A1    June 26, 2008
Hickie       US 2010/0081417 A1    Apr. 1, 2010
Laiho        US 2010/0235443 A1    Sept. 16, 2010

Wikipedia, User Account Control, 1-7 (Sept. 24, 2010) (https://en.wikipedia.org/w/index.php?title=User_Account_Control&oldid=386700350) (last visited June 5, 2013) ("UAC")

Rejections on Appeal

Claims 1, 8, 10, 15, 16, and 21 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of UAC and Hickie.

Claims 2, 11, and 17 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of UAC, Hickie, and Dunn.

Claims 3, 12, and 18 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of UAC, Hickie, Dunn, and Schwartz.

Claims 4, 13, and 19 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of UAC, Hickie, Dunn, and Black.

Claim 5 stands rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of UAC, Hickie, and Gladstone.

Claims 6, 7, 14, and 20 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of UAC, Hickie, and Black.

Claim 9 stands rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of UAC, Hickie, and Lipscombe.

Claim 1 stands rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of UAC, Laiho, and Joshi.[3]

ANALYSIS

We have reviewed the Examiner's rejections in light of Appellants' arguments in the Briefs and are not persuaded the Examiner erred. Unless otherwise noted, we agree with, and adopt as our own, the findings and reasons set forth by the Examiner in the Final Office Action from which this appeal is taken (Final Act.
3-25), and in the Answer in response to Appellants' Appeal Brief (Ans. 16-19), and we concur with the conclusions reached by the Examiner. For emphasis, we consider and highlight specific arguments as presented in the Briefs.

[3] This is a separate and distinct rejection of claim 1, which the Examiner lists under the heading "Alternate Grounds." See Final Act. 22.

Rejection of Claims 1, 10, and 16 under § 103(a) as Obvious Over Combination of UAC and Hickie

Appellants contend UAC and Hickie do not teach or suggest the disputed limitations of claims 1, 10, and 16. App. Br. 7-9; Reply Br. 2-4. In particular, Appellants argue there is no teaching in UAC "that the application itself communicates to the security program the declaration of security requirements" and "that the entity that sent the UAC task list comprises the application that is designated to perform the indicated actions with respect to the indicated resources." App. Br. 7-8. Appellants also argue UAC does not teach "the claim requirement of performing, by the application which sent the security requirements the application operations in response to the declaration of security requirements being communicated to the security program" because in UAC, "it is an administrator, not the application that provides the authorization for more privileges." Id. at 9. Thus, according to Appellants, "UAC teaches away from having the application [program] perform its operations after sending the declaration." Id. Appellants further argue Hickie does not teach "the security program restricts the application to only perform the indicated actions with respect to the indicated resources." Id. at 8.

We are not persuaded by Appellants' arguments that the Examiner erred. Regarding UAC, the Examiner finds as follows:

To meet the claim language, Examiner need only show that the [application] send an action coupled to a resource.
Under the "Tasks that trigger a UAC prompt" section; we see a listing of tasks which require the privileges, and it is noted that other tasks, such as changing the time zone, do not. Above, in the "History" section, it notes that "When an application requests higher privileges ... UAC will prompt for confirmation and, if consent is given, start the process using the unrestricted token." Taking "Changing settings for Windows Firewall" as an example task; it is an action (setting modification) for a resource (the firewall).

Ans. 3 (emphasis omitted).

We note UAC teaches "User Account Control (UAC) is a technology and security infrastructure," i.e., a security program. See UAC 1 (emphasis omitted). Thus, we agree with the Examiner "that UAC fairly teaches, on its own," an application communicating to the security program a task it intends to do (e.g., modify the setting) in respect to a given resource (e.g., the firewall), and would thus constitute "communicating to the security program, by the application, a declaration of security requirements" as recited in claims 1, 11, and 16. Id. at 4.

We also are not persuaded by Appellants' argument that UAC does not teach "the claim requirement of performing, by the application which sent the security requirements the application operations in response to the declaration of security requirements being communicated to the security program" because in UAC, "it is an administrator, not the application that provides the authorization for more privileges." App. Br. 9. In that regard, we agree with the Examiner's finding that "the source of authorization is an unclaimed feature." Ans. 5. In other words, Appellants' argument is not persuasive because it is not commensurate with the scope of the claims. See In re Self, 671 F.2d 1344, 1348 (CCPA 1982) ("[A]ppellant's arguments fail from the outset because ... they are not based on limitations appearing in the claims").
Regarding Appellants' argument that Hickie does not teach "the security program restricts the application to only perform the indicated actions with respect to the indicated resources" (App. Br. 8), we are not persuaded because, as the Examiner finds, Hickie teaches, in response to a request by an application for another operation, a resource trust verification step may be carried out "where a list is sent to the process which validates ... [the] operation against a trusted list of accessible resources (whitelist)." See Ans. 4 (Hickie ¶ 133). That is, the security program or process restricts the application to only perform the indicated actions with respect to the indicated resources based on the trust verification against the whitelist.

For these reasons, we sustain the Examiner's rejection of claims 1, 10, and 16 under 35 U.S.C. § 103(a) for obviousness in view of the combination of UAC and Hickie. We also sustain the rejection of claims 2, 5, 9, 11, and 17, which depend variously from claims 1, 10, and 16 and are not separately argued. See App. Br. 10, 13 and 15; 37 C.F.R. § 41.37(c)(1)(iv).

Having sustained the rejection of claim 1 under 35 U.S.C. § 103(a) for obviousness over UAC and Hickie, we find it unnecessary to reach a decision on the cumulative rejection of claim 1 under 35 U.S.C. § 103(a) for obviousness over UAC and Laiho. See 37 C.F.R. § 41.50(a)(1) ("The affirmance of the rejection of a claim on any of the grounds specified constitutes a general affirmance of the decision of the examiner on that claim ... ").
Rejection of Claims 8, 15, and 21 under § 103(a) as Obvious Over Combination of UAC and Hickie

Appellants contend the cited portions of UAC do not teach the limitations "determining, by the application, that the security program received the declaration of security requirements, wherein the application operations are performed in response to determining that the security program received the declaration of security requirement," as recited in claims 8, 15, and 21. App. Br. 9-10; see UAC Requesting Elevation section ¶ 2 and History section ¶ 4. In particular, Appellants argue the cited portions of UAC discuss how configuration is needed to elevate privileges for an application, "which is different than the application determining whether the security program received a declaration of security requirements as claimed." App. Br. 10.

The Examiner finds as follows:

The claim language is "determining, by the application, that the security program received the declaration." See History ("User applications are then started with the restricted token ... an application requests higher privileges ... if consent is given, start the process using the unrestricted token ..."). As is often the case in networked systems, the application can certainly determine if a message has been received when the results of the message are returned to it. Thus receipt of an unrestricted token and consent to start the process indicate a determination by the application that (1) the security program received the declaration

Ans. 6 (emphasis omitted).

For the reasons stated by the Examiner, we agree with the Examiner's finding that UAC teaches or suggests the limitations of claims 8, 15, and 21 and, therefore, we sustain the rejection of claims 8, 15, and 21.
Rejection of Claims 3, 12, and 18 under § 103(a) as Obvious Over Combination of UAC, Hickie, Dunn, and Schwartz

Appellants contend Schwartz does not teach or suggest the claim requirements of an application sending a request to the security program to switch operation modes from a first to a second operation mode and receiving a response from the security program indicating permission is granted if the declaration of security requirements permits the switch, as recited in claims 3, 12, and 18. App. Br. 11; Reply Br. 4-5. In particular, Appellants argue Schwartz does not teach (1) an application requesting to switch operation modes from the security program and waiting to receive permission and (2) that permission to switch modes is predicated upon that requested action being permitted in a declaration of security requirements that the application previously communicated to the security program. App. Br. 11. Appellants further argue Schwartz's discussion of an elevation request to increase privileges of the application does not teach determining whether an application has permission to switch its operation mode from a first operation mode to a second operation mode, where an operation mode is a mode in which the application operates. Reply Br. 4-5.

The Examiner finds that Appellants' arguments are "based upon an improper piecemeal analysis of the rejection." Ans. 7. The Examiner also finds that the combination of UAC, Hickie, and Schwartz teaches or suggests the limitations in dispute:

Examiner thus cited Schwartz, which teaches at paras. 41, 42 and 51 a transition of privileges from one mode to another ("elevating"). Modifying UAC/Hickie with Schwartz would create a situation where rather than making a determination and then assigning the appropriate token, it would assign a low level token and then make a determination about elevating that token into a higher state.
Thus the request in UAC would become a request to switch modes. This teaches the limitation.

Id. (emphasis omitted).

We are not persuaded by Appellants' arguments the Examiner errs in rejecting claims 3, 12, and 18 as obvious based on the combination of UAC, Hickie, and Schwartz. We agree with the Examiner that Appellants' arguments improperly attack Schwartz on a piecemeal basis because the Examiner's rejection is based on the combined teachings of UAC, Hickie, and Schwartz. See Final Act. 13-15; Ans. 7. Non-obviousness cannot be established by attacking references individually where the rejection is based upon the teachings of a combination of references. In re Merck & Co., Inc., 800 F.2d 1091, 1097 (Fed. Cir. 1986). The relevant inquiry is whether the claimed subject matter would have been obvious to those of ordinary skill in the art in light of the combined teachings of the references. See In re Keller, 642 F.2d 413, 425 (CCPA 1981).

As discussed supra regarding claim 1, the Examiner relies on the combination of UAC and Hickie as teaching or suggesting the application communicating to the security program a declaration of security requirements. Schwartz is relied on by the Examiner as teaching a plurality of operation modes, an un-elevated state and an elevated state, and in response from an application program, transitioning from one mode to another, i.e., from an un-elevated privilege to an elevated privilege, such as a secure application. Final Act. 13-14 (citing Fig. 3, ¶¶ 41, 42, and 51); Ans. 7.

For the reasons set forth by the Examiner in the Final Office Action and Answer, we agree with the Examiner's findings that the combination of the teachings of UAC, Hickie, and Schwartz teaches the limitations in dispute of claims 3, 12, and 18. Thus, we sustain the Examiner's rejection of these claims.
Rejection of Claims 4, 13, and 19 under § 103(a) as Obvious Over Combination of UAC, Hickie, Dunn, and Back

Appellants contend Back's discussion of different types of processes, such as an installation process, does not teach or suggest that the actions performed and resources accessed by the installation process are indicated in a declaration of security requirements that the installation process presents to the security program to indicate the actions the installation process will perform. App. Br. 12; Reply Br. 5.

The Examiner finds that paragraph 26 of Back "teaches the required types of modes (installation, normal and update)" and that Appellants' arguments improperly attack Back individually, where the rejection is based on the combined teachings of the cited art. Ans. 7-8; see also Final Act. 15-16. We agree with the Examiner's findings and, therefore, we sustain the Examiner's rejection of claims 4, 13, and 19 based on the combined teachings of UAC, Hickie, and Dunn.

Rejection of Claims 6, 7, 14, and 20 under § 103(a) as Obvious Over Combination of UAC, Hickie, and Back

Regarding claims 6, 14, and 20, Appellants contend:

Although the cited Back discusses an installation package and an installation process to update the application, there is no teaching of the claim requirement that the installation package includes the declaration of security requirements that is communicated to the security program and that the declaration is sent in response to the execution of the installation routine, and that installation routine operations are performed in response to communicating the declaration to the security program.

App. Br. 13-14.
Regarding claim 7, Appellants contend:

The Examiner has not shown where Back's discussion of an installation process and installation mechanisms teaches the specific claim requirement that a declaration of security requirements communicated by the application to the security program is in response to the application executing the update routine and that the update package includes the declaration of security requirements.

App. Br. 14-15.

The Examiner finds as follows:

Appellant admits that Back, para. 23 teaches an installation package (see Appeal Brief, pg. 14). This is all Examiner need point out, as all that is left is straightforward combination. UAC already taught the security declaration, Back teaches an installation package, and Appellant does not argue it would not be obvious to combine the teachings. Examiner believes this is really an improper piecemeal argument against the rejection again.

With respect to claim 7, Appellant argues on page 14 that "there is no teaching of an update package" in para. 23. Examiner notes that Appellant admits that "the cited para. 26 discusses an installation process that receives new installation data to update the application or component." (Brief, pg. 13) Further, installation versus update is often not really a structural difference. If one has Microsoft Word version 1 on their computer, and they run a program that replaces it with Microsoft Word version 2, it would be accurate to say they have updated the Word program, and it would be just as accurate to say that they deleted Microsoft Word version 1 and installed Microsoft Word version 2. Thus even without the mention of para. 26, the installation of claim 6 and the update of claim 7 are obvious over each other.

Ans. 8-9 (emphasis omitted).

For the reasons stated by the Examiner, we agree with the Examiner's findings.
Specifically, we agree that paragraph 23 of Back teaches an installation package and that an update package is taught by paragraph 26 of Back or is obvious in view of Back's teaching of an installation package, as the Examiner finds. We also agree that Appellants improperly attack Beck individually, where the Examiner's rejection is based on the combined teachings of UAC, Hickie, and Back. See Merck, 800 F.2d at 1097 ("Non-obviousness cannot be established by attacking references individually where the rejection is based upon the teachings of a combination of references"). We further agree with the Examiner's findings that the limitations at issue are taught or suggested by the "straightforward combination" of UAC and Back. Thus, we sustain the Examiner's rejection of claims 6, 7, 14, and 20.

DECISION

We affirm the Examiner's decision rejecting claims 1-21 under 35 U.S.C. § 103(a).

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED