Ex Parte ChoiDownload PDFPatent Trial and Appeal BoardJun 24, 201411433940 (P.T.A.B. Jun. 24, 2014) Copy Citation UNITED STATES PATENT AND TRADEMARK OFFICE ________________ BEFORE THE PATENT TRIAL AND APPEAL BOARD ________________ Ex parte THOMAS CHOI1 ________________ Appeal 2011-008488 Application 11/433,940 Technology Center 2100 ________________ Before STANLEY M. WEINBERG, JOHNNY A. KUMAR, and JOHN G. NEW, Administrative Patent Judges. NEW, Administrative Patent Judge. DECISION ON APPEAL 1 The Real Party-in-Interest is Nortel Networks Limited. App. Br. 1. Appeal 2011-008488 Application 11/433,940 2 SUMMARY Appellant files this appeal under 35 U.S.C. § 134(a) from the Examiner’s Final Rejection of claims 1, 2, and 4-14 under 35 U.S.C. § 102(e) as being anticipated by Judge (US 2006/0174341 A1, August 3, 2006) (“Judge”). We have jurisdiction under 35 U.S.C. § 6(b). We AFFIRM. NATURE OF THE CLAIMED INVENTION Appellant’s invention is directed to a system and method for filtering anomalous electronic communications, e.g., spam. In particular, the method provides for detecting behavior data or behavioral characteristics of a source of the electronic communication, processing of the behavioral characteristic data to determine anomalous communications and filtering anomalous communications. Source behavior data comprises that of a sending host and its neighboring hosts. By employing a machine learning algorithm, detection is based on knowledge obtained during a training period. Abstract. GROUPING OF CLAIMS Because Appellant argues that claims 1, 4-9, and 11, stand or fall together, we select independent claim 1 as representative of these claims. See App. Br. 4. Claim 1 recites: 1. A method for filtering electronic communications in a communication network including a destination computer, a source computer and at least one neighboring host of the source computer, the method comprising: receiving an electronic communication; Appeal 2011-008488 Application 11/433,940 3 retrieving behavior data associated with the source computer and the at least one neighboring host of the source computer; processing the behavior data; detecting an anomalous electronic communication based on processed behavior data; and filtering the anomalous electronic communication.. Claim App’x A. Appellant also groups claims 10 and 11 together, and claims 12 and 13 together, but makes substantially the same argument for all of the claims on appeal. App. Br. 4. ISSUES AND ANALYSES A. Claim 1 Issue Appellant argues that the Examiner erred in finding that Judge discloses the limitation of claim 1 reciting “retrieving behavior data associated with the source computer and the at least one neighboring host of the source computer.” App. Br. 5. We therefore address the issue of whether the Examiner so erred. Analysis Appellant argues that, according to one embodiment of the invention, a data server provides a server module with behavior data that describes the behavior of a source of the electronic communication; the source comprising Appeal 2011-008488 Application 11/433,940 4 the sending host and its neighboring hosts. App. Br. 5 (citing Spec. ¶ [0021]). Appellant contends that the behavior data associated with the source are obtained and stored in the data server as a set of Domain Name Server (DNS) TXT records. App. Br. 5-6 (citing Spec. ¶ [0022]). Appellant argues that Judge, by contrast, discloses receiving a communication and generating a threat profile based on the received communication. App. Br. 6 (citing Judge ¶¶ [0045]; [0047]). Appellant contends that Judge does not disclose generating a threat profile based on behavior data associated with the source. App. Br. 6. Furthermore, argues Appellant, to the extent that Judge discloses applying one or more tests to the received electronic communication to compare the sender’s address in the received electronic communication to addresses contained in the one or more white lists, Judge nevertheless does not disclose generating a threat profile based on behavior data associated with the sender’s address. Id. (citing Judge ¶ [0049]). Appellant disagrees with the Examiner’s finding that the risk profile disclosed by Judge is analogous to the claimed behavior data. However, argues Appellant, even assuming, arguendo, that the Examiner’s finding was not erroneous, Judge nevertheless discloses generating a risk profile based on data associated with the received communication. App. Br. 6 (citing Judge ¶¶ [0045]; [0047]). On the other hand, claim 1, Appellant argues, is directed to “retrieving behavior data associated with the source computer and the at least one neighboring host of the source computer.” App. Br. 6. Consequently, Appellant argues, the claimed subject matter is distinguishable from Judge’s disclosure, which fails to disclose or suggest “retrieving behavior data associated with the source computer.” Id. Appeal 2011-008488 Application 11/433,940 5 Appellant argues further that the Examiner also erred in finding that Judge necessarily discloses retrieving behavior data associated with at least one neighboring host of the source computer. App. Br. 6. According to Appellant, Judge discloses peer-to-peer based messaging security systems and generating a risk profile associated with the received communication from these peer-to-peer networks. Id. (citing Judge, ¶¶ [0047]). Appellant argues that this disclosure is distinguishable from claim 1, which recites “retrieving behavior data associated with the source computer and the at least one neighboring host of the source computer.” App. Br. 6. Appellant contends that it “does not necessarily follow that analyzing a communication received from a peer node is the same as retrieving behavior data associated with a source node.” App. Br. 7 (emphasis in original). The Examiner responds that Judge discloses receiving the behavior data in the form of an electronically communicated risk profile, and that Judge’s disclosure of a “risk profile” reads on the claim term “behavior data.” Ans. 11 (citing Judge ¶ [0047]. The Examiner finds that a risk profile, as is well known in the art, is data accumulated from previous behaviors that pose a threat, indicate a risk or is an anomaly, as is clearly specified in Judge. Id. at 11-12. The Examiner also finds that claim 1’s term “neighboring host of the source computer” is identical to Judge’s disclosure of a peer-to-peer messaging system. Ans. 11 (citing Judge ¶ [0042]). The Examiner finds that Judge discloses that a peer-to-peer messaging system comprises a ring of untrusted or trusted peers and that communication occurs by exchanging messages between neighbors constituting the ring. Ans. 11-12 (citing Judge ¶ [0039]). The Examiner finds further that each system of the peer-to-peer is Appeal 2011-008488 Application 11/433,940 6 a computer system, and therefore the ring of peers corresponds to claim 1’s term “neighboring host of source computers.” Ans. 12. We are not persuaded by Appellant’s arguments. Judge discloses that: In some embodiments, an electronic communication directed to or originating from an application server is received. The source of the electronic communication may be any appropriate internal or external client or any appropriate internal or external application server. One or more tests are applied to the received electronic communication to evaluate the received electronic communication for a particular security risk. A risk profile associated with the received electronic communication is stored based upon this testing. The stored risk profile is compared against data accumulated from previously received electronic communications to determine whether the received electronic communication is anomalous. Judge ¶ [0047] (emphasis added). We agree with Appellant that Judge discloses that the risk profile is constructed from the information contained in the received message. However, Judge also discloses that the risk profile thus constructed is next compared against data accumulated from previously received electronic communications. Id. Moreover, Judge further discloses a peer-to-peer system which “operates between a set of trusted peers”; therefore data received from previously received electronic communications will include data received from the source computer as well as a neighboring host of the source computer. Judge ¶ [0039]. Consequently, we find that Judge discloses the limitation of claim 1 reciting “retrieving behavior data associated with the source computer and the at least one neighboring host of the source computer.” Appeal 2011-008488 Application 11/433,940 7 Nor are we persuaded by Appellant’s contention that “Judge does not disclose generating a threat profile based on behavior data associated with the sender’s address.” See App. Br. 6. The language of claim 1 does not employ the term “risk profile based on behavior data”; rather, it merely recites “retrieving behavior data associated with the source computer and the at least one neighboring host of the source computer.” As related supra, we find that this limitation is disclosed by Judge. We consequently find that Judge discloses the disputed limitation of claim 1 and we affirm the Examiner’s rejection of the claim. B. Claims 2, 10, 12, and 14 Appellant argues separately claims 2, 10, 12, and 14. However, Appellant, after a brief exegesis on the limitations of these claims, relies upon substantially the same arguments set forth with respect to claim 1. See App. Br. 8, 9, 10, 11. We have related supra our reasons as to why Appellant’s arguments with respect to claim 1 are unavailing. Moreover, we do not analyze Appellant’s contentions for potential ground of patentability based on arguments not presented by Appellant. See 37 C.F.R. § 41.37(c)(vii) (Any argument or authorities not included in the brief or reply brief filed pursuant to § 41.41 will be refused consideration by the Board, unless good cause is shown”). We consequently affirm the Examiner’s rejection of these claims. DECISION The Examiner’s rejection of claims 1, 2, and 4-14 as unpatentable under 35 U.S.C. § 102(e) is affirmed. Appeal 2011-008488 Application 11/433,940 8 No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1). See 37 C.F.R. § 1.136(a)(1)(iv) (2010). AFFIRMED cdc Copy with citationCopy as parenthetical citation