Ex Parte Chow et al
Patent Trial and Appeal Board, Feb 10, 2016
13352451 (P.T.A.B. Feb. 10, 2016)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 13/352,451
FILING DATE: 01/18/2012
FIRST NAMED INVENTOR: Stanley Chow
ATTORNEY DOCKET NO.: LUTZ200574US02
CONFIRMATION NO.: 8483

48116 7590 02/10/2016
FAY SHARPE/LUCENT
1228 Euclid Avenue, 5th Floor
The Halle Building
Cleveland, OH 44115-1843

EXAMINER: TABOR, AMARE F
ART UNIT: 2434
MAIL DATE: 02/10/2016
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte STANLEY CHOW, BASSEM ABDEL-AZIZ, and FAUD KHAN

Appeal 2014-001578
Application 13/352,451
Technology Center 2400

Before NATHAN A. ENGELS, CARL L. SILVERMAN, and JAMES W. DEJMEK, Administrative Patent Judges.

ENGELS, Administrative Patent Judge.

DECISION ON APPEAL

Appellants appeal under 35 U.S.C. § 134(a) from a final rejection of claims 21 and 22. Claims 1-3, 5-12, and 14-20 have been allowed. We have jurisdiction under 35 U.S.C. § 6(b). We affirm.

STATEMENT OF THE CASE

Appellants' invention is directed to systems and methods of malware detection. Spec. 1. Claims 21 and 22 are reproduced below.

21.
A method of detecting malware infected computing devices in a network, the method comprising:
    allocating at least one network address in a network element coupled to a communications network as a bait address;
    sending at least one outgoing bait packet from the bait address to the network according to a policy table stored in the network element;
    receiving an incoming packet from the network at the bait address; and
    selectively identifying a source of the incoming packet as infected with malware if the incoming packet is unexpected or from an unauthorized source.

APPELLANTS' CONTENTIONS

Appellants contend the Examiner erred in rejecting claims 21 and 22 under 35 U.S.C. § 103(a) as being unpatentable over the combination of Keromytis (US 2009/0241191 A1; Sept. 24, 2009); Shraim (US 7,870,608 B2; Jan. 11, 2011); and Wang (US 2007/0208822 A1; Sept. 6, 2007).

ANALYSIS

Appellants contend the cited combination of references fails to teach or suggest the allocating, sending, and receiving steps of claim 21 and similar limitations of claim 22. Specifically, Appellants argue Keromytis does not teach or suggest "bait address allocation, outgoing bait packet transmission from the bait address, or receipt of incoming packets at a bait address." App. Br. 10. Further, Appellants argue the "bait information" or "bait traffic" in Keromytis is entirely "within the host system" and not routed through a network. Reply Br. 8-12.

We find Appellants' arguments unpersuasive. As the Examiner finds (Final Act. 3 (citing Keromytis Fig. 1, ¶¶ 30-43)), Figure 1 of Keromytis teaches "decoy systems 106" that form part of a "network-wide deception infrastructure, 114." Keromytis Fig. 1, ¶ 37.
Further, Keromytis states that "dedicated bait servers and/or workstations can send emails from a decoy account to another decoy account through shared email servers, DNS servers, web servers, and/or various other shared network infrastructures." Keromytis ¶ 38. We agree with the Examiner that Keromytis teaches or suggests the claimed "bait address" with its disclosure of a network-connected bait server, for example. See Spec. ¶¶ 5-6 (describing bait addresses as network addresses such as a MAC address or IP address of a switch or router).

We are also unpersuaded by Appellants' argument that Keromytis fails to teach or suggest "bait packets," as Appellants' Specification states that "packets as used herein is intended to encompass all forms of frames, data packets, etc. sent over the network" (Spec. ¶ 14; see also Spec. ¶ 22 (broadly reciting bait packet types by listing known network protocols)) and a person of ordinary skill in the art would have understood Keromytis's disclosures of sending and receiving "bait information" to include data in the form of packets as claimed (see Ans. 5).

We further agree with the Examiner that Keromytis teaches the "sending" and "receiving" limitations (Ans. 5 (citing Keromytis Fig. 2, ¶¶ 34-46, 206-208)) with, for example, its disclosure of a dedicated server for "injecting and receiving bait information" as part of the "deception network." Keromytis ¶ 37; see also Keromytis ¶ 38 (bait servers "can send emails from a decoy account to another decoy account through shared email servers, DNS servers, web servers, and/or various other shared network infrastructures").

We are also unpersuaded by Appellants' arguments that Keromytis does not teach or suggest selectively identifying a source of an incoming packet as being infected with malware if the incoming packet is unexpected or from an unauthorized source. App. Br.
11-12; Reply Br. 12-13. Keromytis states that "the ultimate goal of setting up the decoy systems is to identify the external attackers" (Keromytis ¶ 17) and "bait traffic [] can be closely monitored in such manner than any artificially induced deviations can be easily detected." Keromytis ¶ 44. We agree with the Examiner (Final Act. 3 (citing Keromytis ¶¶ 44-46)) that a person of ordinary skill would have understood the "unexpected" limitation to encompass Keromytis's teachings of "artificially induced" deviations from pre-scripted bait traffic or other "anomalous events" used to "correctly identify a wrong doer or to reinforce the previous findings against the wrong doer." Keromytis ¶¶ 45-46.

We are also unpersuaded by Appellants' arguments that the Examiner's combination of references fails to teach an outgoing bait packet sent to the network according to a policy table. App. Br. 14; Reply Br. 15. Appellants' Specification describes a policy table as including lists of bait packet types and bait packet schedules for scripted transmission of bait packets to the network. Spec. ¶ 21 ("Outgoing bait packets ... may advantageously be sent from the allocated bait address to the network 2 according to a script such as a policy table 32 in the switch 26 that includes a bait packet types list 33 and a bait packet schedule 34."). Each of Keromytis, Shraim, and Wang teaches applying scripts to schedule sending files for malware detection. See, e.g., Keromytis ¶¶ 44-46 (describing "pre-scripted bait traffic"); Shraim, col. 12, ll. 50-53 ("each correlation engine 125 may be configured to periodically retrieve messages/data files from the honey pot 110 (e.g., using a scheduled FTP process, etc.)"); Wang, Figs.
4, 6 (describing waiting a set time period before analyzing a trace file containing a list of website URLs); ¶ 34 ("Strider tracer module 310 is adapted to trace certain events (e.g., operations, actions, etc.) within a given machine."); ¶ 39 (describing "predetermined time periods").

Without addressing the scope or meaning of the claimed "policy table," Appellants advance what amounts to conclusory arguments directed only at Wang, arguing "even to the extent that Wang's tracer file 604 'contains traced files, visited URLs, etc.' ... the policy table of claims 21 and 22 is used in relation to sending an outgoing bait packet from a bait address to a network." Reply Br. 14. The Examiner relies on Keromytis and Shraim, not Wang, for its teachings regarding sending outgoing bait packets from a bait address to a network. See In re Merck & Co. Inc., 800 F.2d 1091, 1097 (Fed. Cir. 1986) (nonobviousness cannot be established by attacking prior art references individually when a rejection is predicated upon a combination of prior art disclosures). Further, applying the broadest reasonable interpretation in light of Appellants' Specification, we agree with the Examiner that "sending at least one outgoing bait packet from the bait address to the network according to a policy table stored in the network element" would have been obvious to a person of ordinary skill in view of the cited combination. See Final Act. 4.

DECISION

For the above reasons, the Examiner's rejection of claims 21 and 22 is affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended. 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED