Ex Parte Coon et al
Patent Trial and Appeal Board
Feb 18, 2014
11669575 (P.T.A.B. Feb. 18, 2014)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________________

Ex parte JAMES R. COON, DANIEL P. KOLZ, and JEFFREY M. UEHLING
____________________

Appeal 2011-009868
Application 11/669,575
Technology Center 2600
____________________

Before KALYAN K. DESHPANDE, WILLIAM V. SAINDON, and MITCHELL G. WEATHERLY, Administrative Patent Judges.

DESHPANDE, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF CASE¹

Appellants seek review under 35 U.S.C. § 134(a) of a final rejection of claims 1-14 and 17-20, the only claims pending in the application on appeal. We have jurisdiction over the appeal pursuant to 35 U.S.C. § 6(b).

We AFFIRM.

Appellants claim to have invented methods, systems, and products for preventing false positive detections in an intrusion detection system. Specification 1:11-12.

An understanding of the claimed invention can be derived from a reading of exemplary claim 1, which is reproduced below:

    1. A computer-implemented method of preventing false positive detections in an intrusion detection system, the method comprising:

    establishing one or more activity profiles for an intrusion detection system, each activity profile specifying system activity for detection by the intrusion detection system;

    receiving, in the intrusion detection system, an exception notification for a specific activity profile, the exception notification specifying that the specific activity profile represents authorized system activity;

    determining, by the intrusion detection system, whether current system activity matches the specific activity profile that represents authorized system activity; and

    administering, by the intrusion detection system, the current system activity if current system activity matches the specific activity profile.
¹ Our decision will make reference to Appellants’ Appeal Brief (“App. Br.,” filed December 13, 2010), the Examiner’s Answer (“Ans.,” mailed February 28, 2011), and the Final Rejection (“Final Rej.,” mailed July 16, 2010).

REFERENCES

The Examiner relies on the following prior art:

    Shay         US 2004/0098619 A1    May 20, 2004
    Gustafson    US 2008/0244741 A1    Oct. 2, 2008

REJECTIONS

Claims 1-9, 11-14, and 17-20 stand rejected under 35 U.S.C. § 102(e) as being anticipated by Gustafson. Ans. 3.

Claim 10 stands rejected under 35 U.S.C. § 103(a) as being unpatentable over Gustafson and Shay. Ans. 13.

ISSUE

The issue of whether the Examiner erred in rejecting claims 1-9, 11-14, and 17-20 under 35 U.S.C. § 102(e) as being anticipated by Gustafson and claim 10 under 35 U.S.C. § 103(a) as unpatentable over Gustafson and Shay turns on (1) whether Gustafson describes “establishing one or more activity profiles for an intrusion detection system, each activity profile specifying system activity for detection by the intrusion detection system,” as recited in independent claims 1, 11, and 14, and (2) whether Gustafson describes “the exception notification specifying that the specific activity profile represents authorized system activity,” as recited in independent claims 1, 11, and 14.

ANALYSIS

We have reviewed the Examiner’s rejections in light of Appellants’ contentions that the Examiner has erred. We disagree with Appellants’ conclusions. We adopt as our own (1) the findings and reasons set forth by the Examiner in the action from which this appeal is taken and (2) the reasons set forth by the Examiner in the Examiner’s Answer in response to Appellants’ Appeal Brief. We concur with the conclusion reached by the Examiner. We highlight the following arguments for emphasis.

Claims 1-9, 11-14, and 17-20 under 35 U.S.C. § 102(e) as being anticipated by Gustafson

Appellants contend that Gustafson fails to describe “establishing one or more activity profiles for an intrusion detection system, each activity profile specifying system activity for detection by the intrusion detection system,” as recited in independent claims 1, 11, and 14. App. Br. 6-7. Appellants specifically argue that Gustafson fails to disclose activity profiles specifying system activity. App. Br. 7. Appellants further argue that while Gustafson discloses profiles of each host, bridge or router, service and vulnerability, these profiles describe a network device and not system activity. Id.

We disagree with Appellants. While the Specification does not specially define a “system activity,” it does provide examples and context to illustrate a meaning for a “system activity.” The Specification describes a “system activity” to include local system activity that results from manipulations of the node (104) by user (114) or computer software installed on the node (104). The system activity detected by the IDS (120) may also include network activity generated or received by the other nodes (110, 112) and servers (142, 144) connected to the network (102). Specification 6:24-29. The Specification also describes a node as “a computer device having installed upon it an intrusion detection system (120).” Specification 6:21-22. As such, a “node” encompasses a host (i.e., a computer device), and “manipulations of the node by user or computer software installed on the node” encompasses running services (i.e., computer software on a computer device) and vulnerabilities (i.e., a user or computer software interacting with a computer device) of hosts. The Examiner construed the term “system activity” to include information about running services and vulnerabilities for specific hosts as well as services detected on a network and vulnerabilities detected on a network. Ans. 3, 14-15.
Appellants have not provided any persuasive evidence or rationale to rebut this construction by the Examiner. Accordingly, we find the Examiner’s construction of a “node” and a “system activity” to be both reasonable and consistent with the Specification. The Examiner further found that Gustafson discloses activity profiles specifying system activity in its teaching of host profiles containing information about hosts, running services, and vulnerabilities for specific hosts. Id. (citing Gustafson ¶ 27-28). Thus, we agree with the Examiner that Gustafson discloses establishing one or more activity profiles for an intrusion detection system, each activity profile specifying system activity for detection by the intrusion detection system.

Appellants further contend that Gustafson fails to describe, “the exception notification specifying that the specific activity profile represents authorized system activity,” as recited in independent claims 1, 11, and 14. App. Br. 7-9. Appellants specifically argue that Gustafson specifies unauthorized system usage, not authorized system activity. App. Br. 8.

We disagree with Appellants. As pointed out by the Examiner, Gustafson discloses exceptions to its policy configuration that allow for certain hosts to run certain services. Ans. 4, 16-17. For example, Gustafson specifically discloses, “An exception is made to allow host X to additionally run HTTP. Also, host Y is allowed to run Windows™ 2003 Server with no service restrictions.” Gustafson ¶ 41 (emphases added). Here, the activity is HTTP and host X has an exception to run HTTP. Similarly, host Y has an exception to run Windows™ 2003 Server. These examples illustrate exceptions for authorized system activity. Appellants do not provide any persuasive evidence or rationale to rebut this finding by the Examiner.
Absent persuasive evidence or rationale, we agree with the Examiner that Gustafson discloses the exception notification specifying that the specific activity profile represents authorized system activity.

Claim 10 under 35 U.S.C. § 103(a) as being unpatentable over Gustafson and Shay

Appellants contend that the Examiner erred in rejecting claim 10 for the same reasons set forth above in support of claim 1. App. Br. 9-10. We are not persuaded by Appellants’ arguments in support of claim 1, as discussed above, and are not persuaded the Examiner erred in rejecting claim 10 for the same reasons.

CONCLUSIONS

The Examiner did not err in rejecting claims 1-9, 11-14, and 17-20 under 35 U.S.C. § 102(e) as being anticipated by Gustafson.

The Examiner did not err in rejecting claim 10 under 35 U.S.C. § 103(a) as unpatentable over Gustafson and Shay.

DECISION

To summarize, our decision is as follows.

The rejection of claims 1-9, 11-14, and 17-20 under 35 U.S.C. § 102(e) as being anticipated by Gustafson is sustained.

The rejection of claim 10 under 35 U.S.C. § 103(a) as unpatentable over Gustafson and Shay is sustained.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv) (2010).

AFFIRMED

bab