Ex Parte Gassoway

Patent Trial and Appeal Board
Jan 8, 2013
10832692 (P.T.A.B. Jan. 8, 2013)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________________
Ex parte PAUL A. GASSOWAY
____________________
Appeal 2010-006874
Application 10/832,692
Technology Center 2400
____________________

Before DEBRA K. STEPHENS, JUSTIN BUSCH, and HUNG H. BUI, Administrative Patent Judges.

BUI, Administrative Patent Judge.

DECISION ON APPEAL

Appellant[1] seeks our review under 35 U.S.C. § 134(a) of the Examiner’s Final Rejection of claims 2, 4-9, 11-19, 21-26, 28-34, 36-41, and 43-49.[2] We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM.

[1] Real Party in Interest is Computer Associates Think, Inc.
[2] Claims 1, 3, 10, 20, 27, 35, and 42 are cancelled and are not on appeal.

I. STATEMENT OF THE CASE[3]

Appellant’s Invention

Typical intrusion detection systems (IDSs) and antivirus programs rely either on signatures of known malicious programs (stored in a database) or heuristic recognition to detect malicious code embedded within a computer program, and generate an alert upon detection of a malicious program. See Appellant’s Spec. pg. 2, ll. 25-30; pg. 3, ll. 1-24. However, signature detection may be prone to detecting multiple instances of malicious programs that are not necessarily an actual threat to a computer system or network. Id. Likewise, heuristic recognition may be prone to generate false negatives or false positives. Id. Consequently, important alerts in an alert log (i.e., database) can be overcrowded or difficult to notice when surrounded by many alerts of lesser significance. Id. Appellant’s invention seeks to solve these problems by adding an alert to an alert log (i.e., database) along with “information pertaining to an importance of the detected malicious program infection.” See Appellant’s Spec. pg. 3, ll. 30-31 and Abstract.
Claims on Appeal

Claims 6, 8, 16, 17, 24, 32, 33, 40, and 48 are independent. Claim 6 is representative of the invention, as reproduced below with disputed limitations emphasized:

6. A method for detecting malicious programs, the method comprising:
scanning data to detect a malicious program infection;
matching the scanned data to a signature associated with a malicious program, the signature comprising:
a representation of malicious code associated with a malicious program; and
a risk assessment value comprising a value assigned to the malicious program, the risk assessment value identifying the nature of the threat and the potential for damage to a system as posed by the scanned data that matches the signature;
generating an alert when a malicious program infection has been detected; and
adding said alert to an alert log along with information pertaining to an importance of said detected malicious program, wherein said importance is based on a confidence level signifying how closely the scanned data matches the signature associated with the malicious program.

[3] Our decision refers to Appellant’s Appeal Brief filed January 4, 2010 (“App. Br.”); Reply Brief filed April 14, 2010 (“Reply Br.”); Examiner’s Answer mailed March 2, 2010; and the original Specification filed April 22, 2004 (“Spec.”).

Evidence Considered

The prior art relied upon by the Examiner in rejecting the claims on appeal is:

Hershey    U.S. 5,414,833          May 9, 1995
Connary    U.S. 2004/0044912 A1    Mar. 4, 2004
Bruton     U.S. 7,076,803 B2       Jul. 11, 2006
Wang       U.S. 7,454,418 B1       Nov. 18, 2008

Examiner’s Rejections

Claims 2, 4-9, 11-19, 21-26, 28-34, 36-41, and 43-49 stand rejected under 35 U.S.C. §103(a) as being unpatentable over the combination of Connary, Hershey, Bruton, and Wang.

II. ISSUE

The dispositive issue on appeal is whether the Examiner has erred in rejecting claims 2, 4-9, 11-19, 21-26, 28-34, 36-41, and 43-49 under 35 U.S.C. §103(a) as being unpatentable over the proposed combination of Connary, Hershey, Bruton, and Wang. App. Br. 19. In particular, the issue turns on whether:

(1) the proposed combination of Connary, Hershey, Bruton, and Wang discloses or suggests “an alert log along with information pertaining to an importance ... wherein said importance is based on a confidence level signifying how closely the scanned data matches the signature associated with the malicious program” as recited in independent claim 6, and similarly recited in independent claims 8, 17, 24, 33, and 40 (App. Br. 22-24; Reply Br. 2-3) (emphasis added);

(2) the proposed combination of Connary, Hershey, Bruton, and Wang discloses or suggests “wherein displaying said one or more alerts according to said priority further comprises displaying only those of said one or more alerts that have been categorized as high importance and providing an option for the display of those of said one or more alerts that have been categorized as low importance” as recited in independent claim 16, and similarly recited in independent claims 32 and 48 (App. Br. 24-27; Reply Br. 3-4) (emphasis added);

(3) the proposed combination of Connary, Hershey, Bruton, and Wang discloses or suggests “wherein an alert is prioritized as high importance in response to a high confidence level that indicates that the scanned data more closely matches the signature, and wherein an alert is prioritized as low importance in response to a low confidence level that indicates that the scanned data less closely matches the signature” as recited in dependent claims 13, 22, 29, 38, 45, and 49 (App. Br. 27-28; Reply Br. 4-5) (emphasis added); and

(4) the Examiner has engaged in an impermissible hindsight reconstruction of Appellant’s claims 2, 4-9, 11-19, 21-26, 28-34, 36-41, and 43-49 and, consequently, has pieced together disjointed portions of four (4) unrelated references, including Connary, Hershey, Bruton, and Wang (App. Br. 29-30; Reply Br. 5-6).

III. ANALYSIS

We have considered Appellant’s arguments raised in the Briefs, but do not find them persuasive to demonstrate reversible error in the Examiner’s position. In re Jung, 637 F.3d 1356, 1365 (Fed. Cir. 2011). Arguments that Appellant could have made but chose not to make in the Briefs are deemed to be waived. See 37 C.F.R. § 41.37(c)(1)(vii).

We agree with the Examiner and thus, we adopt as our own (1) the findings and reasons set forth by the Examiner in the Final Office Action from which this appeal is taken, and (2) the responses set forth by the Examiner in the Examiner’s Answer in response to each of the arguments raised by Appellant in the Briefs. We also concur with the conclusions reached by the Examiner. We highlight and address specific findings and arguments for emphasis as follows.

With respect to independent claim 6 and similarly independent claims 8, 17, 24, 33, and 40, Appellant contends that the combination of Connary, Hershey, Bruton, and Wang fails to disclose or suggest “an alert log along with information pertaining to an importance ... wherein said importance is based on a confidence level signifying how closely the scanned data matches the signature associated with the malicious program.” App. Br. 22-24; Reply Br. 2-3 (emphasis added).

In particular, Appellant acknowledges that Connary discloses an alert log along with information pertaining to a priority (i.e., importance) of the malicious program infection, and that Wang discloses the confidence level of signature matching. App. Br. 22-23; see also Wang, col. 8, ll. 23-26.
Nevertheless, Appellant argues that: (1) the threat priority of Connary is determined based on a source or destination address of an event (Reply Br. 2); and (2) Wang merely discloses comparing a string against signature fragments to identify if there are any positive matches, terminating the scanning only after it is determined that there is no match or when it is determined with 100% confidence that there is a match, and does not disclose “information pertaining to an importance ... based on a confidence level ...” App. Br. 23-24; Reply Br. 3.

However, we are not persuaded by Appellant’s arguments. As correctly found by the Examiner, ¶0085 of Connary describes a computing device 12 coupled to a user interface (GUI) 16, shown in FIG. 2, to generate a threat report 44 and/or threat presentation 45 that includes the event data 38, the threat level data 40 associated with respective event data 38, and any alert data 42 based upon preset criteria or rules so that a user (i.e., network administrator) will be able to determine the degree of danger posed by a threat and to distinguish and prioritize serious threats (i.e., threat levels) from those that are less significant. Ans. 20-21. In addition, ¶0092 of Connary also describes threat priority (i.e., importance) assigned to the threat event. Ans. 21.

As a secondary reference, Wang is simply cited for disclosing the confidence level of signature matching, i.e., how closely the scanned data matches the signature associated with the malicious program. Ans. 6, 10, 13, 16, 19, and 22. We see no reason, and Appellant has not provided sufficient evidence or argument as to why Wang and Connary cannot be combined to generate “information pertaining to an importance of [a] detected malicious program ... based on a confidence level signifying how closely the scanned data matches the signature associated with the malicious program” as suggested by the Examiner. Ans. 5.
For the reasons set forth above, Appellant has not persuaded us of error in the Examiner’s rejection of independent claims 6, 8, 17, 24, 33, and 40. Accordingly, we sustain the Examiner’s rejection of claims 6, 8, 17, 24, 33, and 40, and their respective dependent claims 2, 4-5, 7, 9, 11-12, 14-15, 18-19, 21, 23, 25-26, 28, 30-31, 34, 36-37, 39, 41, 43-44, and 46-47 under 35 U.S.C. § 103(a) as being unpatentable over Connary, Hershey, Bruton, and Wang.

With respect to independent claims 16, 32, and 48, Appellant contends that the combination of Connary, Hershey, Bruton, and Wang fails to disclose or suggest “wherein displaying said one or more alerts according to said priority further comprises displaying only those of said one or more alerts that have been categorized as high importance and providing an option for the display of those of said one or more alerts that have been categorized as low importance.” (App. Br. 24-27; Reply Br. 3-4) (emphasis added). Appellant further argues that ¶0151 and FIG. 13 of Connary do not disclose “providing an option for the display of those of said one or more alerts that have been categorized as low importance.” Reply Br. 4 (emphasis in the original).

We disagree. As correctly found by the Examiner, ¶0150 and FIG. 12 of Connary describe a GUI 62 having “top threats” tab 86. As such, when the “top threats” tab 86 is activated, via mouse-controlled cursor, the “top threats” report 44 is generated to indicate events having the highest threat levels, i.e., only those of said one or more alerts that have been categorized as high importance. Ans. 23. Conversely, ¶0151 and FIG. 13 of Connary describe a GUI 62 having “Realtime Events” tab 112. As such, when the “Realtime Events” tab 112 is activated, via mouse-controlled cursor, the threat presentation 45 is generated to indicate event data 38 and threat level data 40 (arranged in row 140). Ans. 24.
Threat level data 40 includes all threat levels (high and low) in real time. Since Appellant’s claims 16, 32, and 48 do not require that “only” those alerts that have been categorized as low importance are displayed, the display of all threat levels (high and low) are necessarily inclusive of the display of those of said one or more alerts that have been categorized as low importance, as recited in Appellant’s claims 16, 32, and 48. And it follows that the ability to choose the Realtime Events is “an option” for the display of those alerts.

For these reasons, Appellant has not persuaded us of error in the Examiner’s rejection of independent claims 16, 32, and 48. Accordingly, we sustain the Examiner’s rejection of claims 16, 32, and 48 under 35 U.S.C. § 103(a) as being unpatentable over Connary, Hershey, Bruton, and Wang.

With respect to dependent claims 13, 22, 29, 38, 45, and 49, Appellant argues that the combination of Connary, Hershey, Bruton, and Wang fails to disclose or suggest “wherein an alert is prioritized as high importance in response to a high confidence level that indicates that the scanned data more closely matches the signature, and wherein an alert is prioritized as low importance in response to a low confidence level that indicates that the scanned data less closely matches the signature.” (App. Br. 27-28; Reply Br. 4-5) (emphasis added).

However, we agree with the Examiner’s discussions of Connary and Wang, and the response provided to Appellant’s arguments. Ans. 20-22 and 25. We also agree with the Examiner’s findings and conclusions and adopt them as our own. Therefore, we do not find any error in the Examiner’s rejection of claims 13, 22, 29, 38, 45, and 49.
Lastly, with respect to dependent claims 2, 4-9, 11-19, 21-26, 28-34, 36-41, and 43-49, Appellant argues that the Examiner has engaged in impermissible hindsight reconstruction, and has pieced together disjointed portions of four references, including Connary, Hershey, Bruton, and Wang. App. Br. 29-30; Reply Br. 5-6. However, we do not find this argument availing.

    Any judgment on obviousness is . . . necessarily a reconstruction based on hindsight reasoning, but so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made and does not include knowledge gleaned only from applicant's disclosure, such a reconstruction is proper.

In re McLaughlin, 443 F.2d 1392, 1395 (CCPA 1971). See also Radix Corp. v. Samuels, 13 USPQ2d 1689, 1693 (D.D.C. 1989) ("[A]ny obviousness inquiry necessarily involves some hindsight.").

Here, Connary, Hershey, Bruton, and Wang all disclose existing network security products. For example, Connary discloses an integrated network security system to detect and generate an overall assessment of the threat level posed by a network attack, for example, malicious programs such as viruses or worms. See [0006] and [0056] of Connary. Hershey discloses a network security system in which a signature is associated with a malicious program. See col. 3, ll. 25-30 of Hershey. Bruton discloses an integrated intrusion detection system in which a suspicion level (high or low) is assigned with a signature. See col. 21, ll. 51-58, and FIG. 18 of Bruton. Wang discloses a method for signature scanning in which a confident level is associated with signature matching. See col. 8, ll. 26-28 of Wang.

The Examiner's reasons for combining teachings from Hershey, Bruton, and Wang with those of Connary are based on the teachings of these references. We determine these reasons do not include knowledge gleaned only from the Appellants' disclosure.
Moreover, we are not persuaded that a motivation to combine Connary, Hershey, Bruton and Wang for a skilled artisan is lacking.

Therefore, we sustain the Examiner’s rejection of claims 2, 4-9, 11-19, 21-26, 28-34, 36-41, and 43-49 under 35 USC § 103(a) as being unpatentable over Connary, Hershey, Bruton, and Wang.

V. CONCLUSION

On the record before us, we conclude that the Examiner has not erred in rejecting claims 2, 4-9, 11-19, 21-26, 28-34, 36-41, and 43-49 under 35 U.S.C. §103(a) as being unpatentable over Connary, Hershey, Bruton, and Wang.

VI. ORDER

As such, we affirm the Examiner’s final rejection of claims 2, 4-9, 11-19, 21-26, 28-34, 36-41, and 43-49 under 35 U.S.C. §103(a).

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv) (2011).

AFFIRMED

tj