Ex Parte Gupta et alDownload PDFPatent Trial and Appeal BoardFeb 21, 201712888626 (P.T.A.B. Feb. 21, 2017) Copy Citation United States Patent and Trademark Office UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O.Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 12/888,626 09/23/2010 Chetan Kumar GUPTA 82264760 4802 56436 7590 Hewlett Packard Enterprise 3404 E. Harmony Road Mail Stop 79 Fort Collins, CO 80528 EXAMINER LE, UYEN T ART UNIT PAPER NUMBER 2157 NOTIFICATION DATE DELIVERY MODE 02/23/2017 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): hpe.ip.mail@hpe.com chris. mania @ hpe. com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte CHETAN KUMAR GUPTA, SONG WANG, ABHAY MEHTA and STEFAN BERGSTEIN Appeal 2015-002442 Application 12/888,626 Technology Center 2100 Before JEFFREY S. SMITH, AMBER L. HAGY, and MICHAEL M. BARRY, Administrative Patent Judges. SMITH, Administrative Patent Judge. DECISION ON APPEAL Appeal 2015-002442 Application 12/888,626 STATEMENT OF THE CASE This is an appeal under 35 U.S.C. § 134(a) from the rejection of claims 1—20, which are all the claims pending in the application. We have jurisdiction under 35 U.S.C. § 6(b). We affirm. Illustrative Claim 1. A method for event correlation, the method comprising: receiving events from a network of systems; classifying the events into itemsets, each itemset including a set of frequently correlated events; calculating a confidence value for each of the itemsets, the confidence value indicating a likelihood that the events in each itemset are related by a common cause; identifying itemsets whose confidence values conform to a confidence criterion; and varying the confidence criterion to compress the number of the identified itemsets, thereby selecting a smaller number of identified itemsets for presenting to an operator. Prior Art Singh US 2008/0186974 A1 Aug. 7,2008 Saurabh US 2009/0064333 A1 Mar. 5, 2009 Malik US 2010/0174670 A1 July 8,2010 James J. Treinen & Ramakrishna Thurimella, A Framework for the Application of Association Rule Mining in Large Intrusion Detection Infrastructures, 2—18 (2006) (hereinafter “Treinen”). 2 Appeal 2015-002442 Application 12/888,626 Examiner’s Rejections Claims 1, 2, 4—7, 9-11, 13—16, and 18—20 stand rejected under 35 U.S.C. § 103(a) as unpatentable over Saurabh and Treinen. Claims 3 and 12 stand rejected under 35 U.S.C. § 103(a) as unpatentable over Saurabh, Treinen, and Malik. Claims 8 and 17 stand rejected under 35 U.S.C. § 103(a) as unpatentable over Saurabh, Treinen, and Singh. ANALYSIS We adopt the findings of fact made by the Examiner in the Final Action and Examiner’s Answer as our own. We concur with the conclusions reached by the Examiner for the reasons given in the Examiner’s Answer. We highlight the following for emphasis. Section 103 rejections of claims 1—6, 8, 9, 19, and 20 Claim 1 recites “the confidence value indicating a likelihood that the events in each itemset are related by a common cause.” Appellants contend Treinen teaches determining a confidence level of whether a third event z of a data set will be found when events x and y are found, but does not indicate how the co-existence of events x, y, and z “are related by a common cause” as recited in claim 1. Reply Br. 5—6. However, the cited section of Treinen that discusses determining the co-existence of events (Ans. 3^4 (citing Treinen pp. 1, 5)) teaches that the goal is finding a true attack. The Examiner finds the true attack is “a common cause” within the meaning of claim 1. Ans. 4. Appellants have not persuasively rebutted the Examiner’s finding. 3 Appeal 2015-002442 Application 12/888,626 We further highlight Appellants’ contention is inconsistent with other sections of Treinen which disclose the goal of defining an attack as a rule (Abstract), proving causal relationships between an attack and a combination of alarms (Section 1 (Introduction)), performing root cause analysis (Section 2 (Related Work)), generating signature specific rules (Section 4 (The Approach)), and using root cause analysis to discover the actual cause of alarms (Section 5). Although the reference teaches discovering the actual cause or the root cause of related alarms, rather than using the words “common cause” as claimed, Appellants have not provided a definition of “common cause” that excludes an actual cause, a root cause, or a true attack as taught by Treinen. We sustain the rejection of claim 1 under 35 U.S.C. § 103. Appellants do not present arguments for separate patentability of claims 2—6, 8, and 9, which fall with claim 1. Appellants present arguments for the patentability of claims 19 and 20 similar to those presented for claim 1, which we find unpersuasive for the reasons given in our analysis of claim 1. Section 103 rejections of claims 10—15, 17, and 18 Claim 10 recites “replacing the compressed identified itemsets by a single representative event.” The Examiner finds Treinen teaches this limitation by adjusting parameters to return a range of rules, including a single rule, by adjusting parameters. Ans. 5 (citing Treinen Fig. 4 and p. 14). Appellants contend returning a single rule does not teach replacing compressed identified itemsets with a single representative event. Reply Br. 8-9. 4 Appeal 2015-002442 Application 12/888,626 Appellants find support for this limitation in Paragraphs 10 and 32 of Appellants’ Specification. App. Br. 8. Paragraph 10 discloses evaluating sets of correlated events in light of confidence criteria. Paragraph 32 discloses varying the confidence criterion to achieve an optimum compression. Paragraphs 10 and 32 of Appellants’ Specification do not provide a limiting definition of “replacing the compressed identified itemsets by a single representative event” that excludes the single rule taught by Treinen. We highlight Pages 14 and 15 of Treinen teach that the rule identifies the root cause of alarms, which is “a single representative event” within the meaning of claim 10. We sustain the rejection of claim 10 under 35 U.S.C. § 103. Appellants do not present arguments for separate patentability of claims 11— 15, 17, and 18, which fall with claim 10. Section 103 rejection of claims 7 and 16 Claim 7 recites “identifying intersections among those found itemsets that include the current set of events as a subset.” The Examiner finds Paragraph 55 of Saurabh teaches this limitation by converting discovered patterns into correlation rules, then finding specific instances of the pattern in future or replayed event streams, where the specific instances of the pattern correspond to the claimed current set of events as a subset. Ans. 5—6. Appellants contend Saurabh does not teach that the specific instances of the pattern are a “subset.” Reply Br. 10. However, Appellants have not provided persuasive evidence or argument to distinguish the claimed “subset” from the pattern of events, which is a subset of all of the events in the event stream of Paragraph 55 of Saurabh. 5 Appeal 2015-002442 Application 12/888,626 We sustain the rejection of claims 7 and 16 under 35 U.S.C. § 103. DECISION The rejections of claims 1—20 are affirmed. No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 41.50(f). AFFIRMED 6 Copy with citationCopy as parenthetical citation
