Ex Parte Hadar et al
Patent Trial and Appeal Board
Sep 7, 2016
12565474 (P.T.A.B. Sep. 7, 2016)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 12/565,474
FILING DATE: 09/23/2009
FIRST NAMED INVENTOR: Ethan Hadar
ATTORNEY DOCKET NO.: 063170.9283
CONFIRMATION NO.: 1531
EXAMINER: NGUY, CHID
ART UNIT: 2435
NOTIFICATION DATE: 09/09/2016
DELIVERY MODE: ELECTRONIC

106095 7590 09/09/2016
Baker Botts LLP
2001 Ross Avenue, 6th Floor
Dallas, TX 75201

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): PTOmaill@bakerbotts.com

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte ETHAN HADAR, NIMROD VAX, AMIR JERBI, and MICHAEL KLETSKIN

Appeal 2015-003632
Application 12/565,474[1]
Technology Center 2400

Before JOHNNY A. KUMAR, CARL L. SILVERMAN, and KAMRAN JIVANI, Administrative Patent Judges.

SILVERMAN, Administrative Patent Judge.

DECISION ON APPEAL

Appellants appeal under 35 U.S.C. § 134(a) from the Examiner's non-final rejection of claims 1-21. Non-Final Act. 1. We have jurisdiction under 35 U.S.C. § 6(b). We affirm.

[1] The real party in interest is identified as Computer Associates Think, Inc. Br. 3.

STATEMENT OF THE CASE

Appellants' invention relates to access control enforcement in cloud computing systems. Abstract. Claim 1 is exemplary of the matter on appeal:

1.
A system comprising one or more processors coupled to a memory, the one or more processors when executing logic encoded in the memory providing:
    a topology manager configured to:
        maintain a security topology of a plurality of hosts, the security topology associating one or more virtual host policies with a plurality of virtual hosts in a cloud computing deployment; and
        trigger a query from one or more of the plurality hosts to identify one or more candidate hosts for which there is a need to enforce the security topology; and
    a portability manager configured to:
        receive a request to deploy an access control agent on the one or more candidate hosts, the access control agent being configured to control entry points to the cloud computing deployment;
        determine an optimal access control agent to be deployed from a list of available access control agents based on the security topology; and
        deploy the optimal access control agent on the one or more candidate hosts.

Br. 20 (Claims Appendix).

REJECTIONS

Claims 1, 2, 4-6, 8, 9, 11-13, 15, 16, and 18-20 stand rejected under pre-AIA 35 U.S.C. § 103(a) as being unpatentable over Nessett et al. (US 5,968,176; Oct. 19, 1999) ("Nessett") in view of Etheridge (US 2009/0052451 A1; published Feb. 26, 2009). Non-Final Act. 3-7.

Claims 3, 10, and 17 stand rejected under pre-AIA 35 U.S.C. § 103(a) as being unpatentable over Nessett, Etheridge, and Gbadegesin et al. (US 2009/0228967 A1; published Sept. 10, 2009) ("Gbadegesin"). Non-Final Act. 7-8.

Claims 7, 14, and 21 are rejected under pre-AIA 35 U.S.C. § 103(a) as being unpatentable over Nessett, Etheridge, and Mascarenhas et al. (US 2009/0327905 A1; published Dec. 31, 2009) ("Mascarenhas"). Non-Final Act. 8-9.

ANALYSIS

Appellants argue Nessett does not disclose or suggest the claim 1 limitation "the security topology associating one or more virtual host policies with a plurality of virtual hosts in a cloud computing deployment." Br.
13-14. According to Appellants, "Nessett's topology data[] includes 'information about security functions operating in [a] set of nodes in [a] network, and about [sic] interconnection of nodes in the network.' Nessett, Col. 4, Lines 7-10 (emphasis added)" and "[n]one of those nodes corresponds to a 'virtual host in a cloud computing system' because none of those nodes is able to distribute its process execution across multiple other nodes simultaneously." Id. at 13. Appellants argue a 'virtual host[] in a cloud computing deployment' comprises one or more remote systems that are configured to operate simultaneously and to distribute and delegate the functions of a process over multiple pieces of equipment, or virtual machines, such that the process is hosted 'virtually' on that equipment, rather than natively on a user's system. Id. at 13-14.

Appellants argue Nessett describes a "special 'virtual' node" "that differs from what is known to those of ordinary skill" because Nessett describes "that a 'special 'virtual' node named 'external' ... represents end systems outside the management domain of the multilayer firewall." Id. (citing Nessett col. 8, ll. 18-20). According to Appellants:

    rather than describing the virtualization of a process on one or more nodes that may be accessed and controlled remotely, Nessett uses the term "virtual" to describe a node that hosts processes that are beyond its control (i.e., that are "outside the management domain of the multilayer firewall")(footnote omitted). Nessett therefore fails to disclose or suggest a "security topology" that "associat[es] one or more virtual host policies with a plurality of virtual hosts in a cloud computing deployment," as recited in each of independent Claims 1, 8, and 15. (Emphasis added). Etheridge also fails to disclose or suggest that feature.

Id. at 14.

We are not persuaded by Appellants' arguments and, instead, agree with the Examiner's findings.
The Examiner finds Nessett discloses a network management station with a topology database storing information about nodes, end systems or hosts for use with security and "at least discloses a security topology that associates host policies with hosts." Ans. 10 (citing Nessett col. 8, ll. 1-3, 27-65; col. 7, ll. 13-35; col. 9, ll. 16-32; col. 10, l. 24-col. 11, l. 18; Figs. 1-2). The Examiner finds Nessett's security enforcement includes remote servers which allow remote resources and access to Internet Service Providers. Ans. 11 (citing Nessett Fig. 2, col. 14, l. 52-col. 15, l. 46) and:

    Furthermore, as is known to those of ordinary skills in the art, cloud computing system is internet-based networks of remote servers and centralized data storages that allow access to online services or resources, and virtual host system allows a service or resource provider to utilize one physical host computer to simulate multiple hosts to service client requests made to any of the multiple network addresses or domain names. Without virtual hosting, the Internet Service Providers would have to provide a separate physical host computer with a unique network address or domain name for every customer that purchases host services or web pages. Thus at least the remote access server, access server, and/or terminal server disclosed by Nessett are virtual hosts correspond to the claimed "virtual hosts in a cloud computing system."

Id.

Appellants present no persuasive evidence why the Examiner's interpretation of "virtual host" to include the teachings of Nessett is unreasonable or overbroad. Claim terms in a patent application are given the broadest reasonable interpretation consistent with the Specification, as understood by one of ordinary skill in the art. In re Crish, 393 F.3d 1253, 1256 (Fed. Cir. 2004). However, great care should be taken to avoid reading limitations of the Specification into the claims. E=Pass Techs., Inc. v.
3Com Corp., 343 F.3d 1364, 1369 (Fed. Cir. 2003). Regarding Appellants' proffered definition of "virtual host," mere lawyer's arguments and conclusory statements that are unsupported by factual evidence are entitled to little probative value. In re Geisler, 116 F.3d 1465, 1470 (Fed. Cir. 1997) ("An assertion of what seems to follow from common experience is just attorney argument and not the kind of factual evidence that is required to rebut a prima facie case of obviousness."); see also In re De Blauwe, 736 F.2d 699, 705 (Fed. Cir. 1984). Accordingly, absent persuasive rebuttal evidence or technical reasoning to the contrary, we are not persuaded that the Examiner erred.

Appellants argue Nessett and Etheridge do not disclose or suggest the claim 1 limitation "determin[ing] an optimal access control agent to be deployed from a list of available access control agents." Br. 14-17. In particular, Appellants argue the Examiner acknowledges Nessett does not disclose or suggest this limitation and "Etheridge describes two different processes that involve matching a packet to an ACE in an ACL: 1) a packet routing process and 2) an ACL optimization process." Id. at 15. According to Appellants,

    rather than describing a process for 'determin[ing] an optimal access control agent to be deployed from a list of available access control agents,' as recited in each of independent Claims 1, 8, and 15, Etheridge describes a process for optimizing the list from which such a determination may be made, which allows for sub-optimal results (e.g., backward redundancy) when Etheridge simply selects the first matching ACE from that list.

Id.

We are not persuaded by Appellants' arguments and, instead, agree with the Examiner's findings that the combination of Nessett and Etheridge teaches this limitation.
The Examiner finds Nessett discloses this limitation, except "Nessett does not explicitly disclose determining an optimal access control agent from a list of available access control agents. (Emphasis added)." Ans. 12 (citing Office Act., p. 4, ll. 8-11).

The Examiner finds Nessett's security management discloses determining the nodes and/or the best script language to configure the security policy at a specific node or an optimal access control agent to be deployed based on the security topology. Nessett discloses set of security policy statements and different programs/scripting languages that the nodes, end systems or network devices use. Ans. 13 (citing Nessett col. 7, ll. 22-35, col. 8, ll. 34-55, col. 10, ll. 23-41).

The Examiner finds Etheridge discloses a method that determines the best access control entries or rules or the most used entries or rules in an Access Control List (ACL) used in controlling communications between distributed network components by comparing each access control entry or rule in the Access Control List with other the entries or rules in the list to find the redundant or conflicted entries or rules or comparing the numbers of times each access control entry match with the number of packets processing by the Access Control List (¶¶ [0036], [0050]-[0053]). Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the teaching of Etheridge into the teaching of Nessett to determine from the security topology data which contains information about the nodes and the configuration data match or choice of rules in nodes own security policy language for the purpose of saving cost, lessen the load on large networks and increasing the speed of processing data (Etheridge, ¶¶ [0015]-[0017]). Ans. 13-14.

Appellants argue the references individually whereas the rejection is based on the combination of the references.
In re Keller, 642 F.2d 413, 426 (CCPA 1981) ("[O]ne cannot show non-obviousness by attacking references individually where, as here, the rejections are based on combinations of references" (citations omitted)); In re Merck & Co., Inc., 800 F.2d 1091, 1097 (Fed. Cir. 1986). The test for obviousness is not whether the features of a secondary reference may be bodily incorporated into the structure of the primary reference; nor is it that the claimed invention must be expressly suggested in any one or all of the references. Rather, the test is what the combined teachings of the references would have suggested to those of ordinary skill in the art. See Keller, 642 F.2d at 425.

As stated by the Supreme Court, the Examiner's obviousness rejection must be based on some articulated reasoning with some rational underpinning to support the legal conclusion of obviousness .... [H]owever, the analysis need not seek out precise teachings directed to the specific subject matter of the challenged claim, for a court can take account of the inferences and creative steps that a person of ordinary skill in the art would employ. KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 418 (2007) (quoting In re Kahn, 441 F.3d 977, 988 (Fed. Cir. 2006)).

The Examiner's findings are reasonable because the skilled artisan would "be able to fit the teachings of multiple patents together like pieces of a puzzle" since the skilled artisan is "a person of ordinary creativity, not an automaton." KSR, 550 U.S. at 420-21. On this record, Appellants do not present sufficient evidence that the combination of the cited references was "uniquely challenging or difficult for one of ordinary skill in the art" or "represented an unobvious step over the prior art." Leapfrog Enters., Inc. v. Fisher-Price, Inc., 485 F.3d 1157, 1162 (Fed. Cir. 2007) (citing KSR, 550 U.S. at 418-19).
In view of the above, we sustain the rejection of claim 1, and independent claims 8 and 15 as Appellants rely on the same arguments considered above for claim 1. Br. 13. We sustain the rejection of dependent claims 2-7 and 9-14, and 16-21 as these claims are not argued separately. See 37 C.F.R. § 41.37(c)(1)(iv).

DECISION

We affirm the Examiner's decision rejecting claims 1-21.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED