Ex Parte Lutas et al
Patent Trial and Appeal Board
May 14, 2018
14318719 (P.T.A.B. May. 14, 2018)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 14/318,719
FILING DATE: 06/30/2014
FIRST NAMED INVENTOR: Andrei V. LUTAS
ATTORNEY DOCKET NO.: SOF-1406
CONFIRMATION NO.: 1502

23574 7590 05/16/2018
Law Office of Andrei D. Popovici, P.C.
4030 Moorpark Ave., Suite 108
SAN JOSE, CA 95117

EXAMINER: CAREY, FORREST L
ART UNIT: 2491
NOTIFICATION DATE: 05/16/2018
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): ANDREI@APATENT.COM

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte ANDREI V. LUTAS and SANDOR LUKACS

Appeal 2017-010521
Application 14/318,719
Technology Center 2400

Before JEAN R. HOMERE, JOSEPH P. LENTIVECH, and MICHAEL M. BARRY, Administrative Patent Judges.

BARRY, Administrative Patent Judge.

DECISION ON APPEAL

Appellants¹ appeal under 35 U.S.C. § 134(a) from a final rejection of claims 1, 4-12, 15-22, and 24-27, which are all the pending claims.² We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM.

¹ Appellants identify Bitdefender IPR Management Ltd., a subsidiary of Bitdefender Holding BV, as the real party in interest. App. Br. 4.

² See App. Br. 22-26 (Claims App'x). Claims 2, 3, 13, and 14 were cancelled prior to the Final Rejection and claim 23 was cancelled by an amendment after the Notice of Appeal.
Introduction

According to Appellants, the claimed subject matter relates to "systems and methods for protecting computer systems from malware." Spec. ¶ 1. Appellants explain that for applications in which one physical machine hosts multiple virtual machines, with each virtual machine separately running its own operating system and/or software applications, "each such virtual machine potentially requires malware protection, including protection against malicious code injection and data theft." Spec.

Independent claim 1 is representative of the claims on appeal:

    1. A host system comprising a hardware processor configured to operate:

    a virtual machine comprising a virtualized processor, the virtual machine configured to employ the virtualized processor to execute a source process and a destination process; and

    a memory introspection engine executing outside the virtual machine and configured to modify a memory management function of an operating system executing within the virtual machine, the memory management function configured to copy a content of memory from a virtual memory space of the source process to a virtual memory space of the destination process, the modification causing the hardware processor, in response to an attempt to execute the memory management function, to switch from executing the memory management function to executing a code fragment outside the virtual machine, wherein executing the code fragment comprises:

        identifying the source and destination processes according to the attempt; and

        in response to identifying the source and destination process, selectively blocking the attempt according to a selection criterion determined according to at least one member of a group consisting of an identity of the source process and an identity of the destination process.

App. Br. 22 (Claims App'x).
Rejections & References

Claims 1, 4-9, 11, 12, 15-20, 22, 26, and 27 stand rejected under 35 U.S.C. § 103 as unpatentable over Sallam (US 2012/0254993 A1; Oct. 4, 2012), Walton et al. (US 2014/0283107 A1; Sept. 18, 2014), and Shevchenko (US 2009/0049550 A1; Feb. 19, 2009). Final Act. 2-8.

Claims 10 and 21 stand rejected under § 103 as unpatentable over Sallam, Walton, Shevchenko, and Ghosh et al. (US 2013/0145463 A1; June 6, 2013). Final Act. 9.

Claims 24 and 25 stand rejected under § 103 as unpatentable over Sallam, Walton, Shevchenko, and Li et al. (US 2008/0016314 A1; Jan. 17, 2008). Final Act. 10.

ANALYSIS

Appellants argue the Examiner's articulated motivation to combine Shevchenko with Sallam and Walton is inadequate for two reasons: "[1] the advanced reasons are so broad and generic that they do not support the specific proposed modifications/combination, and [2] the advanced reasons ignore the fact that Sallam already addresses the problem that Shevchenko was brought in to solve." App. Br. 16; see also id. at 15 (contending the combination "is not supported by an adequate prior-art reason with rational underpinnings" (citing KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 418 (2007))); Reply Br. 6-7.

We disagree that the Examiner's articulated reasons for combining the teachings of Shevchenko with the teachings of Sallam and Walton "are so generic as to justify almost any modification of the teachings of Sallam and Walton" that they essentially constitute hindsight reasoning. App. Br. 17 (contending that "relying on such reasoning would impermissibly transform the obviousness inquiry into one asking whether a skilled artisan could, rather than would, have made the proposed modifications to Sallam and Walton"). "Any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning, but so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made and does not include knowledge gleaned only from applicant's disclosure, such a reconstruction is proper." In re McLaughlin, 433 F.2d 1392, 1395 (CCPA 1971).

Here, the Examiner's finding for why an ordinarily skilled artisan would have been motivated to combine Walton's teachings with those of Sallam is far from generic:

    in order to prevent the leakage of sensitive information between applications with privileged access to said information and those which operate at a less secure level, as well as to prevent an insecure application instance from extracting or stealing sensitive information from a privileged memory area, thus improving the security environment.

Final Act. 4. Similarly, for combining Shevchenko's teachings with those of Sallam and Walton, the Examiner provides a detailed explanation:

    to combine the memory function hooking teachings of Shevchenko with the memory introspection engine teachings of Sallam in view of Walton, in order to define a set of functions which were vulnerable to being exploited by malicious code, and modify said functions to call a monitoring system when invoked, thereby preventing the use of the function by the malicious code and improving the overall security of the system.

Final Act. 5. In response to Appellants' argument, the Examiner further supports these stated rationales with more specific findings:

    Sallam, as an example, teaches hooking NDIS.SYS to monitor for file writes (e.g. paragraph 46). Shevchenko teaches modifying additional memory modification functions which can inject code into the virtual space of another process (e.g. paragraph 88).
    It is well known in the art that such functions are capable of causing significant damage when accessed by malicious agents or code. Therefore, Shevchenko improves the basic hooking method of Sallam by hooking additional functions which were not considered by Sallam, i.e. functions configured to copy content to a virtual memory space of the destination process. Walton additionally teaches that the memory modification functions which are intercepted are capable of copying content from a memory space of a source process to the memory space of the destination process (e.g. paragraph 65).

Ans. 6-7.

Appellants also specifically contend the Examiner errs in combining Shevchenko with Sallam and Walton because "the artisan would not have been motivated to incorporate [Shevchenko's] hooking of a memory management function into Sallam's system, since Sallam already describes a substantial repertoire of tools for detecting memory modification attempts." App. Br. 18; see also id. at 19 (contending Sallam already addresses the very problem the Examiner finds provides motivation for adding Shevchenko).

This line of argument is also unpersuasive. As the Examiner responds, and we agree, Shevchenko provides functionality not within the existing toolset of Sallam (and Walton), and specifically:

    Shevchenko ... extends the hooking functionality to functions not disclosed by Sallam, such as functions responsible for injecting code into other processes (e.g., paragraph 88). A person of ordinary skill would [have] recognize[d] that the additional teachings with respect to hooking, as taught by Shevchenko, would b[e] beneficial to incorporate into the basic hooking teachings which are mentioned by Sallam in view of Walton, and would provide the powerful control and monitoring features to cover vulnerable system functions, contributing even further to the toolset already described by Sallam.

Ans. 9-10.
Appellants do not persuade us that the relatedness and overlap of functionality between Shevchenko and Sallam would have militated against the consideration of modifying Sallam based on Shevchenko.

In view of the foregoing, Appellants do not persuade us the Examiner fails to articulate a sufficient rationale for why an ordinarily skilled artisan would have combined the teachings of Sallam, Walton, and Shevchenko. In re Kahn, 441 F.3d 977, 988 (Fed. Cir. 2006).

Appellants also argue the Examiner errs in rejecting claim 1 because a hypothetical combination of Sallam, Walton, and Shevchenko "would not have led to a system or method wherein a software component executing outside the VM modifies an OS function executing within the VM." App. Br. 19; see also id. at 20-21; Reply Br. 7-8.

This argument is unpersuasive. As the Examiner finds, and we agree:

    Sallam teaches a system comprising a virtual machine monitor executing at a level below all of the operating systems of an electronic device, along with a security agent which executes at a level below all operating systems of an electronic device (Sallam, abstract). The below-O/S functionality virtualizes resources for the operating systems, which are therefore virtual machines (e.g., paragraph 48). Sallam refers to this virtual machine monitor and below-O/S security agent as a security virtual machine monitor ("SVMM") security agent and SVMM (e.g., paragraphs 40-41). [The] SVMM is configured as a memory scanner (e.g., paragraph 65). Therefore, the SVMM is a memory scanning system which operates outside of the virtual machines for which it virtualizes resources.

    * * *

    The memory scanning system of Shevchenko corresponds to the SVMM of Sallam, which is shown operating outside of the operating system or virtual machine.
    Any modification of the SVMM of Sallam to incorporate additional function hooking teachings would therefore perform these additional functions outside of the protected VM, and modify functions within the VM. Therefore, since Sallam already shows the corresponding modules functioning outside the VM, the combination can be seen to teach a software component executing outside the VM modifying an OS function executing within the VM, as recited in the present claims.

Ans. 12.

Accordingly, we sustain the rejection of claim 1. In doing so, we adopt as our own the Examiner's findings and reasons in its rejection as set forth in the Final Rejection and in the Answer. We also, accordingly, sustain the rejections of claims 4-12, 15-22, and 24-27.³

DECISION

For the above reasons, we sustain the Examiner's 35 U.S.C. § 103 rejections of claims 1, 4-12, 15-22, and 24-27.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED

³ Appellants argue the patentability of all claims based on the independent claims 1 and 12. See App. Br. 10-21. We select claim 1 as representative. 37 C.F.R. § 41.37(c)(1)(iv).