14318462 (P.T.A.B. May. 11, 2018)

Ex Parte Maguire

Patent Trial and Appeal BoardMay 11, 2018

14318462 (P.T.A.B. May. 11, 2018)

UNITED STA TES p A TENT AND TRADEMARK OFFICE APPLICATION NO. FILING DATE 14/318,462 06/27/2014 25227 7590 05/15/2018 MORRISON & FOERSTER LLP 1650 TYSONS BOULEVARD SUITE400 MCLEAN, VA 22102 FIRST NAMED INVENTOR John R. Maguire UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www .uspto.gov ATTORNEY DOCKET NO. CONFIRMATION NO. 739642001801 5192 EXAMINER ULLAH, SHARIF E ART UNIT PAPER NUMBER 2495 NOTIFICATION DATE DELIVERY MODE 05/15/2018 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): EOfficeVA@mofo.com PatentDocket@mofo.com pair_mofo@firsttofile.com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte JOHN R. MAGUIRE Appeal2017-010724 Application 14/318,462 1 Technology Center 2400 Before MAHSHID D. SADDAT, ALLEN R. MACDONALD and ROBERT E. NAPPI, Administrative Patent Judges. MacDONALD, Administrative Patent Judge. DECISION ON APPEAL 1 According to Appellant, the real party in interest is Noblis, Inc. App. Br. 3. Appeal2017-010724 Application 14/318,462 STATEMENT OF CASE Appellant appeals under 35 U.S.C. Â§ 134(a) from a final rejection of claims 21--46. Appellant has cancelled claims 1-20. App. Br. 23. We have jurisdiction under 35 U.S.C. Â§ 6(b ). We AFFIRM. Representative Claim Representative claim 28 under appeal reads as follows ( emphasis, formatting, and bracketed material added): 28. A computer-implemented method for managing computer security, the method comprising the following operations performed by at least one processor: [A.] receiving scan data from at least two scanners; [B.] correlating the scan data to determine two or more vulnerabilities; [C.] receiving an input indicating that a vulnerability from the two or more vulnerabilities is an excluded vulnerability, the excluded vulnerability being excluded from a report based on a risk rating of the vulnerability; and [D.] generating a report that includes one or more of the two or more vulnerabilities but not the excluded vulnerability. 2 Appeal2017-010724 Application 14/318,462 Rejections The Examiner rejected claims 21-23, 28-30, and 35-37 under 35 U.S.C. Â§ I03(a) as being unpatentable over the combination of Chen et al. (US 2012/0066759 Al; published March 15, 2012) and Schumaker et al. (US 2006/0101520 Al; published May 11, 2006). Final Act. 7-8. 2 The Examiner rejected claims 24--27, 31-34, and 38--46 under 35 U.S.C. Â§ I03(a) as being unpatentable over various combinations of Chen, Schumaker, and other prior art references. 3 The Examiner rejected claims 21, 22, 28, 29, 35, and 36 on the ground of non-statutory obviousness-type double patenting as not being patentably distinct from claims 1, 2, 9, 10, and 17 of Maguire (U.S. Patent Application 12/946,418, filed May 19, 2011; now US 9,432,564 B2, issued August 30, 2016). Final Act. 3. 4 2 Appellant does not argue separate patentability for claims 21-23, 28-30, and 35-37. We select claim 28 as representative. Except for our ultimate decision, we do not discuss this Examiner's rejection of the remaining claims further herein. 3 Appellant does not argue separate patentability for claims 24--27, 31-34, and 38--46. Thus, the rejections of these claims tum on our decision as to claim 28. Except for our ultimate decision, we do not discuss this Examiner's rejection of the remaining claims further herein. 4 Appellant does not appeal this rejection. 37 C.F.R. Â§ 41.3I(c) (An appeal, when taken, is presumed to be taken from the rejection of all claims under rejection ... ). Therefore, we affirm proforma. Except for our ultimate decision, we do not discuss this rejection of these claims further herein. 3 Appeal2017-010724 Application 14/318,462 Issue on Appeal Did the Examiner err in rejecting claim 28 as being obvious? ANALYSIS We have reviewed the Examiner's rejections in light of Appellant's arguments (Appeal Brief and Reply Brief) that the Examiner has erred. We disagree with Appellant's conclusions. A. 1. Appellant contends that the Examiner erred in rejecting claim 28 under 35 U.S.C. Â§ 103(a) because of: the failure of the cited references to disclose or suggest "generat[ing] a report that includes one or more of the two or more vulnerabilities but not the excluded vulnerability[.]" App. Br. 12 (emphases omitted). As to Chen, Appellant particularly contends: [W]hile Chen's telemetry report may contain certain file parameters, nothing in Chen discloses or suggests an "excluded vulnerability." Chen's telemetry report therefore cannot disclose or suggest the claimed feature of "includ[ing] one or more of the two or more vulnerabilities but not the excluded vulnerability.'' App. Br. 13. Further, as to Schumaker, Appellant particularly contends: Furthermore, Schumaker does nothing to cure the deficiencies of Chen, and in fact teaches away from the claimed features .... Schumaker discloses a system that (706) scans for policy violations, (708) reports risks of policy violations, and 4 Appeal2017-010724 Application 14/318,462 thereafter (710) decides whether a violation should be ignored or remediated. See Schumaker Fig. 7 (reproduced at right). In the Schumaker system, there is no disclosure of any step or technique for excluding any detected risks from a report; rather, the clear teaching of Schumaker is that all risks are reported at step 708, before any determination about ignoring any risk is made at step 710. Only after all risks are reported at step 708 is a decision made to remediate some vulnerabilities, but not others, at step 710. Thus, the clear teaching of Schumaker - to report all risks at step 708 - is in direct contravention to the claimed feature of reporting some vulnerabilities "but not the excluded vulnerability." Schumaker therefore discourages the claimed solution of not reporting certain risks, thus teaching away from the claimed solution. Accordingly, Schumaker does not disclose or suggest the claimed features for which is it cited. App. Br. 13-14. 2. As to Appellant's above contention regarding Chen, we disagree. Appellant argues the Examiner erred because Chen does not disclose an "excluded vulnerability." App. Br. 13. However, Examiner did not cite Chen for this limitation. Rather, the Examiner cited Schumaker in combination with Chen. Final Act. 7-8. The Examiner relied on "Paragraph 0047" and "Fig. 7" of Schumaker to show (a) input indicating that vulnerability from the two or more vulnerabilities is an excluded vulnerability, and (b) the excluded vulnerability being excluded from a report based on a risk rating of the vulnerability. Final Act. 7-8. We conclude that Appellant's argument does not address the actual reasoning of the Examiner's rejection. Instead, Appellant attacks the Chen reference singly for lacking teachings that the Examiner relied on a combination of references to show. It is well established that one cannot show nonobviousness by attacking references individually where the 5 Appeal2017-010724 Application 14/318,462 rejections are based on combinations of references. See In re Keller, 642 F.2d 413,425 (CCPA 1981); In re Merck& Co., Inc., 800 F.2d 1091, 1097 (Fed. Cir. 1986). The Examiner did not rely solely on Chen as argued. In other words, Appellant argues findings the Examiner never made. This form of argument is inherently unpersuasive to show Examiner error. Our reviewing court requires that references must be read, not in isolation, but for what they fairly teach in combination with the prior art as a whole. Merck, 800 F .2d at 1097. 3. As to Appellant's above contention regarding Schumaker, we disagree. Appellant acknowledges the "[p ]rior art must be considered in its entirety." App. Br. 13. However, Appellant then proceeds to consider Schumaker only as to the disclosure that differs from Appellant's claim limitations. For, example Appellant asserts "the clear teaching of Schumaker is that all risks are reported at step 708." We agree that Schumaker reports all risks in the first loop through step 708. However, step 708 is performed iteratively and Schumaker explicitly teaches that the selected risks are ignored (i.e., excluded) in a subsequent iteration. Appellant overlooks that Schumaker at paragraph 4 7 explicitly teaches ( emphasis added): If the risk is ignored, the security personnel may wish to change 712 the security policy. If the security policy needs to be changed, for instance, eliminating the IM ban for executive officers, then the security policy can be modified or recreated 702, and the process will begin again. Appellant also overlooks that Figure 7 of Schumaker explicitly shows the process beginning again ("Yes" branch out of step 712) after selecting to 6 Appeal2017-010724 Application 14/318,462 ignore a risk ("Yes" branch out of step 710) and change the policy ( step 712). Appellant further overlooks that Schmnaker's subsequent iteration of steps 702 through 708 results in a report at step 708 where the report excludes any risk previously selected to be ignored. Contrary to Appellant's asserted teaching away by Schumaker, we conclude the Examiner correctly finds Schumaker teaches: receive input indicating that vulnerability from the two or more vulnerabilities is an excluded vulnerability, the excluded vulnerability being excluded from a report based on a risk rating of the vulnerability (Detected vulnerabilities are accepted risks and are ignored; Paragraph 0047; Fig.7). Final Act. 7-8. B. Appellant contends that the Examiner erred in rejecting claim 28 under 35 U.S.C. Â§ 103(a) because: [T]he Examiner's citations to and characterizations of Chen and Schumaker are incorrect and unsupported by the references[.] App. Br. 15 ( emphases omitted). As to Chen, Appellant particularly contends as to the Examiner's findings in the Response to Arguments Section of the Final Office Action and the Advisory Action: [T]here is simply no textual basis to conclude that paragraph [0012], paragraph [0015], or any other portion of Chen teaches or suggests generating reports based on "how high or low the reputation data of a potential event is," or that "reports themselves can exclude certain events/vulnerabilities based on their risk." App. Br. 16 ( emphasis omitted). 7 Appeal2017-010724 Application 14/318,462 Further, as to Schumaker, Appellant particularly contends: [N]othing in Schumaker discloses or suggests excluding any vulnerabilities from a report, whether based on a risk rating or based on any other criteria. Once more, Schumaker in fact teaches away from excluding vulnerabilities from a report, because Schumaker Fig. 7 teaches that all risks are reported, and that ignorable risks are only determined with respect to remediation efforts, once reporting has already occurred. App. Br. 17. 2. As to Appellant's above contention regarding Chen, although we agree with Appellant that Chen paragraphs 12 and 15 do not provide the excluded vulnerabilities pointed to by the Examiner (Response to Arguments section of Final Action), we disagree that this shows the Examiner erred in rejecting claim 28. The rejection of claim 28 does not rely on these paragraphs of Chen. Rather, the Examiner relies on Schumaker for excluding vulnerabilities. 3. As to Appellant's above contention regarding Schumaker, we disagree. Appellant again argues Schumaker teaches away from excluding vulnerabilities from a report. App. Br. 17. As we discuss in section A supra, contrary to Appellant's asserted teaching away by Schumaker, we conclude Schumaker teaches the argued limitation. 8 Appeal2017-010724 Application 14/318,462 C. Appellant contends that the Examiner erred in rejecting claim 28 under 35 U.S.C. Â§ 103(a) because: It certainly cannot be the case that a single sentence from the background section of Schumaker provides a legally sufficient rationale to combine Schumaker with any reference whatsoever, and, as the Examiner has not provided anything more than the single sentence from the background section of Schumaker, it follows that the requisite "articulated reasoning" and "rational underpinning" for the specific combination with Chen has not been set forth. App. Br. 21. As to Appellant's above contention, we disagree. Examiner correctly finds Chen (a network security threat-management system) detects vulnerabilities. The Examiner correctly finds that Schumaker ( also a network security threat-management system) manages a risk (i.e., vulnerability) by ignoring that risk during reporting. Schumaker 47; Fig. 7. The Examiner further finds that Schumaker suggests it is desirable: to provide an advanced computer vulnerability remediation system that can help distributed networks manage their security vulnerabilities, address the complexities of managing the vulnerability data associated with decentralized, hierarchical organizations, and help organizations comply with multiple, often overlapping regulatory requirements. Schumaker 10 (numbered as "[0005]" following "[001 OJ")( emphasis added). Appellant presents a multitude of complaints (not reproduced herein) that this articulated reasoning is insufficient. App. Br. 20-21. We are not persuaded by these arguments. Appellant cites no case law to support their position that a more complex articulated reasoning is always required. Rather, as set forth by the Court in KSR, in some circumstances (e.g., mere 9 Appeal2017-010724 Application 14/318,462 substitution) the required analysis is minimal, while in complex circumstances "this analysis should be made explicit." KSR Int 'l Co. v. Teleflex Inc., 550 U.S. 398,418 (2007). We conclude the Examiner's analysis is sufficient for the simple circumstances before us. We find the Examiner's conclusion (and analysis) well founded. Further, Appellant has not presented evidence sufficient to show that combining the prior art was "uniquely challenging or difficult for one of ordinary skill in the art" or "represented an unobvious step over the prior art." Leapfrog Enters., Inc. v. Fisher-Price, Inc., 485 F.3d 1157, 1162 (Fed. Cir. 2007) (citing KSR, 550 U.S. at 418-19). D. The Examiner and Appellant present extensive discussion of paragraphs 12 and 15 of Chen and other alternative theories of rejection. However, at best these merely supplement the actual rejection on appeal. We review first the appeal of the rejection of claim 28 as set forth in the Final Action at pages 7-8 (and Appellant's arguments directed thereto). Having determined the Examiner did not err in this rejection claim 28, we do not address further any supplemental or alternative theories of rejection nor arguments directed thereto. CONCLUSIONS ( 1) The Examiner has not erred in rejecting claims 21--46 as being unpatentable under 35 U.S.C. Â§ 103(a). (2) Claims 21--46 are not patentable. 10 Appeal2017-010724 Application 14/318,462 DECISION We affirm the Examiner's rejections of claims 21--46 as being unpatentable under 35 U.S.C. Â§ 103(a). We affirm the Examiner's rejection of claim 21, 22, 28, 29, 35, and 36 on the ground of nonstatutory obviousness-type double patenting. No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. Â§ 1.136(a)(l)(iv). AFFIRMED 11