10644841 (P.T.A.B. Dec. 29, 2016)

Ex Parte Mayer et al

Patent Trial and Appeal BoardDec 29, 2016

10644841 (P.T.A.B. Dec. 29, 2016)

United States Patent and Trademark Office UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O.Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 10/644,841 08/21/2003 Yaron Mayer P-BBM-7309-US 6146 91924 7590 NAOMI ASSIA 32 Habarzel Street Tel-Aviv, 6971048 ISRAEL EXAMINER LANIER, BENJAMIN E ART UNIT PAPER NUMBER 2437 NOTIFICATION DATE DELIVERY MODE 01/03/2017 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): naomih@computer-law.co.il adi@computer-law.co.il PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte YARON MAYER and ZAK DECHOVICH Appeal 2016-002962 Application 10/644,841 Technology Center 2400 Before ST. JOHN COURTENAY III, THU A. DANG, and ALEX S. YAP, Administrative Patent Judges. COURTENAY, Administrative Patent Judge. DECISION ON APPEAL STATEMENT OF THE CASE This is an appeal under 35 U.S.C. § 134(a) from the Examiner’s Final Rejection of claims 95 and 96. We have jurisdiction under 35 U.S.C. § 6(b). We affirm. Invention The disclosed and claimed invention on appeal “relates to security in computers (including personal computers, servers, or other computerized gadgets, as explained in the definitions) and more specifically to a powerful comprehensive generic Security System and method for computers, based on automatic segregation between programs.” (Spec. 3). Appeal 2016-002962 Application 10/644,841 Representative Claim 95. A protection system for a computerized device having an operating system and at least one peripheral device selected from the group consisting of at least one storage device and at least one communication device, the protection system comprising: [LI] a monitoring and capturing sub-system configured to monitor activities relating to said at least one peripheral device, and to detect and to act against suspicious or dangerous activity; [L2] an encrypted database in operative connection with said operating system, and storing default security rules including default rules, pre distribution rules, additionally-acquired user- defined rules, and statistics of acceptable program behavior continuously learned during system operation, said monitoring and capturing sub-system being constructed and arranged to receive data from said encrypted database, and to block activities of said computerized device in violation of said default rules; and a user interface operatively connected to said operating system, and including means for performing learning acceptable behavior patterns to be added to said database, [L3] warning the user of perceived dangers of performing an action based on said database, and requesting user authorization to perform the action, the perceived dangers being malicious software attacks', wherein access to the encrypted database is tracked by the monitoring and capturing subsystem; wherein violation of the default security rules by unwarranted intrusion results in blocking of the activities of said computerized system and protection of the user against the unwarranted intrusion; and wherein the protection system logs all unauthorized and/or suspect activities in the computer and the user interface interacts 2 Appeal 2016-002962 Application 10/644,841 with the user to learn acceptable behavior patterns and to identify significant deviations from the behavior patterns, warn the user of perceived dangers and ask for user's authorization when needed. (Contested limitations LI, L2, and L3 are emphasized). Rejections A. Claim 95 is rejected under 35 U.S.C. § 103(a) as being unpatentable over the combined teachings and suggestions of Munson et al. (US 6,681,331 Bl, issued Jan. 20, 2004), Homing (US 7,430,670 Bl; issued Sept. 30, 2008), Mattsson (US 2002/0066038 Al; pub. May 30, 2002), Huber (US 2002/0049615 Al; pub. Apr. 25, 2002), and Angelo (US 5,944,821; issued Aug. 31, 1999). (Final Act. 4). B. Claim 96 is rejected under 35 U.S.C. § 103(a) as being unpatentable over the combined teachings and suggestions of Munson, Homing, Mattsson, Huber, Angelo, and Townsend (US 6,374,358 Bl; issued Apr. 16, 2002). (Final Act. 6). ANALYSIS We have considered all of Appellants’ arguments and any evidence presented. We disagree with Appellants’ arguments, and we adopt as our own: (1) the findings and legal conclusions set forth by the Examiner in the action from which this appeal is taken, and (2) the findings, legal conclusions, and explanations set forth in the Answer in response to 3 Appeal 2016-002962 Application 10/644,841 Appellants’ arguments. (Ans. 3—6). However, we highlight and address specific findings and arguments for emphasis in our analysis below. Rejection A of Independent Claim 95 under 35 U.S.C. § 103(a) Limitation LI Appellants contest limitation LI of independent claim 95: [LI] a monitoring and capturing subsystem configured to monitor activities relating to said at least one peripheral device, and to detect and to act against suspicious or dangerous activity; Referring to Munson (col. 7,11. 50-55), Appellants contend, inter alia: “Munson[’s] statement that ‘operations’ can be opening a file and writing to a device is not a teaching of any monitoring as claimed. Nowhere does the text cited by the examiner indicate activities that are monitored, detected, and acted against, which would be necessary to justify the rejection.” (App. Br. 4) (Emphasis added). However, we agree with the Examiner’s responsive explanation (Ans. 3), because we find a preponderance of the evidence supports the Examiner’s finding that Munson teaches or suggests limitation LI. As relied on by the Examiner {id.), see Munson’s description regarding monitoring to detect and respond to anomalies indicative of intrusive behavior: It is important to note that the present invention is broadly applicable to almost any type of software and can monitor activity occurring in any application or operating system to detect anomalies indicative of intrusive behavior. Prior art intrusion detection systems generally monitor events from the outside in and thus, can overlook an intrusion because they do not respond to variations in software internal activity that is not logged. In contrast, the present invention operates in real time, from within the application being monitored, and is able to 4 Appeal 2016-002962 Application 10/644,841 respond to subtle changes that occur as a result of an intrusion. Furthermore, since the present invention can be applied to any type of computational activity, it can be used to monitor almost any type of software system and detect intrusions, for example, in software running a web server, or in database management systems, or operating system shells, or file management systems. Any software that may impacted by deliberate misuse may be instrumented and monitored with the present invention to detect such misuse or intrusion. (Munson, col. 14,1. 54 — col. 15,1. 15; emphasis added). Contrary to Appellants’ arguments (App. Br. 4), we find the aforementioned description in Munson strongly supports the Examiner’s findings and legal conclusion of obviousness regarding contested limitation LI. Moreover, Appellants do not further respond in the Reply Brief to the Examiner’s findings and responsive explanations (Ans. 3-4) regarding limitation LI. Therefore, on this record, and based upon a preponderance of the evidence, Appellants have not persuaded us the Examiner erred regarding contested limitation LI. Limitation L2 Appellants contest limitation L2 of independent claim 95: [L2] an encrypted database in operative connection with said operating system, and storing default security rules including default rules, pre distribution rules, additionally-acquired user-defined rules; The Examiner finds (Final Act. 4) that Munson teaches: The system includes a database that stores profiles of known intrusive behavior along with profiles or normal behavior that is collected by monitoring the behavior of new programs (Col. 2, lines 26-39 & Col. 6, lines 26-40), which meets the limitation of a[n] database in operative connection with said operating system 5 Appeal 2016-002962 Application 10/644,841 Regarding the contested “encrypted database” (claim 95), Appellants (App. Br. 6—7) are attacking Munson in isolation.1 The cited portion of Munson (col. 6,11. 37-40) teaches a database that stores intrusion profiles: “There are two types of intrusion events. First, there are existing or known intrusion events. These have well-known and established intrusion profiles that are stored in intrusion database 805.” (Emphasis added). The Examiner (Final Act. 5—6) looks to the Mattsson reference for teaching the claimed encryption feature: “In order to protect information stored in a database, it is known to store sensitive data encrypted in the database.” (Mattsson 12) (Emphasis added). Appellants fail to address the Examiner’s specific findings regarding Mattsson. Appellants further contend the well-known and established intrusion profdes stored in Munson’s database 805 are not rules, and thus the Examiner’s reliance on such intrusion profiles as teaching the claimed “default security rules” is in error because “[a] ‘profile’ is not a ‘rule.’” (App. Br. 6). However, we find no definition of “default security rule” in Appellants’ claim or Specification that would preclude the Examiner’s broader reading, nor have Appellants argued a specific definition.2 (App. Br. 6).3 Turning to Appellants’ Specification for context, we find the argued 1 See In re Merck & Co., Inc., 800 F.2d 1091, 1097 (Fed. Cir. 1986) (One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.). 2 Arguments not made are waived. See 37 C.F.R. § 41.37(c)(l)(iv). 3 We give the contested claim limitations the broadest reasonable interpretation consistent with the Specification. See In re Morris, 111 F.3d 6 Appeal 2016-002962 Application 10/644,841 “default security rules” (App. Br. 6) are merely described in terms of exemplary, non-limiting embodiments, (e.g., Spec. 7—9, 17, 51; Figs. 1, 7). In particular, we find Appellants’ list of definitions in the Specification (11— 14) is silent regarding any definition of “default security rules”, “default rules”, or any rule. Therefore, on this record, we are not persuaded the Examiner’s reading of the “default security rules” recited in claim 95 on the well-known and established intrusion profdes stored in Munson’s intrusion database 805 (Munson, col. 6,11. 38-40; Fig. 8) is overly broad, unreasonable, or inconsistent with Appellants’ Specification.* * * 4 See n.3, supra. Accordingly, on this record, and based upon a preponderance of the evidence, Appellants have not persuaded us the Examiner erred regarding contested limitation L2. 1048, 1054 (Fed. Cir. 1997). See Spec. (p. 16) (“All of the descriptions in this and other sections are intended to be illustrative and not limiting.”). Accord Williamson v. Citrix Online, LLC, 792 F.3d 1339, 1346-47 (Fed. Cir. 2015) (“This court has repeatedly ‘cautioned against limiting the claimed invention to preferred embodiments or specific examples in the specification.’”) (Quoting Teleflex, Inc. v. Ficosa N. Am. Corp., 299 F.3d 1313, 1328 (Fed. Cir. 2002)). See also n.3, infra. 4 Because “applicants may amend claims to narrow their scope, a broad construction during prosecution creates no unfairness to the applicant or patentee.” In re ICON Health and Fitness, Inc., 496 F.3d 1374, 1379 (Fed. Cir. 2007) (citation omitted). 7 Appeal 2016-002962 Application 10/644,841 Limitation L3 Appellants contest limitation L3 of independent claim 95: [L3] warning the user of perceived dangers of performing an action based on said database, and requesting user authorization to perform the action, the perceived dangers being malicious software attacks', Regarding contested limitation L3, the Examiner finds (referring to Munson): When the current system activity is determined to be threatening an alarm is triggered (Col. 6, lines 40-44) and displayed to a user (Col. 15, lines 27-30), which meets the limitation of a user interface operatively connected to said operating system and including means for warning the user of perceived dangers based on said database, the perceived dangers being malicious software attacks, warn the user of perceived dangers. The system include[s] password necessary operations (Col. 7, lines 13-17), which meets the limitation of the user interface requesting user authorizations to perform an action, ask for user's authorization when needed. (Final Act. 5). Appellants contend: Munson only discusses adding a new user to a computer system (i.e., authorizing a user to use the system) and says nothing about requesting user authorization to perform an action that may bring malicious software attacks. The Munson recitation "establishing user authorization" refers only to allowing a new user to use the computer system (authorizing the user) as opposed to the user himself/herself authorizing a particular computer action as claimed. (App. Br. 8). We note Munson teaches in response to detecting a level 1 alarm (i.e., a warning) “indicating that new behavior has been observed on the system. 8 Appeal 2016-002962 Application 10/644,841 Typically, the level 1 alarm system would be referred to a system administrator and/or an artificial intelligence (AI) engine for review.” (Col. 6,11. 4A49). We find such referral to a system administrator at least suggests5 the contested “requesting user authorization to perform the action” in response to the warning (alarm) of the software intrusion(s) (i.e., “malicious software attacks” — claim 95). We find a system administrator is an authorized user who would know whether or not to “perform the action” (claim 95), or to take further appropriate action in response to the warning alarms taught by Munson. (Col. 6,11. 37-49). Therefore, on this record, and based upon a preponderance of the evidence, Appellants have not persuaded us the Examiner erred regarding contested limitation L3. Moreover, given the evidence cited by the Examiner (Final Act. 4—6; Ans. 3—6), we find combining the respective teachings of the cited references in the manner proffered by the Examiner would have merely realized a predictable result. See KSR, 550 U.S. 398, 416 (2007). The Supreme Court guides: Invention or discovery is the requirement which constitutes the foundation of the right to obtain a patent . . . unless more ingenuity and skill were required in making or applying the said improvement than are possessed by an ordinary mechanic acquainted with the business, there is an absence of that degree 5 “[T]he question under 35 U.S.C. § 103 is not merely what the references expressly teach but what they would have suggested to one of ordinary skill in the art at the time the invention was made.” Merck & Co., Inc. v. Biocraft Laboratories, Inc., 874 F. 2d 804, 807—808 (Fed. Cir. 1989), cert, denied, 493 U.S. 975 (1989); see also MPEP § 2123. 9 Appeal 2016-002962 Application 10/644,841 of skill and ingenuity which constitute the essential elements of every invention. Dunbar v. Myers, 94 U.S. 187, 197 (1876) (citing Hotchkiss v. Greenwood, 52 U.S. 248, 267 (1850)). We note that Hotchkiss was cited with approval by the Supreme Court in KSR, 550 U.S. at 407, 415, 427. The Supreme Court further guides: Section 103(a) forbids issuance of a patent when “the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.” KSR, 550 U.S. at 406. This reasoning is applicable here. On this record, we find a preponderance of the evidence supports the Examiner’s underlying factual findings and legal conclusion of obviousness. Nor have Appellants pointed to any evidence of record that shows combining the references in the manner proffered by the Examiner would have been “uniquely challenging or difficult for one of ordinary skill in the art” or would have “represented an unobvious step over the prior art.” Leapfrog Enters., Inc. v. Fisher-Price, Inc., 485 F.3d 1157, 1162 (Fed. Cir. 2007) (citing KSR, 550 U.S. at 418). Therefore, Appellants have not persuaded us of error regarding the Examiner’s legal conclusion of obviousness for independent claim 95. Accordingly, we sustain rejection A of independent claim 95. 10 Appeal 2016-002962 Application 10/644,841 Rejection B of Dependent Claim 96 Appellants advance no separate, substantive arguments regarding rejection B of dependent claim 96. (App. Br. 9). Arguments not made are waived. See 37 C.F.R. § 41.37(c)(l)(iv). Therefore, we sustain rejection B of claim 96. Reply Brief To the extent Appellants advance new arguments in the Reply Brief (e.g., Reply Br. 6—7 regarding the combinability of the cited references) not in response to a shift in the Examiner's position in the Answer, we note arguments raised in a Reply Brief that were not raised in the Appeal Brief or are not responsive to arguments raised in the Examiner’s Answer will not be considered except for good cause. See 37 C.F.R. § 41.41(b)(2). DECISION We affirm the Examiner’s rejections of claims 95 and 96 under 35 U.S.C. § 103(a). No time for taking any action connected with this appeal may be extended under 37 C.F.R. § 1.136(a)(1). See 37 C.F.R. § 41.50(f). AFFIRMED 11