Ex Parte O
Board of Patent Appeals and Interferences
Jun 29, 2010
11304167 (B.P.A.I. Jun. 29, 2010)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________
BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES
____________
Ex parte PATRICK CHARLES O’SULLIVAN
____________
Appeal 2009-011190
Application 11/304,167
Technology Center 2400
____________
Decided: June 29, 2010
____________

Before JAMES D. THOMAS, JOSEPH F. RUGGIERO, and MAHSHID D. SAADAT, Administrative Patent Judges.

SAADAT, Administrative Patent Judge.

DECISION ON APPEAL

Appellant appeals under 35 U.S.C. § 134(a) from a non-final rejection of claims 1-35, which are all of the claims pending in this application. An oral hearing was conducted on this appeal on May 6, 2010. We have jurisdiction under 35 U.S.C. § 6(b). We affirm.

STATEMENT OF THE CASE

Appellant’s invention relates to methods, systems, and computer program products for collecting data processing system status information by monitoring network communications with the data processing system to observe transaction(s) associated with the system. (Spec. ¶ [0018].) Claim 1, which is illustrative of the claimed invention, reads as follows:

1.
A method for accessing communication information, comprising:
    gathering network communications using an intermediate entity, said network communications include a plurality of data units;
    grouping said data units into multiple groups based on one or more identifiers in said data units, a particular group of said multiple groups includes a first set of data units associated with a particular identifier, said first set of data units include a particular data unit that includes a particular user identification in said particular data unit and another data unit that does not have said particular user identification in said another data unit;
    binding said particular user identification to data units of said particular group by associating said particular user identification with said particular identifier, said binding includes associating said particular user identification with said another data unit;
    monitoring service quality for said multiple groups after and based on said grouping, including determining that a quality event occurred for said another data unit; and
    reporting about said quality event for said another data unit based on said particular user identification.

The Examiner has rejected claims 1-35 under 35 U.S.C. § 102(e) as being anticipated by Campbell (US 6,839,850 B1, issued Jan. 4, 2005, filed Mar. 4, 1999).

Rather than repeat the arguments of Appellant or the Examiner, we refer to the Briefs (Appeal Brief filed Nov. 6, 2008, Reply Brief filed Apr. 4, 2009) and the Answer (mailed Mar. 4, 2009) for their respective details. Only those arguments actually made by Appellant have been considered in this decision. Arguments that Appellant did not make in the Briefs have not been considered and are deemed to be waived. See 37 C.F.R. § 41.37(c)(1)(vii).

ISSUES

With respect to claim 1, Appellant argues (App. Br.
17-20) that Campbell does not teach the step of “gathering network communications” because the messages gathered by the SI&W Engine are sent from the Audit Agent, which makes the Audit Agent the source of the data, not an intermediate entity. Appellant further contends (App. Br. 20-22) that Campbell includes no disclosure of grouping of audit records and binding the user ID to an audit record that does not have the user ID. Finally, Appellant asserts (App. Br. 22) that Campbell collects data on the computers to detect improper intrusions, not for detecting service quality.

Regarding claim 2, Appellant contends (App. Br. 23-25) that “grouping said data units into multiple groups comprises grouping said data units into transactions and grouping said transactions into sessions” is not taught in Campbell. Appellant further argues that Campbell includes no discussion of user log into a system and thus, fails to disclose the claimed “said another data unit is part of a transaction subsequent to said login transaction, but in the same session as said login transaction.”

Appellant’s arguments present the following issues:

1. Does Campbell teach the claimed steps of:
   a. “gathering network communications using an intermediate entity;”
   b. “binding said particular user identification to data units of said particular group by associating said particular user identification with said particular identifier, said binding includes associating said particular user identification with said another data unit;” and
   c. “monitoring service quality for said multiple groups,”
   as recited in claim 1?

2. Does Campbell teach the claimed steps of:
   a. “grouping said data units into multiple groups comprises grouping said data units into transactions and grouping said transactions into sessions;” and
   b.
“said another data unit is part of a transaction subsequent to said login transaction, but in the same session as said login transaction,”
   as recited in claim 2?

FINDINGS OF FACT

The following findings of fact (FF) are relevant to the issues involved in the appeal.

1. Campbell relates to a method and system for detecting intrusion and misuse of data processing systems using a Security Indications and Warning Engine (SI&W Engine) for determining potential security threats by processing tokens of user activity contained in system audits. (Col. 5, ll. 1-15.)

2. The audit preprocessing functions are accomplished by an Audit Agent that supports the SI&W process by collecting system audits produced on various network nodes, reformatting and reducing the volume of the data, and then forwarding the reformatted data or normalized audits as streams of audit records to a central consolidation point in the network, e.g., the Audit Server 114, where the reformatted data are processed by the SI&W Engine. (Col. 10, ll. 32-49.)

3. Campbell discloses that as normalized records are received by the SI&W Engine, the user actions are mapped into one or more applicable SI&W events. As shown in Figure 4, the AUDIT process 306 then increments counter gauges linked to that event in the associated Gauge Sets 400 (i.e., the set associated with that user and the set associated with that machine) to provide a direct measurement of activities being monitored. (Col. 13, ll. 58-65.)

4. As audit records are processed by the SI&W Engine 300, the audit records are collected and associated such that data monitoring and analyzing can be applied at different levels of abstraction. Audit events can be grouped into related sets of events (threads of activity), periods of activity (sessions), or trends of activity (multiple sessions) at the indicator level. For example, all audit records associated with a certain user may be grouped into a thread.
Another thread could be all audit records for a certain computer system or all audit records for a network. Another thread could be all the audit records for two different users grouped together. As can be appreciated, the number of threads is potentially infinite. (Col. 14, l. 59 – col. 15, l. 4.)

5. The weighted value of the user can be offset with a significance offset and, subsequently, can be compared to other users on the system based on the significance of the initial failed superuser (su). Next, if user A logs into system C and receives a boundary violation, the system generates an internal warning based on user A’s activities. (Col. 15, ll. 34-45.)

6. Campbell discloses that the SI&W Engine 300 aggregates information in order to evaluate the potential for a security threat using sets of criteria associated with each monitored user and machine having associated threshold values used to trigger the criterion. (Col. 18, ll. 42-53.)

PRINCIPLES OF LAW

In rejecting claims under 35 U.S.C. § 102, “[a] single prior art reference that discloses, either expressly or inherently, each limitation of a claim invalidates that claim by anticipation.” Perricone v. Medicis Pharm. Corp., 432 F.3d 1368, 1375-76 (Fed. Cir. 2005) (citing Minn. Mining & Mfg. Co. v. Johnson & Johnson Orthopaedics, Inc., 976 F.2d 1559, 1565 (Fed. Cir. 1992)); see also In re Paulsen, 30 F.3d 1475, 1478-79 (Fed. Cir. 1994). “Anticipation of a patent claim requires a finding that the claim at issue ‘reads on’ a prior art reference.” Atlas Powder Co. v. IRECO, Inc., 190 F.3d 1342, 1346 (Fed. Cir. 1999) (quoting Titanium Metals Corp. of Am. v. Banner, 778 F.2d 775, 781 (Fed. Cir. 1985)).

It is well settled that if a prior art device inherently possesses the capability of functioning in the manner claimed, anticipation exists regardless of whether there was recognition that it could be used to perform the claimed function. See, e.g., In re Schreiber, 128 F.3d 1473, 1477 (Fed. Cir. 1997).

ANALYSIS

Claims 1, 3-5, 8-12, 15, 16, and 34

Appellant’s argument that the claimed “intermediate entity” is not the same as the Audit Agent in Campbell is not persuasive. Contrary to Appellant’s assertions (App. Br. 17-20), the claimed intermediate entity is not limited to an entity that is physically located in an intermediate position because no specific physical relationship between a source or destination and the recited intermediate entity is required in claim 1. As such, we agree with the Examiner’s position (Ans. 9-10) and conclude that any entity that may even have an intermediate function, with no regard for where it is physically located, meets the claimed intermediate entity. In fact, Campbell, in the portion discussed by Appellant (App. Br. 17-18), discloses that the Audit Agents collect audit information produced on network nodes, group the audits by reformatting them, and send the reformatted data to a central consolidation point such as the Audit Server (FF 2). Alternatively, even if the messages are considered to be sent by the Audit Agents, the intermediate entity still reads on the Audit Agent that gathers network communications because the intruders are the source of the network communications intended for the destination computers.

Appellant further contends (App. Br. 20-22) that the cited portions at columns 13 and 16 of Campbell do not teach the recited step of “binding said particular user identification to data units of said particular group by associating said particular user identification with said particular identifier.” Appellant argues (App. Br.
20) that the claimed feature requires at least two data units within the first set of data units, the “particular data unit” and the “another data unit,” that are grouped by the “particular identifier.” The Examiner responds (Ans. 10) that grouping audit records into related events or threads meets the binding step.

While we recognize that the claimed “first set of data units” includes “a particular data unit that includes a particular user identification” and “another data unit” without the user identification (see claim 1), we disagree with Appellant (Reply Br. 4) that the claimed terms are distinguished over the grouping of audit events in Campbell. We generally agree with the Examiner’s analysis of grouping audit events in Campbell (Ans. 10) and add that Campbell uses normalized records that are mapped into events according to Gauge sets associated with a user in order to measure the monitored activities (FF 3). Campbell further groups audit events into related events in the form of threads of activity, periods of activity, or trends of activity for a certain user or computer associated with the user identification or the computer identification (FF 4). We find that, as the number of threads is potentially infinite (id.), these groupings result in at least two sets of data units that may be further grouped by associating the audit records of two users or the audit records of the entire network (id.).

Finally, with respect to Appellant’s contention (App. Br. 22) that Campbell includes no discussion of “service quality,” we agree with the Examiner (Ans. 10) that detecting intrusion in Campbell constitutes a kind of service quality. We also observe that the term “service quality” merely describes a non-functional attribute of the network communication without imparting any structural constraints in terms of a measured element or resulting signal.
As such, because detecting intrusion in Campbell relates to the quality of communication, we conclude that analyzing data from the Audit Agents in order to evaluate the potential for a security threat (FF 6) meets the claimed step of monitoring service quality.

The rejection of independent claim 1 for anticipation by Campbell is therefore sustained, as is the anticipation rejection of dependent claims 3-5, 8-12, 15, 16, and 34 because those claims are not separately argued (App. Br. 23). 37 C.F.R. § 41.37(c)(1)(vii) (2007).

Claim 2

Appellant contends (App. Br. 23) that Campbell mentions grouping audits, but includes no discussion of grouping into transactions. Appellant further argues (App. Br. 24-25) that Campbell’s grouping of records by computer systems or by users is not the same as grouping into transactions. We disagree. The terms “transaction” and “session” are abstract concepts having functions similar to the term “event,” and represent users’ activities within the monitored computer network environment. See FF 1. Therefore, grouping the events into different threads used for monitoring and analysis at different levels of abstraction (FF 4) meets the claimed requirement.

We also disagree with Appellant’s assertion (App. Br. 25) that Campbell’s disclosure includes using the login transaction to provide a user identification for the “another data unit,” which does not have the user identification. As identified by the Examiner (Ans. 11), we find that Campbell uses a weighted value of the user to compare to other users or events such that, as part of the same set of activities including the log in, the group of events associated with user A’s activities are grouped in one or more threads (FF 4-5).

In view of the above discussion, since all of the claimed limitations are present in the disclosure of Campbell, the Examiner’s anticipation rejection of claim 2 is sustained.

Claims 6, 7, 13, 14, 17-33, and 35

Appellant mainly relies on similar arguments presented with respect to claims 1 and 2 and asserts that Campbell does not disclose the features recited in these claims (App. Br. 26-33). For the same reasons discussed above regarding claims 1 and 2, we agree with the Examiner that all of the claimed features are taught in Campbell’s disclosure and sustain the anticipation rejection of claims 6, 7, 13, 14, 17-33, and 35.

ORDER

The decision of the Examiner rejecting claims 1-35 is affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED

Vierra Magen Marcus & DeNiro LLP
575 Market Street, Suite 2500
San Francisco, CA 94105