Ex Parte O
Board of Patent Appeals and Interferences
Jun 29, 2010
11300943 (B.P.A.I. Jun. 29, 2010)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________
BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES
____________
Ex parte PATRICK CHARLES O’SULLIVAN
____________
Appeal 2009-011189
Application 11/300,943
Technology Center 2400
____________
Decided: June 29, 2010
____________

Before JAMES D. THOMAS, JOSEPH F. RUGGIERO, and MAHSHID D. SAADAT, Administrative Patent Judges.

SAADAT, Administrative Patent Judge.

DECISION ON APPEAL

Appellant appeals under 35 U.S.C. § 134(a) from a final rejection of claims 1-11, 13, 14, 16, 19, 20, 23-25, 27, 28, 30-33, and 37-43, which are all of the claims pending in this application as claims 12, 15, 17, 18, 21, 22, 26, 29, and 34-36 have been canceled. An oral hearing was conducted on this appeal on May 6, 2010. We have jurisdiction under 35 U.S.C. § 6(b).

We affirm.

STATEMENT OF THE CASE

Appellant’s invention relates to methods, systems, and computer program products for collecting data processing system status information by monitoring network communications with the system to observe transaction(s) associated with the data processing system. (Spec. ¶ [0018]).

Claims 1 and 2, which are illustrative of the claimed invention, read as follows:

1.
A method for monitoring, comprising:
gathering network communications between a source and a destination using an entity other than said source and said destination, said network communications include a plurality of data units;
grouping said data units into transactions;
analyzing said transactions;
determining that a quality event occurred for a particular transaction based on said analyzing of said transactions;
identifying a user identification associated with said particular transaction;
identifying a particular weight that is associated with said user identification;
assigning said particular weight to said quality event;
collecting information relevant to said quality event after and in response to determining that said quality event occurred, timing of commencement of said collecting is based on said particular weight; and
storing said collected information.

2. A method according to claim 1, further comprising:
assigning another weight to said quality event based on a transaction identifier associated with said quality event, said timing of commencement of said collecting is based on said particular weight and said another weight.

The Examiner has rejected claims 1-11, 13, 14, 16, 19, 20, 23-25, 27, 28, 30-33, and 37-43 under 35 U.S.C. § 103(a) as being unpatentable over Campbell (US 6,839,850 B1, issued Jan. 4, 2005, filed Mar. 4, 1999) in view of Mei (US 6,816,907 B1, issued Nov. 9, 2004, filed Aug. 24, 2000).

Rather than repeat the arguments of Appellant or the Examiner, we refer to the Briefs (Appeal Brief filed Nov. 6, 2008, Reply Brief filed Apr. 6, 2009) and the Answer (mailed Apr. 2, 2009) for their respective details. Only those arguments actually made by Appellant have been considered in this decision. Arguments that Appellant did not make in the Briefs have not been considered and are deemed to be waived. See 37 C.F.R. § 41.37(c)(1)(vii).

ISSUES

With respect to claim 1, Appellant argues (App. Br.
20-22) that Campbell does not teach the steps of “gathering network communications” because the messages gathered by the SI&W Engine are sent from the Audit Agent, which makes the Audit Agent the source of the data, not an “entity other than said source and said destination.” Appellant further contends (App. Br. 22-23) that Campbell, while disclosing grouping audits, includes no disclosure of grouping into transactions. Finally, Appellant asserts (App. Br. 23-25) that neither Campbell nor Mei collects information at a time based on the weight assigned to the quality event.

Regarding claim 2, Appellant contends (App. Br. 26-27) that neither reference discloses assigning another weight to the quality event. Appellant asserts (App. Br. 27) that the relied on portions of Mei merely provide differentiated services based on priority, and not two different priorities, whereas gauges in Campbell are not used to weight anything.

Appellant’s arguments present the following issues:

1. Does Campbell teach the claimed steps of:
a. “gathering network communications between a source and a destination using an entity other than said source and said destination;”
b. “grouping said data units into transactions;” and
c. “collecting information relevant to said quality event after and in response to determining that said quality event occurred, timing of commencement of said collecting is based on said particular weight,”
as recited in claim 1?

2. Does Campbell teach the claimed step of “assigning another weight to said quality event,” as recited in claim 2?

FINDINGS OF FACT

The following findings of fact (FF) are relevant to the issues involved in the appeal.

1.
Campbell relates to a method and system for detecting intrusion and misuse of data processing systems using a security Indications and Warning Engine (SI&W Engine) for determining potential security threats by processing tokens of user activity contained in system audits. (Col. 5, ll. 1-15.)

2. The audit preprocessing functions are accomplished by an Audit Agent that supports the SI&W process by collecting system audits produced on various network nodes, reformatting and reducing the volume of the data, and then forwarding the reformatted data or normalized audits as streams of audit records to a central consolidation point in the network, e.g., the Audit Server 114, where the reformatted data are processed by the SI&W Engine. (Col. 10, ll. 32-49.)

3. Campbell discloses that as normalized records are received by the SI&W Engine, the user actions are mapped into one or more applicable SI&W events. As shown in Figure 4, the AUDIT process 306 then increments counter gauges linked to that event in the associated Gauge Sets 400 (i.e., the set associated with that user and the set associated with that machine) to provide a direct measurement of activities being monitored. (Col. 13, ll. 58-65.)

4. As audit records are processed by the SI&W Engine 300, the audit records are collected and associated such that monitoring and analysis can be applied at different levels of abstraction. Audit events can be grouped into a related set of events (threads of activity), periods of activity (sessions), or trends of activity (multiple sessions) at the indicator level. For example, all audit records associated with a certain user may be grouped into a thread. Another thread could be all audit records for a certain computer system or all audit records for a network. Another thread could be all the audit records for two different users grouped together. As can be appreciated, the number of threads is potentially infinite. (Col. 14, l. 59 – col.
15, l. 4.)

5. The weighted value of the user can be offset with a significance offset and, subsequently, can be compared to other users on the system based on the significance of the initial failed superuser (su). Next, if user A logs into system C and receives a boundary violation, the system generates an internal warning based on user A’s activities. (Col. 15, ll. 34-45.)

6. Campbell discloses that the SI&W Engine 300 aggregates information in order to evaluate the potential for a security threat using sets of criteria associated with each monitored user and machine having associated threshold values used to trigger the criterion. (Col. 18, ll. 42-53.)

7. Mei provides differentiated services by a content provider on the Web in the form of faster response times in accessing the content provider’s web site. Mei discloses that a content provider attracts and retains its valuable customers by offering different levels of (average) response time based on different amount of allocated resources. For example, regardless of what load condition an Internet service provider (ISP) is experiencing, differentiated services allows a higher priority request to be serviced sooner than a lower priority request. (Col. 3, ll. 39-53.)

PRINCIPLES OF LAW

In rejecting claims under 35 U.S.C. § 103, it is incumbent upon the Examiner to establish a factual basis to support the legal conclusion of obviousness. See In re Fine, 837 F.2d 1071, 1073 (Fed. Cir. 1988). Furthermore,

“there must be some articulated reasoning with some rational underpinning to support the legal conclusion of obviousness” . . . . [H]owever, the analysis need not seek out precise teachings directed to the specific subject matter of the challenged claim, for a court can take account of the inferences and creative steps that a person of ordinary skill in the art would employ.

KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 418 (2007) (quoting In re Kahn, 441 F.3d 977, 988 (Fed.
Cir. 2006)).

The test for obviousness is what the combined teachings of the references would have suggested to one of ordinary skill in the art. See Kahn, 441 F.3d at 987-88; In re Young, 927 F.2d 588, 591 (Fed. Cir. 1991); In re Keller, 642 F.2d 413, 425 (CCPA 1981).

ANALYSIS

Claims 1, 7, 8, 10, 11, and 37-40

Appellant’s argument that the claimed “entity other than said source and said destination” is not the same as the Audit Agent in Campbell is not persuasive. Contrary to Appellant’s arguments (App. Br. 19-22), the claimed entity is not limited to an entity that is physically separate from the source and the destination because only a functional relationship between a source or destination and the recited entity is required in claim 1. We therefore conclude that any entity that may even have a function other than or in addition to a source and a destination meets the claimed requirement of an entity other than said source and said destination.

As such, we agree with the Examiner’s position (Ans. 10) that the detected situations are further brought to the attention of ISO that functions as a destination for communications regarding the threat evaluations (FF 3). Campbell discloses that the Audit Agents collect audit information produced on network nodes, group the audits by reformatting them, and send the reformatted data to a central consolidation point such as the Audit Server (FF 2). Alternatively, even if the messages are considered to be sent by the Audit Agents, the claimed entity still reads on the Audit Agent that gathers network communications because the intruders are the source of the network communications intended for the destination computers.

Appellant further contends (App. Br.
22-23) that Campbell’s grouping of audits is not the same as the claimed “grouping said data units into transactions.” Appellant points to the examples of transactions disclosed in page 13 of Appellant’s Specification and asserts that “grouping said data units into transactions” is not the same as Campbell’s grouping of audit record into threads (App. Br. 23). The Examiner responds (Ans. 11) that while the limitations from the Specification cannot be read into the claims, the term “transaction” is defined in Appellant’s Specification as “a series of related network communications that perform a function,” which reads on Campbell’s audit data grouped into related sets of events.

We disagree with Appellant and find that Campbell’s threads also include a series of related communications relevant to a particular function (FF 3-5). Campbell specifically groups audit events and uses normalized records that are mapped into events according to Gauge sets associated with a user in order to measure the monitored activities (FF 3). Campbell further groups audit events into related events in the form of threads of activity, periods of activity, or trends of activity for a certain user or computer that associate with the user identification or the computer identification (FF 4).

We observe that the claimed terms “transaction” and “session” refer to abstract concepts having functions similar to the term “event,” which represent users’ activities within the monitored computer network environment. See FF 1. Therefore, grouping the events into different threads used for monitoring and analysis at different levels of abstraction (FF 4) meets the claimed requirement. We also agree with the Examiner (Ans. 11-12) and conclude that these groupings result in a determination that a quality event occurred in the form of detecting intrusion (FF 6).
We also observe that the term “quality event” merely describes a non-functional attribute of the network communication without imparting any structural constraints in terms of a measured element or resulting signal. As such, because detecting intrusion in Campbell relates to the quality of communication, we conclude that analyzing data from the Audit Agents in order to evaluate the potential for a security threat (FF 6) meets the claimed step of determining that a quality event occurred.

Finally, with respect to Mei, Appellant discusses (App. Br. 24) the claim limitation of “timing of commencement of said collecting is based on said particular weight,” which the Examiner found to be disclosed by Campbell. We agree with the Examiner (Ans. 12-13) that the differentiated services taught in Mei (FF 7) suggests using different weighted priorities in providing services in the audit method of Campbell.

The rejection of independent claim 1 as being obvious over Campbell and Mei is therefore sustained, as is the rejection of dependent claims 7, 8, 10, 11, and 37-40 because those claims are not separately argued (App. Br. 26). 37 C.F.R. § 41.37(c)(1)(vii) (2007).

Claims 2-6 and 9

Appellant contends (App. Br. 26-27) that Campbell’s disclosure of audit records does not mention weights while the relied on portion of Mei merely refers to differentiated services based on priority. Appellant further argues (App. Br. 27) that, since claim 2 requires the use of two weights, two different priorities are needed even if the Examiner takes Mei’s priority to be analogous to weight.

We disagree. As stated by the Examiner (Ans. 13), Campbell assigns weighted values to the user’s activities, which indicate a quality event or intrusion when complex session activities in multiple sessions are evaluated (FF 7). Additionally, contrary to Appellant’s assertion (App. Br.
27) that gauges are not weights, Campbell refers to gauges as mechanisms used by the SI&W Engine for monitoring the weighted values to identify security violations.

Appellant provides similar arguments for claims 3-6 and 9 (App. Br. 27-29) and asserts that combining the weights assigned to the quality event is not taught by Mei. However, as discussed above, Mei discloses assigning multiple weighted values to the activities which provide a combined assessment of the user’s activities in multiple sessions (FF 7).

In view of the above discussion, since all of the claimed limitations are taught or suggested by the combination of Campbell and Mei, the Examiner’s rejection of claims 2-6 and 9 is sustained.

Claims 13, 14, 16, 19, 20, 23-25, 27, 28, 30-33, and 41-43

Appellant mainly relies on similar arguments made with respect to claim 1 and asserts that the combination of Campbell and Mei does not disclose the features recited in these claims (App. Br. 29-34). For the same reasons discussed above regarding claim 1, we agree with the Examiner that all of the claimed features are taught or suggested by the applied prior art and sustain the obviousness rejection of claims 13, 14, 16, 19, 20, 23-25, 27, 28, 30-33, and 41-43.

ORDER

The decision of the Examiner rejecting claims 1-11, 13, 14, 16, 19, 20, 23-25, 27, 28, 30-33, and 37-43 is affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED

babc

Vierra Magen Marcus & DeNiro LLP
575 Market Street, Suite 2500
San Francisco, CA 94105