Ex Parte Reves, Patent Trial and Appeal Board, Feb. 24, 2016
Application No. 11/227,763 (P.T.A.B. Feb. 24, 2016)

UNITED STATES PATENT AND TRADEMARK OFFICE
United States Department of Commerce, Commissioner for Patents, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

Application No.: 11/227,763
Filing Date: 09/15/2005
First Named Inventor: Joseph P. Reves
Attorney Docket No.: 82212497
Confirmation No.: 8194
Examiner: ANSARI, NAJEEBUDDIN
Art Unit: 2468
Notification Date: 02/26/2016
Delivery Mode: ELECTRONIC
Correspondence address (customer no. 56436): Hewlett Packard Enterprise, 3404 E. Harmony Road, Mail Stop 79, Fort Collins, CO 80528

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on the above-indicated "Notification Date" to the following e-mail address(es): hpe.ip.mail@hpe.com, mkraft@hpe.com, chris.mania@hpe.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte JOSEPH P. REVES

Appeal 2014-004002
Application 11/227,763
Technology Center 2400

Before CAROLYN D. THOMAS, JOSEPH P. LENTIVECH, and JOHN R. KENNY, Administrative Patent Judges.

LENTIVECH, Administrative Patent Judge.

DECISION ON APPEAL

Appellant[1] seeks our review under 35 U.S.C. § 134(a) of the Examiner's final rejection of claims 1, 3, 5, 6, 8, 10, 13, 25-27, and 29-34. Claims 2, 4, 7, 9, 11, 12, 14-24, 28, and 35 have been canceled. See App. Br. 21-25. We have jurisdiction over the pending claims under 35 U.S.C. § 6(b). We reverse.

[1] According to Appellant, the real party in interest is Hewlett-Packard Development Company, L.P. App. Br. 2.
STATEMENT OF THE CASE

Appellant's Invention

Appellant's invention generally relates to detecting nodes in a computer network that are infected with aberrant code. Spec., Abstract; 1:3-4. Traffic conversation information is obtained and analyzed to identify nodes suspected of being infected with aberrant code. Spec., Abstract. Anomaly analysis is then performed on the traffic conversation information associated with the suspected nodes. Any nodes infected with aberrant code are identified based on the anomaly analysis. Id.

Claim 1, which is illustrative, reads as follows:

    1. A method, comprising:
    obtaining a first plurality of values representative of data transported via respective ones of a plurality of traffic conversations within an enterprise network during an analysis period;
    computing, via a processor, a statistical attribute of the first plurality of values;
    computing, via the processor, a threshold based on the computed statistical attribute;
    comparing the first plurality of values to the computed threshold to identify a subset of nodes of the enterprise network suspected of including aberrant code; and
    identifying from the subset of nodes a first node as including the aberrant code based on a second plurality of values characterizing destinations contacted by respective ones of the subset of nodes.

Rejection

Claims 1, 3, 5, 6, 8, 10, 13, 25-27, and 29-34 stand rejected under 35 U.S.C. § 102(b) as being anticipated by Etheridge (US 2004/0054925 A1; published Mar. 18, 2004). Final Act. 2-10.
ANALYSIS[2]

Claim 1

Dispositive Issue: Did the Examiner err by finding Etheridge discloses:

    comparing the first plurality of values to the computed threshold to identify a subset of nodes of the enterprise network suspected of including aberrant code; and
    identifying from the subset of nodes a first node as including the aberrant code based on a second plurality of values characterizing destinations contacted by respective ones of the subset of nodes,

as recited in claim 1?

Appellant contends the Examiner erred in finding Etheridge discloses the disputed limitations because:

    [T]he system of Etheridge does not (1) identify a subset of nodes suspected of including aberrant code and (2) identify from the subset of nodes suspected of including aberrant code a node as including the aberrant code. While the system of Etheridge identifies certain computers as attackers, the Etheridge system performs only a single stage analysis to detect the attackers. The identified attackers of Etheridge are not subject to a secondary analysis including consideration of destinations contacted by the identified attackers. Put another way, Etheridge does not identify attacking computers via a primary and a secondary analysis. Instead, Etheridge labels a computer as an attacker based on traffic associated with the computer and moves on to taking countermeasures without subjecting the identified attacker to a secondary analysis (e.g., without analyzing values characterizing destinations contacted by the attacker and other identified attackers).

Reply Br. 5.

[2] Our decision refers to Appellant's Appeal Brief filed July 12, 2013 ("App. Br."); Appellant's Reply Brief filed January 22, 2014 ("Reply Br."); the Examiner's Answer mailed November 22, 2013 ("Ans."); the Final Office Action mailed December 20, 2012 ("Final Act."); and the original Specification filed August 31, 2007 ("Spec.").
Appellant further contends Etheridge does not disclose collecting the destination IP address to identify a node as including aberrant code but, instead, the destination IP address "is recorded in Etheridge in case the system must resort to cutting off traffic to the corresponding nodes." App. Br. 15.

In response, the Examiner finds:

    If the decision module determines that the ratio of data packets transmitted from computer A to computer B over the data packets transmitted from computer B to computer A exceeds the threshold value, then the method has detected an attack against computer B by computer A. Thus a first node (computer A) is identified as an attacker comprising aberrant code based on a comparison of the amount of destination packets transmitted to another computer or node. Examiner notes since a ratio that is based on the traffic sent to a destination node (i.e. computer B) from a first node (computer A) is determined and is compared to a threshold to determine an attack by computer A, Etheridge inherently teaches and/or implies identifying a first node (i.e. computer A) as including aberrant code by comparing a value based on a comparison of the amount of packets transmitted to a destination contacted from a first node.

Ans. 15.

Appellant, in response, contends:

    [T]he cited aspect of Etheridge (determining a ratio of traffic from computer A to computer B versus traffic from computer B to computer A) cannot be reasonably cited against both of the above elements of claim 1. In particular, element (2) of claim 1 sets forth identifying a node from a subset of suspected nodes, where the subset of nodes has already been identified in element (1) of claim 1. Even if the identification of computer A as an attacker in Etheridge is considered an identification of a suspected node (i.e., an attacker), Etheridge's determination of whether computer A is an attacker ends with that determination.
    That is, Etheridge includes a single identification of an attacker, but does not include two levels of analysis. As such, the same identification of computer A as an attacker cannot be cited against both element (1) and element (2) of claim 1. Instead, computer A and computer B of Etheridge are not suspected nodes when the data packet ratio of FIG. 12 is performed.

Reply Br. 7-8.

We find Appellant's contentions persuasive. Etheridge discloses observing network traffic and establishing a threshold for abnormal network traffic based on the observations and other considerations. Etheridge ¶ 15. Etheridge discloses detecting an attack against computer B by computer A when the ratio of data packets transmitted from computer A to computer B over the data packets transmitted from computer B to computer A exceeds the threshold. Etheridge ¶ 103. Although Appellant's Specification provides several examples of "values characterizing destinations," it does not expressly define the phrase. Based on the plain meaning of the terms in the phrase, Etheridge's collected destination IP addresses are within the broadest reasonable definition of the phrase "values characterizing destinations." As such, we agree with the Examiner (Ans. 15) that Etheridge's detection of computer A as attacking computer B discloses identifying a first node as including aberrant code based on a plurality of values characterizing destinations contacted by the first node (e.g., computer A).

However, we do not find sufficient evidence to support the Examiner's finding (Ans. 15) that Etheridge teaches identifying the first node from a subset of nodes suspected of including aberrant code. We agree with Appellant (Reply Br. 7-8) that Etheridge discloses performing a single analysis (e.g., the comparison of the ratio to the threshold) to identify an attack by one node (e.g., computer A) on another node (e.g., computer B) (i.e., identifying a subset of nodes) and does not further disclose identifying a first node including aberrant code from the subset of suspected nodes, as required by claim 1. See Etheridge ¶¶ 99-104. As such, we are persuaded the Examiner erred in rejecting claim 1 and the claims dependent therefrom. Appellant has shown at least one reversible error in the Examiner's rejection and, therefore, we need not reach Appellant's remaining contentions.

Independent claims 8 and 25 recite commensurate limitations to those of claim 1 discussed above. Accordingly, we similarly are persuaded the Examiner erred in rejecting claims 8 and 25, and the claims dependent therefrom, for the reasons discussed supra.

DECISION

As such, we reverse the Examiner's rejection of claims 1, 3, 5, 6, 8, 10, 13, 25-27, and 29-34.

REVERSED
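As an added illustration that is not part of the decision, the patent, or Etheridge, the following Python contrasts the two-stage structure of claim 1 (threshold on per-node traffic values to pick a suspected subset, then a second look at destinations contacted by that subset only) with the single-stage A-to-B/B-to-A packet-ratio comparison the Board attributes to Etheridge, run over constructed flow records. The mean-plus-stdev threshold and the count of distinct destinations are assumed choices standing in for the claim's "statistical attribute" and "values characterizing destinations"; the node names and packet counts are invented.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records for illustration: (source, destination, packets).
# Not taken from the patent, the decision, or Etheridge.
FLOWS = [
    ("host1", "srv1", 120), ("srv1", "host1", 118),
    ("host2", "srv1", 90), ("srv1", "host2", 95),
    ("host3", "srv2", 110), ("srv2", "host3", 105),
    ("host4", "srv1", 100), ("srv1", "host4", 99),
    # "scan": heavy, almost one-sided traffic to many destinations
    ("scan", "h10", 400), ("scan", "h11", 400),
    ("scan", "h12", 400), ("scan", "h13", 400), ("h10", "scan", 2),
    # "backup": heavy but bidirectional traffic to a single destination
    ("backup", "nas", 1600), ("nas", "backup", 1500),
    # "sensor": low-volume one-way telemetry with no reply traffic
    ("sensor", "collector", 30),
]

def two_stage_detection(flows, k=1.0, min_destinations=3):
    """Claim 1 structure: (1) per-node traffic values vs. a threshold derived
    from a statistical attribute (mean + k*stdev, an assumed choice) give a
    suspected subset; (2) only that subset is examined on a second value, the
    count of distinct destinations contacted (an assumed proxy for the claim's
    'values characterizing destinations')."""
    volume, dests = defaultdict(int), defaultdict(set)
    for src, dst, pkts in flows:
        volume[src] += pkts
        dests[src].add(dst)
    values = list(volume.values())
    threshold = mean(values) + k * pstdev(values)
    suspects = {n for n, v in volume.items() if v > threshold}
    infected = {n for n in suspects if len(dests[n]) >= min_destinations}
    return threshold, suspects, infected

def single_stage_ratio(flows, ratio_threshold=10.0):
    """Etheridge as the decision describes it: computer A is an attacker of B
    when packets A->B divided by packets B->A exceeds a threshold. One
    comparison per pair, with no narrowing to a suspected subset first."""
    pkts = defaultdict(int)
    for src, dst, n in flows:
        pkts[(src, dst)] += n
    attackers = set()
    for (a, b), n_ab in pkts.items():
        n_ba = pkts.get((b, a), 0)
        if n_ba == 0 or n_ab / n_ba > ratio_threshold:  # no replies counts as exceeding
            attackers.add(a)
    return attackers
```

On this input the two-stage method narrows three high-volume nodes to "scan" alone, while the single-stage ratio also flags the low-volume one-way "sensor"; the second stage is what lets a heavy but legitimate backup and a quiet telemetry sender pass.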