Ex Parte Schaad
Patent Trial and Appeal Board
May 10, 2017
13598916 (P.T.A.B. May. 10, 2017)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 13/598,916
FILING DATE: 08/30/2012
FIRST NAMED INVENTOR: Andreas Schaad
ATTORNEY DOCKET NO.: 13913-0682001
CONFIRMATION NO.: 1031

32864 7590 05/12/2017
FISH & RICHARDSON, P.C. (SAP)
PO BOX 1022
MINNEAPOLIS, MN 55440-1022

EXAMINER: DOAN, HUAN V
ART UNIT: 2437
PAPER NUMBER:
NOTIFICATION DATE: 05/12/2017
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): PATDOCTC@fr.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte ANDREAS SCHAAD

Appeal 2017-003318
Application 13/598,916¹
Technology Center 2400

Before MAHSHID D. SAADAT, ALLEN R. MacDONALD, and JOHN P. PINKERTON, Administrative Patent Judges.

PINKERTON, Administrative Patent Judge.

DECISION ON APPEAL

Appellant appeals under 35 U.S.C. § 134(a) from the Examiner’s Final Rejection of claims 1–16, which constitute all the claims pending in this application. We have jurisdiction under 35 U.S.C. § 6(b).

We affirm.

¹ The real party in interest identified by Appellant is SAP SE. Br. 2.

STATEMENT OF THE CASE

Introduction

Appellant’s described and claimed invention relates generally to “methods, systems, and computer-readable storage mediums for risk-based data flow control in a cloud environment.” Abstract.²

Claim 1 is representative and reads as follows (with the disputed limitation emphasized):

1.
A computer-implemented method for risk-based data flow control in a cloud environment, the method being executed using one or more processors and comprising:

intercepting, by the one or more processors, first data transmitted from a first application to a second application before receipt of the first data at the second application, the first application and the second application being hosted within the cloud environment;

processing, by the one or more processors, the first data to provide a first risk factor, the first risk factor reflecting a degree of risk if the first data is received by the second application, wherein the first risk factor is determined based on one or more non-intended usages of at least a portion of the first data and based on one or more probabilities, each probability being associated with a respective non-intended usage that is defined based on a usage control policy that is applied to the first application;

comparing, by the one or more processors, the first risk factor to an acceptable risk value to determine whether the first risk factor exceeds the acceptable risk value;

in response to determining that the first risk factor exceeds the acceptable risk value, generating, by the one or more processors, first sanitized data based on the first data, the first risk factor and a first access control policy associated with the first data;

verifying, by the first application, that the first sanitized data is acceptable for use with the second application by determining that the first sanitized data comprises a data object that is necessary for the second application to perform a service; and

based on verifying, transmitting, by the one or more processors, the first sanitized data to the second application.

Br. 20 (App’x. of Claims).

² Our Decision refers to the Final Office Action mailed Aug. 20, 2015 (“Final Act.”), Appellant’s Appeal Brief filed Jan. 11, 2016 (“Br.”), the Examiner’s Answer mailed July 15, 2016 (“Ans.”), and the original Specification filed Aug. 30, 2012 (“Spec.”).

Rejections on Appeal

Claims 1–4, 6–8, 11, and 14–16 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Latchem et al. (US 2012/0066769 A1; published Mar. 15, 2012) (“Latchem”), in view of Anderson et al. (US 2008/0168529 A1; published July 10, 2008) (Anderson).

Claims 5, 9, 10, 12 and 13 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Latchem, in view of Anderson, and further in view of Aaron et al. (US 2006/0123482 A1; published June 8, 2006) (Aaron).

ANALYSIS

We have reviewed the Examiner’s rejections in light of Appellant’s arguments in the Appeal Brief (see Br. 12–18) and are not persuaded the Examiner has erred. Unless otherwise noted, we adopt as our own the findings and reasons set forth by the Examiner in the Office Action from which this appeal is taken (Final Act. 2–28) and in the Examiner’s Answer (Ans. 2–8), and we concur with the conclusions reached by the Examiner. For emphasis, we consider and highlight specific arguments as presented in the Appeal Brief.

Appellant argues the combination of Latchem and Aaron fails to teach or suggest processing ...
the first data to provide a first risk factor, the first risk factor reflecting a degree of risk if the first data is received by the second application, wherein the first risk factor is determined based on one or more non-intended usages of at least a portion of the first data and based on one or more probabilities, each probability being associated with a respective non-intended usage that is defined based on a usage control policy that is applied to the first application, and in response to determining that the first risk factor exceeds the acceptable risk value, generating . . . first sanitized data based on the first data, the first risk factor and a first access control policy associated with the first data, as recited in independent claim 1 and similarly recited in independent claims 15 and 16. See Br. 12. For the reasons discussed below, we are not persuaded by Appellant’s argument.

In particular, Appellant argues Latchem merely discusses risk in a general sense and fails to teach or suggest risk factors, much less risk factors based on non-intended usages and/or probabilities. See Br. 14–15. Appellant further argues Latchem describes creating obfuscated data by applying a selected security template, which is different than generating sanitized data based on data, a risk factor and an access control policy associated with the data. See Br. 15–17.

We do not agree with Appellant’s arguments. Instead, we agree with the Examiner that the claimed “risk factor,” interpreted broadly but reasonably in light of Appellant’s specification, reads on Latchem’s identified security problem (i.e., security risk) when confidential or other sensitive data is lost. See Final Act. 5 (citing Latchem ¶¶ 35, 77); see also Ans. 4–5.
We further agree with the Examiner that Latchem’s selection of a security template based on the data itself and one or more parameters associated with the data in response to a detection of a particular event, and application of the selected security template to obfuscate the data teaches or suggests the claimed “generating . . . first sanitized data,” as the claimed “sanitized data,” interpreted broadly but reasonably in light of Appellant’s specification, reads on Latchem’s obfuscated data. See Final Act. 5–6 (citing Latchem ¶¶ 35–37); see also Ans. 4.³

³ We also agree with the Examiner that Anderson explicitly teaches confidential information is protected by access control policies. See Final Act. 7 (citing Anderson 146); see also Ans. 5.

Appellant also argues Anderson discusses risk factors including sensitivity and clearance levels, categories and need-to-know, which are different from risk factors based on non-intended usages of data and probabilities associated with a respective non-intended usage based on a usage control policy. See Br. 17. Appellant further argues Anderson is silent as to sanitized data, and Anderson instead discloses regulating access to an object based on risk indices and thresholds, which is different than generating sanitized data based on data, a risk factor and an access control policy associated with the data. See Br. 18.

We do not agree with Appellant’s arguments. Instead, we agree with the Examiner that the claimed “risk factor . . . based on non-intended usages of at least a portion of the first data and based on one or more probabilities, each probability being associated with a respective non-intended usage that is defined based on a usage control policy,” interpreted broadly but reasonably in light of Appellant’s specification, reads on Anderson’s estimated risk of making confidential information known to unauthorized parties based on a value of the confidential information and a probability of unauthorized disclosure. See Final Act. 7 (citing Anderson ¶¶ 6, 167, 169); see also Ans. 5. Further, the Examiner relied upon Latchem, rather than Anderson, for teaching the claimed “generating . . . first sanitized data” (see Final Act. 5–6) and, as previously discussed above, we agree that Latchem teaches or suggests the aforementioned claim limitation.

Thus, we are not persuaded the Examiner erred in finding the combination of Latchem and Anderson teaches or suggests all of the claim elements of claims 1, 15, and 16. Accordingly, we sustain the rejection of claims 1, 15, and 16 under 35 U.S.C. § 103(a), as well as dependent claims 2–14, not argued separately.

DECISION

We affirm the Examiner’s rejection of claims 1–16 under 35 U.S.C. § 103(a).

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED