Ex Parte Vaidya et al., Appeal 2017-007623, Application 13/866,869 (P.T.A.B. Dec. 27, 2017)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 13/866,869
FILING DATE: 04/19/2013
FIRST NAMED INVENTOR: Sachin Mohan Vaidya
ATTORNEY DOCKET NO.: N093 (B174) (P0184)
CONFIRMATION NO.: 1376
Customer No. 109858: VMware, Inc., 3401 Hillview Avenue, Palo Alto, CA 94304
EXAMINER: BAYOU, YONAS A
ART UNIT: 2434
NOTIFICATION DATE: 12/29/2017
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on the above-indicated "Notification Date" to the following e-mail address(es): ipadmin@vmware.com, ipteam@vmware.com, mail@adelillp.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte SACHIN MOHAN VAIDYA, AZEEM FEROZ, ANIRBAN SENGUPTA, and JAMES CHRISTOPHER WIESE

Appeal 2017-007623
Application 13/866,869¹
Technology Center 2400

Before DEBRA K. STEPHENS, DANIEL J. GALLIGAN, and DAVID J. CUTITTA II, Administrative Patent Judges.

GALLIGAN, Administrative Patent Judge.

DECISION ON APPEAL

Introduction

Appellants appeal under 35 U.S.C. § 134(a) from a final rejection of claims 1, 2, 5–9, 12–16, and 19–21, which are all of the claims pending in the application. We have jurisdiction under 35 U.S.C. § 6(b). Claims 3, 4, 10, 11, 17, and 18 have been cancelled.

We AFFIRM IN PART.²

¹ According to Appellants, the real party in interest is Nicira, Inc. App. Br. 2.

² Our Decision refers to Appellants’ Specification filed April 19, 2013 (“Spec.”); Appellants’ Appeal Brief filed October 26, 2016 (“App. Br.”); Appellants’ Reply Brief filed April 21, 2017 (“Reply Br.”); Examiner’s Answer mailed February 21, 2017 (“Ans.”); and Final Office Action mailed April 26, 2016 (“Final Act.”).

STATEMENT OF THE CASE

Claims on Appeal

Claims 1, 8, and 15 are independent claims. Claim 1 is reproduced below:

1. A computer-implemented method comprising:
through a user interface, receiving data to create a security container and to associate a security service and a tag-based rule with the security container;
assigning a virtual machine (VM) to the security container;
through the VM’s association with the service container, operating the security service on the VM to identify a security threat associated with the VM and to assign a tag with the VM;
using the tag-based rule to process the tag, and in response, to re-assign the VM to a quarantine container until the security threat is resolved, wherein VMs assigned to the quarantine container have restricted network connectivity;
after resolution of the security threat, removing the tag from the VM and transferring the VM back to the security container.

References

Herington    US 2007/0250929 A1    Oct. 25, 2007
Cruz         US 2011/0258701 A1    Oct. 20, 2011

Examiner’s Rejection

Claims 1, 2, 5–9, 12–16, and 19–21 stand rejected under 35 U.S.C. § 103 as being unpatentable over Cruz and Herington. Final Act. 3–9.

Our review in this appeal is limited only to the above rejection and the issues raised by Appellants. Arguments not made are waived. See MPEP § 1205.02; 37 C.F.R. §§ 41.37(c)(1)(iv) and 41.39(a)(1).
ANALYSIS

Independent claims 1, 8, and 15

“a security container”

Appellants contend the Examiner erred in finding the combination of Cruz and Herington teaches “through a user interface, receiving data to create a security container and to associate a security service and a tag-based rule with the security container,” as recited in claim 1 and similarly recited in claims 8 and 15. App. Br. 6–7, 10–11, 13–14; Reply Br. 3–4. Specifically, Appellants argue Cruz “does not describe receiving user input to create new hypervisors,” i.e., security containers, “or to associate a security service and a tag-based rule with such a hypervisor.” App. Br. 6. Appellants also argue “Herington describes allowing an administrator to adjust resource rules . . . but it is unclear what is being cited for the data used to create a security container.” App. Br. 6; Reply Br. 4. Further, Appellants argue that “nothing in the cited [Herington] reference describes associating a security service with a security container.” App. Br. 6.

We are not persuaded. The Examiner finds (Final Act. 3–4), and we agree, Cruz teaches an “operation zone hypervisor,” i.e., a security container, which “manages one or more virtual machines.” Cruz ¶ 4, Fig. 1. The Examiner further finds (Final Act. 4), and we agree, Cruz teaches “[p]latform agent 62,” i.e., a security service, “manages a hypervisor 54 to facilitate prevention of computer attacks” on the virtual machines. Cruz ¶ 24; see Cruz ¶ 32. Additionally, the Examiner finds (Final Act. 4–5), and we agree, Herington teaches that an administrator can provide user input to “adjust the resource rules” established for an executed computer process. Herington ¶ 17; see Herington ¶ 5. The Examiner further finds (Ans. 9), and we agree, Herington “determines a process ... is violating a rule.” Herington ¶ 14, Fig. 1.
Appellants’ arguments that Cruz does not teach user input to create its security container and that Herington’s user input does not create a security container (App. Br. 6; Reply Br. 4) improperly attack Cruz and Herington individually while the rejection is based on the combination of Cruz and Herington. In re Keller, 642 F.2d 413, 426 (CCPA 1981). Specifically, Appellants’ arguments do not address the Examiner’s combination of Cruz, teaching security containers with associated security services, and Herington, teaching a user interface for administering rules, to teach a user interface for creating a security container and associated security services and rules. Final Act. 5. Further, Appellants’ argument that Herington does not “associat[e] a security service with a security container” (App. Br. 6) does not address the Examiner’s finding that Cruz teaches a security service associated with a security container (Final Act. 4). Specifically, Cruz’s platform agent is a security service associated with a security container because the platform agent “monitor[s] the behavior of hypervisor 54 to detect potential attacks.” Cruz ¶ 24; see Cruz ¶ 32.

Accordingly, we are not persuaded the Examiner erred in finding the combination of Cruz and Herington teaches “through a user interface, receiving data to create a security container and to associate a security service and a tag-based rule with the security container,” within the meaning of claims 1, 8, and 15.

“assign . . . process . . . remov[e] the tag”

Appellants contend the Examiner erred in finding the combination of Cruz and Herington teaches “assign[ing] a tag with the VM; using the tag-based rule to process the tag, and in response, to re-assign the VM to a quarantine container . . . [and] removing the tag from the VM,” as recited in claim 1 and similarly recited in claims 8 and 15. App. Br. 7, 11, 15; Reply Br. 2–3.
Specifically, Appellants argue that Cruz sends “a report to a platform manager” but that the claimed tags “are not sent to a manager for processing, but rather are assigned to a VM.” App. Br. 7. Further, Appellants argue the “rules in Herington [are] associated with a set of processes, not a container.” Reply Br. 3. Additionally, Appellants argue that Herington teaches “an action-based rule that looks at the actions of the process and determines whether to move a process to quarantine or not” but that Herington’s rule “is not equivalent to a tag-based rule used to process a tag assigned by a first security service to decide whether to re-assign a VM to a quarantine container.” Reply Br. 2–3; App. Br. 7.

We are not persuaded. The Examiner finds (Final Act. 4), and we agree, Cruz teaches “platform agent 62 detects a potential threat,” e.g., an attack on a virtual machine, and “report[s] the behavior to platform manager 40.” Cruz ¶ 24; see Cruz ¶ 32. The Examiner further finds (Final Act. 4), and we agree, the report causes “platform manager 40 [to] move a virtual machine 56” to a quarantine container (hypervisor). (Cruz ¶ 12; see Cruz ¶¶ 25, 28). Additionally, the Examiner finds, and we agree, Herington “determine[s]/indicate[s]/tag[s]” a process fault and then “move[s] the process to a quarantined section because there appears to be some kind of indicator or tag that indicates each process is acting contrary to the rules or [is] misbehaving.” Ans. 9 (emphases omitted) (citing Herington ¶ 5, Fig. 1); see Herington claim 1. The Examiner further finds, and we agree, Herington returns the process from quarantine after the process fault has been addressed. Final Act. 4–5 (citing Herington ¶ 17); see Herington claim 4.

Appellants’ argument that Cruz’s tags are not “assigned to a VM” because Cruz’s tags are “sent to a manager” (App. Br. 7) is not commensurate with the scope of the claim.
The claim does not specify how tags are associated with VMs and, in particular, does not preclude a tag that is separate from its VM. Indeed, the Specification teaches a VM’s tag is “retriev[ed] . . . from a tag database” (Spec. ¶ 31), i.e., the VM and its assigned tag are separate. Even further, the Specification teaches “retrieving tag data stored in one or more memory locations via a tag communication layer” (id.), where the tag communication layer is separate from the VM (see id. ¶ 23, Fig. 3). Accordingly, Cruz’s separate tag, i.e., the VM threat report (Cruz ¶¶ 24, 32), teaches “assign[ing] a tag with the VM” within the scope of the claims.

Further, Appellants’ argument that the “rules in Herington [are] associated with a set of processes, not a container” (Reply Br. 3) improperly attacks Herington individually when the rejection is based on the combination of Cruz and Herington. Keller, 642 F.2d at 426. In particular, Appellants’ argument does not address the Examiner’s combination of Cruz, teaching security containers (Cruz ¶ 4, Fig. 1), with Herington, teaching rules causing processes to be moved to quarantine (Herington ¶¶ 5, 14, Fig. 1), to teach a security container associated with rules. Final Act. 5.

Additionally, we are not persuaded by Appellants’ argument that Herington teaches “an action-based rule that looks at the actions of the process and determines whether to move a process to quarantine,” instead of a “tag-based rule used to process a tag” in order to determine that the process should be quarantined. Reply Br. 3; App. Br. 7. As an initial matter, we disagree with Appellants’ argument that Herington’s rules “prevent an already-quarantined process from executing.” App. Br. 7. Herington’s processes are being executed when Herington “determines a process ... is violating a rule.” Herington ¶ 14; see Herington ¶ 5.
Furthermore, quarantining Herington’s computer process, i.e., the rule which “re-assign[s] the VM to a quarantine container,” is based on the “determin[ation]/indicat[ion]/tag” of a rule violation. Ans. 9; see Herington ¶ 14 (“determines a process ... is violating a rule, then misbehaving . . . process 3 is moved” to quarantine), claim 1 (“determining that a possible fault condition exists” to place a process in quarantine), claim 4 (“removing said particular process from within said quarantine when said analyzing has determined that a possible fault condition no longer exists with respect to said particular process”). That is, the Examiner finds Herington’s determination of a rule violation is a tag of a violating process; that violating process is then moved into quarantine based on that rule violation determination. Ans. 9–10. Moreover, Appellants’ arguments do not address the Examiner’s finding (Final Act. 4) that Cruz’s platform manager receives a VM threat report — i.e., a tag — and based on that report, determines that a VM should be moved to a quarantine container. Cruz ¶¶ 12, 25, 28.

Accordingly, we are not persuaded the Examiner erred in finding the combination of Cruz and Herington teaches “assign[ing] a tag with the VM; using the tag-based rule to process the tag, and in response, to re-assign the VM to a quarantine container . . . [and] removing the tag from the VM,” within the meaning of claims 1, 8, and 15. Therefore, we sustain the rejection of claims 1, 8, and 15 under 35 U.S.C. § 103 as being unpatentable over Cruz and Herington.

Dependent claims 6, 13, and 20

Appellants contend the Examiner erred in finding Cruz teaches “detecting a user membership group in response to a login event of the VM” and “selecting the security container based on the user membership group,” as recited in claim 6 and similarly recited in claims 13 and 20. App. Br. 8, 11–12, 15–16; Reply Br. 4–5.
Specifically, Appellants argue that “Cruz describe[s] detecting a potential attack” and notes that the Examiner finds “that one skilled in the art would know that this attack is coming from some group or user.” App. Br. 8. Appellants argue the Examiner “misinterprets the language of claim 6,” which “is not directed to identifying a source for an attack, but rather to the assignment of a VM to a security container based on a user membership group.” App. Br. 8.

We are persuaded. The Examiner finds one of skill in the art would know that a “detect[ed] potential attack ... is coming from some group/user/s.” Final Act. 6 (citing Cruz ¶¶ 18, 32–33). However, those findings are directed to the source of attacks rather than to the assignment of VMs to security containers based on a user membership group, as required by the claims.

Accordingly, we are persuaded the Examiner erred in finding Cruz teaches the disputed limitations recited in claims 6, 13, and 20. Therefore, we do not sustain the rejection of claims 6, 13, and 20 under 35 U.S.C. § 103 as being unpatentable over Cruz and Herington.

Dependent claims 7 and 14

Appellants contend the Examiner erred in finding Cruz teaches “operating the security service on a second VM through the second VM’s association with a second security container to identify a second security threat associated with the second VM and to assign a second tag for the second security threat to the second VM” and “a second quarantine container from the plurality of quarantine containers to transfer the second VM based on the second tag,” as recited in claim 7 and similarly recited in claim 14. App. Br. 8–9, 12–13; Reply Br. 5. Specifically, Appellants argue Cruz “describes different platform agents that operate on different hypervisors, but does not describe a security service that operates on VMs in both a first and second security container.” App. Br. 9.

We are not persuaded.
The Examiner finds (Final Act. 6–7), and we agree, Cruz teaches that “a potential attack is detected on at least one virtual machine” by a platform manager. Cruz ¶ 32; see Cruz ¶ 24, Fig. 1. Thus, Cruz teaches, or at least suggests, multiple attacks on multiple VMs can be detected. Because Cruz teaches its platform manager detects multiple attacks on multiple VMs, we are not persuaded it would have been “uniquely challenging or difficult for one of ordinary skill in the art,” or would have “represented an unobvious step over the prior art,” for Cruz’s platform manager to detect attacks on multiple VMs corresponding to respective hypervisors. Leapfrog Enters., Inc. v. Fisher-Price, Inc., 485 F.3d 1157, 1162 (Fed. Cir. 2007) (citations omitted). Indeed, Cruz teaches that a platform manager is able to communicate across and interact with multiple hypervisors. Cruz ¶¶ 23, 28–29, 33, 35, Fig. 1.

Accordingly, we are not persuaded the Examiner erred in concluding the subject matter of dependent claims 7 and 14 would have been obvious. Therefore, we sustain the rejection of claims 7 and 14 under 35 U.S.C. § 103 as being unpatentable over Cruz and Herington.

Dependent claim 21

Appellants contend the Examiner erred in finding Herington teaches “a second security service is associated with the security container, wherein the second security service identifies a different security threat and assigns a different tag to the VM,” as recited in claim 21. App. Br. 16; Reply Br. 5–6. Specifically, Appellants argue that “Herington describe[s] checking a process against a list of rules to determine if the process is violating any of the rules” but that the rules “do not disclose or suggest a method that provides first and second security services to identify different security threats and to assign different tags to a VM.” App. Br. 16.
Appellants further argue Herington does not “assign[] any tag to a VM” or “assign[] a different tag to a VM.” Reply Br. 6.

We are not persuaded. The Examiner finds, and we agree, Herington teaches a list of rules. Final Act. 7 (citing Herington ¶ 12, Fig. 1). In particular, Herington teaches that an executed computer process is checked for violating different rules. Herington ¶ 12, Fig. 1.

Appellants’ arguments (App. Br. 16; Reply Br. 6) do not persuade us that it would have been nonobvious to the skilled artisan to combine Cruz and Herington to teach the disputed limitations. As discussed supra, we agree with the Examiner’s finding that Cruz tags an identified security threat with a report (Final Act. 4) and Herington’s determination of a rule violation tags the rule violation (Ans. 9–10)—i.e., both Cruz and Herington teach assigning tags when threats are detected. Further, Herington teaches a list of rules violations, i.e., multiple security threats. Herington ¶ 12, Fig. 1. We are not persuaded that it would have been “uniquely challenging or difficult for one of ordinary skill in the art,” or would have “represented an unobvious step over the prior art,” for Cruz to include multiple security services respectively identifying and tagging respective security threats in light of Herington teaching multiple security threats. Leapfrog, 485 F.3d at 1162 (citations omitted).

Accordingly, we are not persuaded the Examiner erred in concluding the subject matter of dependent claim 21 would have been obvious. Therefore, we sustain the rejection of claim 21 under 35 U.S.C. § 103 as being unpatentable over Cruz and Herington.

Remaining claims 2, 5, 9, 12, 16, and 19

Appellants do not argue separate patentability for dependent claims 2, 5, 9, 12, 16, and 19, which depend directly or indirectly from claims 1, 8, and 15. See App. Br. 6–17.
Accordingly, for the reasons set forth above, we sustain the Examiner’s decision to reject claims 2, 5, 9, 12, 16, and 19.

DECISION

We reverse the Examiner’s decision rejecting claims 6, 13, and 20 under 35 U.S.C. § 103 as being unpatentable over Cruz and Herington.

We affirm the Examiner’s decision rejecting claims 1, 2, 5, 7–9, 12, 14–16, 19, and 21 under 35 U.S.C. § 103 as being unpatentable over Cruz and Herington.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 41.50(f).

AFFIRMED-IN-PART