Ex Parte Westerfeld, Patent Trial and Appeal Board, Application No. 12/868,475 (P.T.A.B. May 27, 2016)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 12/868,475
FILING DATE: 08/25/2010
FIRST NAMED INVENTOR: Kurt Andrew Westerfeld
ATTORNEY DOCKET NO.: 062070-0387040
CONFIRMATION NO.: 5948
EXAMINER: CHOUDHURY, AZIZUL Q
ART UNIT: 2453
PAPER NUMBER: 7590
NOTIFICATION DATE: 06/01/2016
DELIVERY MODE: ELECTRONIC
Customer No. 45838: SCHWEGMAN LUNDBERG & WOESSNER/NOVELL, PO BOX 2938, MINNEAPOLIS, MN 55402

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on the above-indicated "Notification Date" to the following e-mail address(es): uspto@slwip.com, SLW@blackhillsip.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte KURT ANDREW WESTERFELD

Appeal 2014-005332
Application 12/868,475 [1]
Technology Center 2400

Before DEBRA K. STEPHENS, KARA L. SZPONDOWSKI, and SHARON PENICK, Administrative Patent Judges.

PENICK, Administrative Patent Judge.

DECISION ON APPEAL

This is an appeal under 35 U.S.C. § 134(a) from the Examiner's Final Rejection of claims 1-9 and 11-19. Claims 10 and 20 are cancelled. (Appeal Br. 2.) We have jurisdiction under 35 U.S.C. § 6(b)(1). We affirm.

Invention

Appellant's invention relates to a configuration management database describing all known service endpoints in a network datacenter. Network conversations are then detected in network traffic in real-time, and correlated with the information in the configuration management database. In response to network activity which does not correlate with the known service endpoints in the database, a security alert is generated. (Spec. Abstract, ¶¶ 16, 17.)

[1] According to Appellant, the real party in interest is Samsung Electronics Co., Ltd. (Appeal Br. 2.)

Illustrative Claims

Claims 1 and 3, reproduced below with key limitations emphasized, are illustrative:

1. A system for detecting real-time security threats in a network datacenter, comprising:

    a configuration management database containing information describing every known service endpoint in an information technology datacenter, wherein the information in the configuration management database describing every known service endpoint represents a steady state for the information technology datacenter;

    one or more listeners configured to observe traffic between resources that represent one or more service endpoints in the information technology datacenter in real-time, wherein the one or more listeners detect a network conversation between the resources, the network conversation initiating new activity in the information technology datacenter in real-time from the real-time traffic observed in the information technology datacenter; and

    a correlation engine comprising one or more processors configured to analyze the network conversation between the resources and detected with the one or more listeners in real-time, wherein the one or more processors cause the correlation engine to:

        correlate the new activity initiated by the conversation between the resources in the information technology datacenter with the information in the configuration management database representing the steady state for the information technology datacenter, wherein the correlation engine correlates the new activity with the information in the configuration management database in real-time; and

        generate a real-time security alert in response to determining that the new activity initiated by the conversation between the resources in the
information technology datacenter fails to correlate with any of the known service endpoints described in the configuration management database, wherein the real-time security alert indicates that the detected network conversation initiating the new activity falls out-of-scope from the steady state for the information technology data center.

3. The system of claim 1, wherein the correlation engine determines that the new activity fails to correlate with the known service endpoints described in the configuration management database in response to correlating the new activity with one of the known service endpoints, and further in response to determining that the known service endpoint correlated with the new activity has not initiated any previous network conversations involving the new activity.

Rejections

The Examiner rejects claims 1-9 and 11-19 under 35 U.S.C. § 103(a) as unpatentable over Chesla (US 2006/0137009 A1; June 22, 2006) and Cesa Klein (US 7,543,052 B1; June 2, 2009). (Final Action 2-7.)

Issue

Did the Examiner err in finding the combination of Chesla and Cesa Klein teaches (i) "a configuration management database containing information describing every known service endpoint in an information technology datacenter, wherein the information in the configuration management database describing every known service endpoint represents a steady state for the information technology datacenter," (ii) correlation of "new activity ... with the information in the configuration management database," and (iii) generation of "a real-time security alert in response to determining that the new activity ... fails to correlate with any of the known service endpoints described in the configuration management database," as recited in claim 1?
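As an added illustration, not part of the decision or of Appellant's application, the following Python sketch models the correlation logic recited in claims 1 and 3: a constructed CMDB of known service endpoints stands in for the steady state, constructed conversation records stand in for what the listeners observe, and the engine alerts when a conversation either involves no known endpoint (claim 1) or is initiated by a known endpoint toward a peer it has never talked to before (claim 3). The Endpoint, Conversation and CorrelationEngine names, the learn/correlate split and the per-initiator history are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int

@dataclass(frozen=True)
class Conversation:
    src: Endpoint  # resource that initiated the conversation
    dst: Endpoint  # resource it talked to

class CorrelationEngine:
    """Hypothetical engine: the CMDB of known service endpoints is the steady state."""

    def __init__(self, known: List[Endpoint]) -> None:
        self.cmdb: Set[Endpoint] = set(known)
        # Per known endpoint, the peers it has initiated conversations with (claim 3 history).
        self.initiated: Dict[Endpoint, Set[Endpoint]] = {e: set() for e in self.cmdb}

    def learn(self, conv: Conversation) -> None:
        """Record a steady-state (baseline) conversation initiated by a known endpoint."""
        if conv.src in self.cmdb:
            self.initiated[conv.src].add(conv.dst)

    def correlate(self, conv: Conversation) -> Optional[str]:
        """Return an alert reason, or None when the conversation matches the steady state."""
        label = f"{conv.src.host}:{conv.src.port} -> {conv.dst.host}:{conv.dst.port}"
        # Claim 1: neither resource is a known service endpoint, so the activity is out of scope.
        if conv.src not in self.cmdb and conv.dst not in self.cmdb:
            return "out-of-scope: " + label
        # Claim 3: a known initiator with no prior conversation involving this peer.
        if conv.src in self.cmdb and conv.dst not in self.initiated[conv.src]:
            return "no prior conversation: " + label
        return None

def run_demo() -> List[Optional[str]]:
    """Constructed CMDB, baseline and observations; returns one result per observation."""
    web, app, db = Endpoint("web01", 443), Endpoint("app01", 8080), Endpoint("db01", 5432)
    engine = CorrelationEngine([web, app, db])
    engine.learn(Conversation(web, app))  # constructed steady state: web tier talks to app tier
    engine.learn(Conversation(app, db))   # ...and the app tier talks to the database
    observed = [
        Conversation(web, app),                                   # matches steady state
        Conversation(Endpoint("client7", 51234), web),            # unknown client to known service: fine
        Conversation(app, Endpoint("unknown-host", 9999)),        # known endpoint, never-seen peer
        Conversation(Endpoint("h1", 40000), Endpoint("h2", 22)),  # neither side known
    ]
    return [engine.correlate(c) for c in observed]
```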
Did the Examiner err in finding the combination of Chesla and Cesa Klein teaches a determination that "the known service endpoint correlated with the new activity has not initiated any previous network conversations involving the new activity," as recited in claim 3?

ANALYSIS

Claim 1

Appellant contends that the Examiner fails to show the combination of Chesla and Cesa Klein teaches or suggests (i) the claimed configuration management database, (ii) the claimed correlation of new activity with information in the configuration management database, and (iii) the generation of a real-time security alert in response to a determination that the new activity fails to correlate with known service endpoints described in the configuration management database. (Appeal Br. 7-11; Reply Br. 2-6.)

(i) configuration management database

Appellant contends that Chesla does not disclose the configuration management database containing information describing every known service endpoint in an information technology datacenter. (Appeal Br. 7-10; Reply Br. 4-5.) Specifically, Appellant argues that "the Examiner's rejection is predicated upon an erroneous interpretation of a threshold (or baseline) number of connections for states in Chesla" to teach or suggest the information in the disputed configuration management database. (Appeal Br. 9.) The disputed limitation requires both (a) that the configuration management database "contain information describing every known service endpoint" in the datacenter and (b) that such information in the database "represents a steady state" for the datacenter. Appellant focuses on an alleged lack of a teaching or suggestion for the first of these requirements, arguing that Chesla only teaches the number of connections of a state with a threshold number of connections, and does not describe every known endpoint. (Appeal Br. 4.)
However, the Examiner finds the first requirement, that the database contain "information describing every known service endpoint in an information technology datacenter," to be taught or suggested in Chesla's stateful inspection module, "which tracks all connections between protected elements ... of [the] protected network" (Chesla ¶ 102), and the management system in Chesla, which includes a "display of network topology" (id. ¶¶ 185-186). (Final Action 2-3; Answer 4-5.) Appellant does not address the Examiner's findings regarding the disputed limitation, that Chesla's discussion of tracking network topology teaches or suggests a description of every known endpoint in the datacenter. Thus, Appellant's arguments are not persuasive of Examiner error.

(ii) correlation of new activity with the information in the configuration management database and (iii) generation of "a real-time security alert in response to determining that the new activity ... fails to correlate with any of the known service endpoints"

The Examiner finds the comparison of new activity with baseline information regarding the network in Chesla teaches or suggests the correlation of new activity initiated in the datacenter with information in the configuration management database. (Final Action 3.) We find this baseline information in Chesla corresponds to the second claimed description of information in the database, that the information in the database "represents a steady state" for the datacenter. (Id., citing Chesla ¶¶ 26, 28, 139.) Appellant argues that new activity is correlated "without regard to whether the connections of the individual states are new or old connections." (Appeal Br. 10-11.)
However, this argument does not relate to the limitation which the Examiner is addressing in the discussion of Chesla that Appellant references, but rather to limitation (iii), the generation of "a real-time security alert in response to determining that the new activity ... fails to correlate with any of the known service endpoints described in the configuration management database." For this limitation, the Examiner cites the teachings of Cesa Klein:

    While Chesla teaches real-time network security monitoring and real-time presentation of attack information, Chesla does not explicitly cite alerting of the new activity. In the same field of endeavor, Cesa Klein also teaches a network traffic monitoring system; see column 8, lines 12-13, Cesa Klein. Within Cesa Klein's disclosure, it is taught how when new traffic is detected, an alert can be sent; see column 24, lines 38-47, Chesla. By sending alerts, the system can better inform about network traffic deviations. Therefore it would have been obvious to one skilled in the art, during the time of the invention, to have combined the teachings of Chesla with those of Cesa Klein to allow administrators to determine the relative significance of newly discovered traffic; see column 8, lines 26-27, Cesa Klein.

(Final Action 4, emphasis added.) Cesa Klein, and its combination with Chesla, are not addressed by Appellant except in a conclusory fashion. (Appeal Br. 7, 11; Reply Br. 3, 6.) Thus, we find Appellant's arguments are not persuasive of Examiner error. Accordingly, we sustain the Examiner's 35 U.S.C. § 103(a) rejection of claim 1, the rejection of independent claim 11, argued on the same basis, and the rejection of dependent claims 2, 4-9, 12, and 14-19, not separately argued with specificity.
Claim 3

Appellant additionally contends that the Examiner fails to show the combination of Chesla and Cesa Klein teaches or suggests a determination that a known service endpoint correlated with new activity has not initiated any previous network conversations involving the new activity. (Appeal Br. 11-12; Reply Br. 7.) Appellant argues that, because in Chesla activity may be detected as an attack only when it exceeds a threshold number of connections, any detection of an attack would necessarily involve both the detected connection and prior connections. (Reply Br. 7.) However, we agree with the Examiner that new activity in Chesla is evaluated on an aggregate basis to determine if there has been an attack. (Answer 6-7.) While Appellant's argument requires that "new activity" be a single connection, new activity per the claim is initiated upon detection of a "network conversation between the resources." (Claim 1.) Appellant's Specification does not explicitly define "conversation," but instead describes "conversation" in a non-limiting way as generally including two flows (between an originating resource and a destination, and back in the other direction). (Spec. ¶ 10.) Additionally, nothing in Chesla limits the threshold number of connections for detection of an attack to a number larger than one. Chesla's thresholds may be set based on the rate of ordinary new connections (Chesla ¶ 139), which could be zero to indicate that "the known service endpoint correlated with the new activity has not initiated any previous network conversations involving the new activity." While there may be a greater number of connections triggering a detection of an attack in Chesla, there is no requirement in Chesla that one connection not trigger an attack. Therefore we agree with the Examiner that Chesla teaches or suggests the disputed limitation from claim 3, and we sustain the Examiner's 35 U.S.C. § 103(a) rejection of claim 3, and of claim 13, argued on the same grounds.

DECISION

We affirm the Examiner's decision rejecting claims 1-9 and 11-19.

Pursuant to 37 C.F.R. § 1.136(a)(1)(iv), no time period for taking any subsequent action in connection with this appeal may be extended.

AFFIRMED