Ex Parte WorthDownload PDFPatent Trial and Appeal BoardJun 17, 201613197402 (P.T.A.B. Jun. 17, 2016) Copy Citation UNITED STA TES p A TENT AND TRADEMARK OFFICE APPLICATION NO. FILING DATE FIRST NAMED INVENTOR 13/197,402 08/03/2011 Kevin M. Worth 56436 7590 06/21/2016 Hewlett Packard Enterprise 3404 E. Harmony Road Mail Stop 79 Fort Collins, CO 80528 UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www .uspto.gov ATTORNEY DOCKET NO. CONFIRMATION NO. 82693700 5701 EXAMINER TRAN, TONGOC ART UNIT PAPER NUMBER 2434 NOTIFICATION DATE DELIVERY MODE 06/21/2016 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address( es): hpe.ip.mail@hpe.com mkraft@hpe.com chris.mania@hpe.com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte KEVIN M. WORTH Appeal2014-009436 Application 13/197,402 Technology Center 2400 Before CARL W. WHITEHEAD JR, JON M. JURGOV AN and JOHN F. HORVATH, Administrative Patent Judges. Opinion for the Board filed by Administrative Patent Judge WHITEHEAD JR. Opinion Dissenting filed by Administrative Patent Judge HORVATH. WHITEHEAD JR., Administrative Patent Judge. DECISION ON APPEAL STATEMENT OF THE CASE Appellants are appealing the Final Rejection of claims 1-15 under 35 U.S.C. § 134(a). Appeal Brief 3. We have jurisdiction under 35 U.S.C. § 6(b) (2012). We reverse. Appeal2014-009436 Application 13/197,402 Introduction The invention is directed to network security. Specification [0008]. Representative Claim (disputed limitations emphasized) 1. A method for network security, comprising: receiving flow sampled network traffic from a plurality of network devices with a network monitoring computing device for network traffic among a plurality of computing devices; comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device; and detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network monitoring computing device. Rejection on Appeal Claims 1-15 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Copeland (US Patent Application Publication Number 2002/0144156 Al; published October 3, 2002). Final Rejection 5-8. ANALYSIS Rather than reiterate the arguments of Appellants and the Examiner, we refer to the Appeal Brief (filed February 10, 2014), the Reply Brief (filed August 29, 2014), the Answer (mailed July 3, 2014) and the Final Rejection (mailed October 11, 2013) for the respective details. We have considered in this decision only those arguments Appellants actually raised in the Briefs. Appellants argue that Copeland teaches away from utilizing flow samples and therefore one of ordinary skill in the art would not be motivated to modify Copeland's teaching to include flow samples. Appeal Brief 9-10. 2 Appeal2014-009436 Application 13/197,402 1A .. ppellants argue that Copeland "appears to teach that the monitoring system inspects all inbound and outbound activity (e.g. as opposed to flow sampling)." Appeal Brief 10. The Examiner finds: Copeland does not disclose sampling the network traffic. However, sampling traffic flow is old and well known. It would have been obvious to one of ordinary skill in the art at the time the invention was made to do the sample of the traffic flow to reduce cost and delay associate with monitoring data traffic of larger networks. Final Rejection 6. Appellants further argue that Copeland discloses, "[t]he present invention provides a more accurate and reliable method for detecting unauthorized network usage based upon port profiling" because "the monitoring system inspects all inbound and outbound activity." Appeal Brief 9 (citing Copeland, paragraph 17). Copeland's disclosure of monitoring and inspecting all inbound and outbound activity to ensure network integrity discourages an artisan from following the path taken by Appellants' invention. 1 Therefore, we find Appellants' arguments persuasive and do not agree with the Examiner's findings. We reverse the Examiner's obviousness rejection of claims 1-15. 1 "A reference may be said to teach away when a person of ordinary skill, upon reading the reference, would be discouraged from following the path set out in the reference, or would be led in a direction divergent from the path that was taken by the applicant." In re Kahn, 441F.3d977, 990 (Fed. Cir. 2006) (citations and internal quotation marks omitted). See also In re Fulton, 391 F.3d 1195, 1201 (Fed. Cir. 2004) (noting that merely disclosing more than one alternative does not teach away from any of these alternatives if the disclosure does not criticize, discredit, or otherwise discourage the alternatives). 3 Appeal2014-009436 Application 13/197,402 DECISION The Examiner's obviousness rejection of claims 1-15 is reversed. REVERSED 4 UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte KEVIN M. WORTH Appeal2014-009436 Application 13/197,402 Technology Center 2400 Before CARL W. WHITEHEAD JR, JON M. JURGOV AN and JOHN F. HORVATH, Administrative Patent Judges. HORVATH, Administrative Patent Judge, Dissenting. I respectfully dissent from the Majority's decision to reverse the Examiner's rejection of claims 1-15. To "teach away," a prior art reference disclosing an alternative design must "criticize, discredit, or otherwise discourage the solution claimed." See In re Fulton, 391 F.3d 1195, 1201 (Fed. Cir. 2004). Nothing in Coleman's disclosure of inspecting "all" network traffic criticizes, discredits, or otherwise discourages inspecting "sampled" network traffic as claimed by Appellant. Indeed, nothing in Appellant's Specification prohibits "sampled" network traffic from comprising "all" network traffic as disclosed by Coleman. See, e.g., Spec. i-f 16 (describing sampled network traffic as "e.g., a certain percentage of the number of packets flowing therethrough," but failing to limit the percentage to less than "all" or 100% of the packets flowing through the network). Appeal2014-009436 Application 13/197,402 !vforeover, assuming arguendo that 1A:\.ppellant's Specification did limit sampled network traffic to less than "all" network traffic, I agree with the Examiner that a person of ordinary skill in the art reading Coleman would have understood that as the amount of monitored network traffic increases: [T]here is a limit in [the] capacity of handling the traffic now and inspecting all inbound and outbound network traffic is costly and time consuming when [the] volume of the traffic flow reach[ es] a certain threshold, Therefore the use of flow sampling would have been obvious to reduce [the] cost and delay associate[ d] with monitoring all data traffic of larger net\vorks and a cost effective way to test the health of the network. Ans. 6; see also Final Act. 6. Coleman's disclosure of inspecting "all" network traffic teaches a simple network traffic monitoring device that can effectively monitor the traffic in smaller networks that do not carry large amounts of traffic. However, the "simplicity of the prior art is rarely a characteristic that weighs against obviousness of a more complicated device with added function." In re Dance, 160 F.3d 1339, 1344 (Fed. Cir. 1998). Although there are both advantages and disadvantages to modifying Coleman to monitor "sampled" network traffic rather than "all" network traffic (e.g., the advantage of being able to monitoring larger traffic flows vs. the disadvantage of potentially failing to detect suspicious activity in an undersampled traffic flow), such comparative advantages and disadvantages do not obviate the Examiner's finding that a person of ordinary skill in the art would have been motivated to make the modification. See Medichem, S.A. v. Rolabo, S.L., 437 F.3d 1157, 1165 (Fed. Cir. 2006) (finding "a given course of action often has simultaneous advantages and disadvantages, and this does not necessarily obviate [the] motivation to combine."). 2 Appeal2014-009436 Application 13/197,402 ii .. ccordingly, because 1A .. ppellant's "teaching av,ray" and other arguments do not persuade me of Examiner error, I would sustain the Examiner's rejection of claims 1-15 for the reasons stated in the Final Action and the Examiner's Answer. 3 Copy with citationCopy as parenthetical citation