Fortinet, Inc.
Patent Trials and Appeals Board, Dec 2, 2021
2020005516 (P.T.A.B. Dec. 2, 2021)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

Application No.: 15/257,935
Filing Date: 09/07/2016
First Named Inventor: Udi YAVO
Attorney Docket No.: FORT-034910
Confirmation No.: 5059

176502 7590 12/02/2021
Douglas M. Hamilton
HDC Fortinet
224 S. Main Street, 114
Springville, UT 84663

Examiner: WICKRAMASURIYA, SAMEERA
Art Unit: 2494
Notification Date: 12/02/2021
Delivery Mode: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
dhamilton@hdciplaw.com
miquelchamilton@hamiltonshome.com

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte UDI YAVO

Appeal 2020-005516
Application 15/257,935
Technology Center 2400

Before MARC S. HOFF, ELENI MANTIS MERCADER, and JENNIFER L. McKEOWN, Administrative Patent Judges.

McKEOWN, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Pursuant to 35 U.S.C. § 134(a), Appellant¹ appeals from the Examiner’s decision to reject claims 1–20. We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM.

¹ We use the word Appellant to refer to “applicant” as defined in 37 C.F.R. § 1.42(a). Appellant identifies the real party in interest as Fortinet, Inc. Appeal Br. 3.

CLAIMED SUBJECT MATTER

The claims are directed to a “method for detection of malicious code within runtime generated code executing within a computer.” Abstract.
Claim 1, reproduced below, is illustrative of the claimed subject matter:

1. A method for detection of malicious code within runtime generated code executing within a computer, comprising executing on a processor of the computer the acts of:
  receiving an indication of at least one of the creation and the execution of runtime generated code in a memory of the computer;
  identifying a match between signature data of static non-hashed data associated with the runtime generated code and a template signature of static non-hashed data of a plurality of templates representing authorized source creation modules that created the runtime generated code, the templates stored in a repository on a storage device; and
  triggering a security process to handle malicious code in the runtime generated code when no match is found.

REFERENCE(S)

The prior art relied upon by the Examiner is:

| Name | Reference | Date |
| --- | --- | --- |
| Nachenberg | US 7,478,431 B1 | Jan. 13, 2009 |
| Kennedy | US 8,176,554 B1 | May 8, 2012 |

Bob Gilbert et al., DYMO: Tracking Dynamic Code Identity, 14th Int’l Symposium (2011).

REJECTION(S)

The Examiner rejects claims 1–6, 8–14, and 16–20 under 35 U.S.C. § 103 as unpatentable over Gilbert and Kennedy. Final Act. 6–19.

The Examiner rejects claims 7 and 15 under 35 U.S.C. § 103 as unpatentable over Gilbert, Kennedy, and Nachenberg. Final Act. 20–21.

OPINION

THE OBVIOUSNESS REJECTION BASED ON GILBERT AND KENNEDY

Claims 1–6, 8–14, and 16–20

Appellant argues that Gilbert and Kennedy fail to teach or suggest

  identifying a match between signature data of static non-hashed data associated with the runtime generated code and a template signature of static non-hashed data of a plurality of templates representing authorized source creation modules that created the runtime generated code, the templates stored in a repository on a storage device.

Appeal Br. 12 (emphasis omitted).
In particular, Appellant argues that Kennedy’s executable file and/or Dynamic Link Library (DLL) are not runtime generated code. Appeal Br. 12–13. Appellant explains runtime generated code is “dynamically generated/created at runtime, for example, by a Just-In-Time (JIT) compiler” and a skilled artisan would understand “that neither an executable file nor a DLL file that is loaded and linked at program runtime are properly equated with ‘runtime generated code.’” Id.

The Examiner responds that the rejection relies on the combination of Gilbert with Kennedy as teaching the disputed limitation including runtime generated code. Ans. 4–5. The Examiner points out that Gilbert’s DYMO system supports dynamically generated code. Final Act. 6. For example, Gilbert describes, “whenever there are dynamically created, executable memory regions, we add information to the label that reflects the generated code and the library responsible for it, [Page 6, Section 3.1, Para. 2].” Id. The Examiner further explains

  It is apparent to one of ordinary skill in the art that Gilbert discloses signature data, runtime generated code, and plurality of stored templates where the process is identified as legitimate when the labels are identical. On the other hand, Kennedy teaches comparing the stored symbols in a repository (i.e. symbols of legitimate files) with the signature of static non-hashed data (i.e. symbols that comprise section names generated by compilers) where symbols are in an executable file loaded and linked at runtime. Therefore, a person of ordinary skill in the art would have understood Gilbert in view of Kennedy to disclose the features Appellant has argued were missing in the prior art.

Ans. 6.

We are not persuaded of error in the Examiner’s rejection. Appellant asserts that Kennedy does not teach the runtime generated code, but fails to consider Kennedy combined with Gilbert.
As the Examiner points out, Gilbert teaches adding information to the label that reflects the runtime generated code. Ans. 5. One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 426 (CCPA 1981); In re Merck & Co., Inc., 800 F.2d 1091, 1097 (Fed. Cir. 1986).

With respect to claim 4, Appellant argues that Kennedy fails to teach or suggest “‘signature data’ comprising a ‘predefined size of an area in memory storing the runtime generated code.’” Appeal Br. 14 (emphasis omitted). According to Appellant,

  an example of the use of a predefined size of an area in memory that is used as a characteristic for signature data [in the Specification] is discussed with reference to a particular JIT compiler using code chunks of size 0x10000 (i.e., 65,536 bytes). So, in this example, when the area in memory storing the runtime generated code is of a predefined size (e.g., a multiple of 65,536 bytes), this characteristic is consistent with the runtime generated code having been created by the particular JIT compiler.

Appeal Br. 14.

Appellant’s argument, however, is not commensurate with the scope of the claim. For example, the claimed invention merely recites identifying a match between signature data, which comprise a predefined size of an area in memory storing the runtime generated code (claim 4), and a template signature representing authorized source creation modules. The Examiner points out that “a person of ordinary skill in the art reading Kennedy would understand that the symbols include the section names generated by compilers and each section has a size (i.e. sections length in bytes). . . .” Ans. 7. In other words, Kennedy’s symbol, i.e. signature data, comprises a section name representing a section with a predefined size of an area in memory. See, e.g., Kennedy col. 5, ll. 12–13 (describing that each section has a length in bytes and a byte location where the section begins); see also Final Act. 11. Kennedy then teaches matching the symbol comprising section name (e.g. section with a predefined size of an area in memory) with the symbol repository, which represents authorized source creation modules. Final Act. 11.

As discussed above, the Examiner relies on Gilbert for teaching the claimed storing of generated code and Gilbert, similar to Kennedy, teaches that the identity label reflects a memory region. Ans. 7. According to the Examiner, then, Gilbert and Kennedy combined teach the claimed signature data comprising a static non-hashed predefined size of an area in the memory storing the runtime generated code. Based on the record before us, Appellant’s general assertions that Kennedy fails to teach the claimed signature data, without more, do not persuasively identify error in the rejection.

Similarly, with respect to claim 5, Appellant contends Gilbert does not teach or suggest “signature data” comprising a designation of a memory region. Appeal Br. 15. The Examiner, though, points out that Gilbert’s identity label includes memory regions and those memory regions may have page protections. Ans. 8. As such, a skilled artisan would understand Gilbert to teach labels, i.e. signature data, with the claimed memory region designation. Id. Again, Appellant’s general assertions are unavailing.

With respect to claim 8, Appellant argues that Gilbert fails to teach or suggest the claimed signature data comprising control structures at least one of a start and end region of the runtime generated code. Appeal Br. 15–16. The Examiner, though, points out that Gilbert’s identity label, i.e. signature data, reflects executable memory regions of running applications, such as a JIT compiler. Final Act. 12.
The Examiner explains that a skilled artisan would understand the executable memory regions, such as Gilbert’s JIT code regions and Gilbert’s identity labels reflecting these regions, include the claimed predefined control structures. Ans. 8–9. As such, we are not persuaded by Appellant’s general assertions.

With respect to claims 9–10, Appellant argues Gilbert does not teach or suggest the claimed signature data comprising predefined control structures including at least one of a linked list at each different memory region and fields defining the size and address of the respective memory region located after the respective linked list. Appeal Br. 16. According to Appellant, “[t]he undersigned can find no discernable relationship between the portions of Gilbert cited by the Examiner and the claim language at issue. Meanwhile, the undersigned respectfully notes there is no reference to a ‘linked list’ in the relied upon portions of Gilbert or elsewhere in Gilbert.” Appeal Br. 16.

However, there is no ipsissimis verbis test for determining whether a reference discloses a claim element, i.e., identity of terminology is not required. In re Bond, 910 F.2d 831, 832 (Fed. Cir. 1990). The Examiner explains Gilbert discloses that a label is a set of hashes. Specifically, there is one hash for each executable memory region so “a plurality of executable regions are grouped in a label.” Ans. 10. The Examiner further explains

  Gilbert’s DYMO creates a (meta) region hash by concatenating the image hashes of the allocator, writer, and caller of the region and hashing the result[] (Gilbert: [Page 9, Para. 2]). Therefore, A PHOSITA would have understood that the created meta region contains a concatenated allocator, writer and caller, where memory regions can be tracked by traversing the stack to locate the address of the code that is requested.

Ans. 10.
In other words, the Examiner interprets Gilbert’s concatenated image hashes as satisfying the claimed linked list. Appellant’s general assertion that Gilbert fails to reference a “linked list,” without more, is therefore unpersuasive.

Accordingly, based on the record before us, we sustain the rejection of claims 1–6, 8–14, and 16–20 as unpatentable over Gilbert and Kennedy.

THE OBVIOUSNESS REJECTION BASED ON GILBERT, KENNEDY, AND NACHENBERG

Claims 7 and 15

Appellant does not present separate arguments for the patentability of claims 7 and 15, but instead relies on the arguments presented for claim 1. See, e.g., Appeal Br. 17. As discussed above, we are not persuaded of error in the rejection of claim 1. As such, we are also not persuaded of error in the rejection of claims 7 and 15 and sustain the rejection.

CONCLUSION

The Examiner’s rejections of claims 1–20 are sustained.

DECISION SUMMARY

In summary:

| Claims Rejected | 35 U.S.C. § | Reference(s)/Basis | Affirmed | Reversed |
| --- | --- | --- | --- | --- |
| 1–6, 8–14, 16–20 | 103 | Gilbert, Kennedy | 1–6, 8–14, 16–20 | |
| 7, 15 | 103 | Gilbert, Kennedy, Nachenberg | 7, 15 | |
| Overall Outcome | | | 1–20 | |

TIME PERIOD FOR RESPONSE

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED