International Business Machines CorporationDownload PDFPatent Trials and Appeals BoardOct 25, 20212020005578 (P.T.A.B. Oct. 25, 2021) Copy Citation UNITED STATES PATENT AND TRADEMARK OFFICE UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 15/433,098 02/15/2017 Caio E. Briski CA920160143US1 6449 30400 7590 10/25/2021 IBM Endicott (0827 & 4648) HESLIN ROTHENBERG FARLEY & MESITI P.C. 5 COLUMBIA CIRCLE ALBANY, NY 12203 EXAMINER TSANG, HENRY ART UNIT PAPER NUMBER 2495 MAIL DATE DELIVERY MODE 10/25/2021 PAPER Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE ____________ BEFORE THE PATENT TRIAL AND APPEAL BOARD ____________ Ex parte CAIO E. BRISKI, RODRIGO A. CREMASCO, SERGIO AUGUSTO S. DANIN, DANIEL K. LIMA, LUIZ G. NASCIMENTO, MARCOS V.I. PARAISO, KLATER de ABREU SANTO, and EMANNUEL SILVA ____________ Appeal 2020-005578 Application 15/433,0981 Technology Center 2400 _______________ Before JEREMY J. CURCURI, JAMES B. ARPIN, and HUNG H. BUI, Administrative Patent Judges. BUI, Administrative Patent Judge. DECISION ON APPEAL Appellant seeks our review under 35 U.S.C. § 134(a) from the Examiner’s final rejection of claims 1–19, all of the pending claims. Appeal Br. 13–18 (Claims App.). We have jurisdiction under 35 U.S.C. § 6(b). We affirm.2 1 “Appellant” refers to “applicant” as defined in 37 C.F.R. § 1.42. According to Appellant, International Business Machines Corporation is identified as the real party in interest. Appeal Br. 2. 2 We refer to the Appellant’s Appeal Brief filed April 15, 2020 (“Appeal Br.”); Reply Brief filed July 24, 2020 (“Reply Br.”); Examiner’s Answer mailed June 2, 2020 (“Ans.”); Final Office Action mailed November 4, 2019 (“Final Act.”); and Specification filed February 15, 2017 (“Spec.”). Appeal 2020-005578 Application 15/433,098 2 STATEMENT OF THE CASE According to Appellant, known techniques for managing security policies are static, performed manually, and fail to account “the business needs of the company” and “potential high security exposures.” Spec. ¶ 6. As such, Appellant’s claimed methods, systems, and products seek to provide “an autonomous method for [dynamically] providing a security policy” and updating such a security policy based on security threats. Spec. ¶ 7. Figure 1, depicting autonomous security policy system 10, is reproduced below: In Figure 1, autonomous security system 10 has autonomous security policy engine (server) 22 to analyze data from different sources, including to dynamically generate security policy 24 based on business rules 20 for Appeal 2020-005578 Application 15/433,098 3 implementation via security automation tool 30. Spec. ¶¶ 19–23, Fig. 1. Security policy 24 can be updated based on relevant Internet-based security exposures/issues or updated business rules. Id., Fig. 2B. Claims 1, 9, and 12 are independent. Representative claim 1 is reproduced below with disputed limitations emphasized: 1. An autonomous method for dynamically providing a security policy, comprising: creating an initial security policy based on a set of business rules by: selecting one of a plurality of security policy templates stored in a standard policy repository, the selected security policy template providing a best fit to the set of business rules; and modifying the selected security policy template based on the business rules to provide the initial security policy; creating the security policy by updating the initial security policy using at least one security update stored in a security update repository; determining an existence of a new Internet-based security threat; proposing a first security update to the security policy in response to the existence of the new Internet-based security threat; determining a change in the set of business rules; proposing a second security update to the security policy in response to the change in the set of business rules; combining the first security update and the second security update into a consolidated security policy update; and updating the security policy based on the consolidated security update. Appeal Br. 13 (Claims App.). REJECTION AND REFERENCES Claims 1–19 stand rejected under 35 U.S.C. § 103 as obvious over the combined teachings of Proctor (US 6,530,024 B1; issued Mar. 4, 2003), Appeal 2020-005578 Application 15/433,098 4 Belgodere et al. (US 2016/0080422 A1; published Mar. 17, 2016; “Belgodere”), DiGiambattista et al. (US 2017/0237778 A1; published Aug. 17, 2017). Final Act. 3–7. ANALYSIS In support of the obviousness rejection, the Examiner finds the combination of Proctor, Belgodere, and DiGiambattista teaches all of the limitations of Appellant’s claims 1, 9, and 12. Final Act. 3–7. In particular, the Examiner finds Proctor teaches most limitations of Appellant’s claimed “autonomous method for dynamically providing a security policy, ” including (1) “creating the security policy”; (2) “determining an existence of a new Internet-based security threat”; and (3) “proposing [] security update to the security policy in response to the existence of the new Internet-based security threat.” Id. at 3–4 (citing Proctor 2:20–30; 2:45–3:3; 5:45–50, 6:50–65; 7:12–17, 11:49–55; 12:28–50, Fig. 8). Instead of Proctor, the Examiner relies upon (1) Belgodere to teach “creating an initial security policy based on a set of business rules” and “proposing [] security update to security policy in response to the change in the set of business rules” (id. at 4 (citing Belgodere ¶¶ 66–71)) and (2) DiGiambattista to teach “selecting one of a plurality of security policy templates stored in a standard policy repository” and “modifying the selected security policy template to provide the initial security policy” in order to support the conclusion of obviousness (id. at 4–5 (citing DiGiambattista ¶¶ 105, 107, 110–112, 125, 137, 154)). Appellant does not challenge the Examiner’s rationale for combining the references. Instead, Appellant disputes the Examiner’s factual findings regarding Proctor’s and Belgodere’s teachings. In particular, Appellant Appeal 2020-005578 Application 15/433,098 5 contends the cited references, including Proctor and Belgodere, do not teach or suggest (1) “determining a change in the set of business rules;” and (2) “proposing a second security update to the security policy in response to the change in the set of business rules” as recited in claims 1, 9, and 12. Appeal Br. 7–9; Reply Br. 3–4. According to Appellant, “Belgodere teaches the opposite cause-and-effect relationship, where the rules are updated in response to a change in the policies, and not the policy being updated in response to a change in the rules.” Appeal Br. 7. In other words, Belgodere does not determine a change in the set of business rules and propose security update based on the change in the set of business rules “because the output of Belgodere is the changed business rule.” Reply Br. 2. Appellant also contends the cited references, including DiGiambattista, do not teach or suggest (3) “modifying the selected security policy template based on the business rules to provide the initial security policy” as recited in claims 1, 9, and 12. Appeal Br. 9–11; Reply Br. 3–4. According to Appellant, “DiGiambattisa . . . teaches that a human being still does all the creation and modification of the policies,” and “[t]his manual/static management system is distinctly different than the claimed ‘autonomous method for [dynamically] providing a security policy.” Appeal Br. 9–10. Appellant’s contentions are not persuasive of Examiner error. Instead, we find the Examiner’s findings and reasons, including the Examiner’s response to Appellant’s contentions, are supported by a preponderance of the evidence on this record. Ans. 3–7. As such, we adopt the Examiner’s findings and reasons provided therein. Id. For additional emphasis, we note that one cannot show nonobviousness by attacking Appeal 2020-005578 Application 15/433,098 6 references individually where the rejection is based on a combinations of references. In re Keller, 642 F.2d 413, 425 (CCPA 1981). For example, DiGiambattista is not cited for the purpose of using a human administrator to select and modify a security policy, as argued by Appellant. Instead, DiGiambattista is cited by the Examiner for teaching “selecting a policy template and modifying the selected policy template to provide an initial security policy.” Ans. 5 (citing DiGiambattista ¶¶ 105, 112, 125, 137). The test for obviousness is not whether the claimed invention is expressly disclosed in the references, but whether the claimed subject matter would have been obvious to those of ordinary skill in the art in light of the combined teachings of those references. Id. at 425. In an obviousness analysis, it is not necessary to find precise disclosure directed to the specific subject matter claimed because inferences and creative steps that a person of ordinary skill in the art would employ can be taken into account. See KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 418 (2007). In this regard, “[a] person of ordinary skill is also a person of ordinary creativity, not an automaton.” Id. at 421. As the U.S. Supreme Court has stated, obviousness requires an “expansive and flexible” approach that asks whether the claimed improvement is more than a “predictable variation” of “prior art elements according to their established functions.” Id. at 415, 417. Here, in contrast, Appellant’s contentions rigidly focus on a narrow reading of individual references, including Belgodere and DiGiambattista, without considering a skilled artisan’s “creatively[] and common sense.” Randall Mfg. v. Rea, 733 F.3d 1355, 1362 (Fed. Cir. 2013). As recognized by the Examiner, Proctor teaches the basic “autonomous method for dynamically providing a security Appeal 2020-005578 Application 15/433,098 7 policy” that includes updating one or more security policies based on security threats. Final Act. 3–4 (citing Proctor 5:45–50, 11:49–55). As also recognized by the Examiner, “Belgodere teaches defining business goals, translating the goals into business policies, generating operational policies and IT security policies based on the business policies, and deploying the policies.” Ans. 4 (citing Belgodere ¶¶ 67–70). In other words, Belgodere teaches modifying or updating a security policy based on business rules. Belgodere ¶¶ 66–71. The claim term “business rules,” however, is not defined by Appellant’s Specification, but is broadly described in the context of business related events. Spec. ¶ 33. Consequently, we agree with the Examiner that (1) Belgodere’s “business goals are synonymous with business rules,” (2) “[s]ince business goals are redefined [by Belgoder],” “redefining the business goals implies determining changes in the business goals” and, as such, (3) “Belgodere teaches determining a change in the business rules and proposing security policy updates in response to the change in the business rules.” Ans. 4. Likewise, DiGiambattista is cited for selecting a security policy template and modifying the selected template. DiGiambattista ¶¶ 105, 112, 154. As such, we agree with the Examiner that the combined teachings of Proctor, Belgodere, and DiGiambattista would suggest to a person of ordinary skill in the art to create a security policy based on business rules and update the same based on either Internet-based security threats or updated business rules in the manner recited in Appellant’s claims 1, 9, and 12. Ans. 3–6. For these reasons, Appellant does not persuade us of Examiner error. Accordingly, we sustain the Examiner’s obviousness rejection of Appeal 2020-005578 Application 15/433,098 8 independent claims 1, 9, and 12, and of the rejections of their respective dependent claims 2–8, 10, 11, and 13–19, which are not argued separately. CONCLUSION On this record, Appellant does not show the Examiner errs in rejecting claims 1–19 as obvious over the combined teachings of Proctor, Belgodere, and DiGiambattista. DECISION SUMMARY In summary: Claim(s) Rejected 35 U.S.C. § Reference(s)/Basis Affirmed Reversed 1–19 103 Proctor, Belgodere, DiGiambattista 1–19 No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv). AFFIRMED Copy with citationCopy as parenthetical citation