LEVEL 3 COMMUNICATIONS, LLC
Patent Trials and Appeals Board
May 7, 2020
14852519 - (D) (P.T.A.B. May. 7, 2020)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 14/852,519
FILING DATE: 09/12/2015
FIRST NAMED INVENTOR: Robert Smith
ATTORNEY DOCKET NO.: 0546-US-U1
CONFIRMATION NO.: 4016

83579 7590 05/07/2020
LEVEL 3 COMMUNICATIONS, LLC
Attn: Patent Docketing
1025 Eldorado Blvd.
Broomfield, CO 80021

EXAMINER: NGUY, CHI D
ART UNIT / PAPER NUMBER: 2435
NOTIFICATION DATE: 05/07/2020
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): patent.docketing@centurylink.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________
Ex parte ROBERT SMITH and SHAWN MARCK
____________
Appeal 2018-007570
Application 14/852,519
Technology Center 2400
____________

Before ERIC B. CHEN, JAMES B. ARPIN, and MICHAEL J. ENGLE, Administrative Patent Judges.

ARPIN, Administrative Patent Judge.

DECISION ON APPEAL

Appellant[1] appeals under 35 U.S.C. § 134(a), the rejections of claims 1–12 and 14. Final Act. 2.[2] Claim 13 is cancelled. Appeal Br. 2.

[1] “Appellant” here refers to “applicant” as defined in 37 C.F.R. § 1.42. Appellant identifies the real party-in-interest as Level 3 Communications, LLC. Appeal Br. 2.

[2] In this Decision, we refer to Appellant’s Appeal Brief (“Appeal Br.,” filed December 5, 2017), Supplemental Appeal Brief (“Supp. 
Appeal Br.,” filed February 5, 2018), and Reply Brief (“Reply Br.,” filed July 16, 2018); the Final Office Action (“Final Act.,” mailed September 22, 2017) and the Examiner’s Answer (“Ans.,” mailed May 16, 2018); and the Specification (“Spec.,” filed September 12, 2015). Rather than repeat the Examiner’s findings and determinations and Appellant’s contentions in their entirety, we refer to these documents. A hearing was held on April 17, 2020, and a transcript (“Tr.”) of that hearing is included in the record.

We have jurisdiction under 35 U.S.C. § 6(b). We affirm.

STATEMENT OF THE CASE

Appellant’s claimed methods and systems relate to techniques for mitigating distributed denial of service (DDoS) attacks on a network. Spec. ¶ 5. An address may be blocked temporarily if a request is classified as originating from an attacker performing a DDoS attack, but analysis of subsequent requests may result in unblocking the address. Id.; see id. at Fig. 7 (flow chart depicting addition and removal of addresses from blacklist based on classification of requests).

As noted above, claims 1–12 and 14 stand rejected. Claims 1 and 14 are independent, and claims 2–12 depend directly or indirectly from claim 1. Supp. Appeal Br. 2–4 (Claims App.). Claim 1 recites “[a] method,” and claim 14 recites “[a] system comprising: at least one processor; memory, operatively connected to the at least one processor and storing instructions that, when executed by the at least one processor, cause the system to perform” the method, as recited in claim 1. Id. at 2, 4. Claim 1, reproduced below with disputed limitations emphasized, is representative.

1. 
A method comprising:

receiving, at a mitigation system, a plurality of requests for one or more network resources to which the mitigation system is providing a mitigation service;

identifying a first request of the plurality of requests as occurring within a first observation cycle;

classifying the first request as a bad request based on one or more properties of the first request;

adding a first address associated with the first request to a block list for blocking requests from the first address for a specified time period;

identifying a second request of the plurality of requests as being transmitted from the first address and as occurring within a second observation cycle, the second request occurring within the specified time period;

classifying the second request as a good request based on one or more properties of the second request; and

removing, based on classifying the second request as a good request, the first address from the block list prior to the expiration of the specified time period, thereby allowing a future request from the first address to be transmitted to the one or more network resources.

Id. at 2 (emphasis added).

REFERENCES AND REJECTION

The Examiner relies upon the following references in rejecting the claims:

| Name[3] | Number | Issued/Publ’d | Filed |
| --- | --- | --- | --- |
| Saurel | US 8,621,065 B1 | Dec. 31, 2013 | Oct. 23, 2008 |
| Chebolu | US 2005/0060412 A1 | Mar. 17, 2005 | Dec. 19, 2003 |
| Afek | US 2006/0212572 A1 | Sept. 21, 2006 | July 14, 2005 |
| Weiser | US 2013/0152153 A1 | June 13, 2013 | Dec. 7, 2011 |

[3] All reference citations are to the first named inventor only.

Specifically, claims 1–3, 5, 6, 9, 11, and 14 are rejected as obvious over the combined teachings of Saurel and Afek (Final Act. 3–8); claims 4, 7, 8, and 10 are rejected as obvious over the combined teachings of Saurel, Afek, and Chebolu (id. 
at 8–10); and claim 12 is rejected as obvious over the combined teachings of Saurel, Afek, and Weiser (id. at 10–11).

Appellant contests the obviousness rejection of independent claims 1 and 14 and relies on the alleged deficiencies in the rejection of the independent claims to overcome the rejections of dependent claims 2–12.[4] Appeal Br. 4–11; Reply Br. 2–5. As noted above, the limitations of claim 14 mirror those of claim 1, and Appellant relies on the same contentions and evidence in challenging the rejection of both independent claims. Appeal Br. 4–9. Because we determine that affirmance of the rejection of independent claim 1 is dispositive, except for our ultimate decision, we do not discuss the merits of the rejection of claims 2–12 and 14 further herein.

We review the appealed rejection of independent claim 1 for error based upon the issues identified by Appellant, and in light of the contentions and evidence produced thereon. Ex parte Frye, 94 USPQ2d 1072, 1075 (BPAI 2010) (precedential). Arguments not made are waived. See 37 C.F.R. § 41.37(c)(1)(iv). Unless otherwise indicated, we adopt the Examiner’s findings in the Final Office Action and the Answer as our own and add any additional findings of fact for emphasis. We address the rejection of claim 1 below.

[4] Appellant presents no contentions or evidence challenging the Examiner’s rejection of claim 12. See Appeal Br. 4; Tr., 3:13–22. Claim 12 depends from independent claim 1 via intervening claims 9–11. Appellant states that claims 9–11 stand or fall with their base claim. Id. at 10–11. Thus, we also treat claim 12 as standing or falling with its base claim.

ANALYSIS

1. Obviousness of Claim 1 Over Saurel and Afek

As noted above, the Examiner rejects independent claim 1 as obvious over the combined teachings of Saurel and Afek. Final Act. 3–5. The Examiner finds that Saurel teaches or suggests almost all of the limitations, as recited in claim 1. Id. at 3–4. 
However, the Examiner acknowledges that Saurel “does not explicitly disclose removing based on classifying the second request as a good request, the first address from the block list prior to expiration of the specified time period.” Id. at 4. Nevertheless, the Examiner finds

Afek discloses removing based on classifying the second request as a good request, the first address from the block list prior to expiration of the specified time period (¶ [0006]; i.e. blocking the source for a period of time; [0089]; but if the packet contents are found to be legitimate, removing the source from the blacklist which is interpreted as removing the source from the blacklist prior the period of time expired).

Id.

Saurel’s Figure 4, including our annotations, is reproduced below.

[Figure 4 not reproduced.]

Figure 4 depicts steps of a process for dynamically blocking requests, including unblocking certain requests. Saurel, 1:61–63; see Final Act. 4 (citing Saurel, Fig. 4, to teach “removing the first address from the block list, thereby allowing a future request from the first address to be transmitted to the one or more network resources”); see also Saurel, 7:4–11 (“Systems and methods in accordance with other embodiments use dynamic blocking and unblocking on a per-host basis for relatively short periods of time, or monitoring periods of configurable length . . . .”).

Afek discloses, “[t]ypically, the guard device simply discards the blocked packet, but alternatively, the guard device may analyze the packet contents (and may even take action to deliver the packet or remove it from the blacklist if the packet contents are found to be legitimate).” Afek ¶ 89 (emphasis added). Further, Afek discloses,

[i]f malicious traffic has not subsided, the guard device leaves the source address on the blacklist, at a leave on blacklist step 80. 
On the other hand, if the traffic has subsided for a sufficient period of time, the guard device removes the source address from the blacklist, at a remove from blacklist step 82.

Id. ¶ 90 (emphasis added), Fig. 4 (steps 78, 80, and 82).

The Examiner finds that a person of ordinary skill in the relevant art would have had reason to combine the teachings of Saurel and Afek to achieve the method of claim 1 “in order to allow legitimate network packets to be processed while preventing malicious traffic.” Final Act. 5 (citing Afek ¶¶ 4, 5, 89).

Appellant contends that the Examiner erred in rejecting claim 1 as obvious over the combined teachings of Saurel and Afek for at least three reasons. Appeal Br. 4–7; Reply Br. 2–5. For the reasons given below, we are not persuaded of dispositive Examiner error.

First, Appellant contends that the Examiner acknowledges Saurel does not teach or suggest removing based on classifying the second request as a good request, the first address from the block list prior to expiration of the specified time period. Reply Br. 2 (citing Final Act. 4). However, as noted above with respect to Saurel’s Figure 4, Saurel discloses:

Systems and methods in accordance with other embodiments use dynamic blocking and unblocking on a per-host basis for relatively short periods of time, or monitoring periods of configurable length, which can be effective in preventing most attacks while not significantly affecting the user experience for any genuine user that might inadvertently, unintentionally, or innocently exceed a threshold for one of the specified dimensions.

Saurel, 7:4–11 (emphasis added); see Tr., 10:2–13:22.

Appellant contends that Afek discloses removing the packet received from the same source and does not teach or suggest removing the source, i.e., the address from the blacklist. Appeal Br. 5; Reply Br. 3. 
In particular, Appellant contends that the “it” in Afek’s paragraph 89 refers to unblocking the packet, not the address. Appeal Br. 5; Reply Br. 3. The Examiner finds, however, that Afek discloses, “[o]n the other hand, if the address of the packet is found on the blacklist, guard device 28 blocks the further transmission of the packet at the block step 70.” Ans. 12–13 (quoting Afek ¶ 89 (emphasis added)); see Afek, Abstract (“A determination is made, by analyzing the first data packet, that the first data packet was generated by a worm. In response to the determination, a second data packet sent over the network from the source address is blocked.” (emphasis added)), ¶ 90 (“the guard device removes the source address from the blacklist” (emphasis added)). Consequently, we are persuaded, given Saurel’s teaching of dynamic blocking and unblocking of addresses and Afek’s teaching that the address can be the basis for blocking and unblocking the packet, that Saurel and Afek together teach or suggest blocking an address by adding the address to a “block list” or unblocking or removing the address from the “block list.”

Second, even if Afek teaches or suggests removing the source address, Appellant contends that Afek does not teach or suggest removing the source address “prior to expiration of the specified time period.” Appeal Br. 7; Reply Br. 2–3. The Examiner finds, however, that Afek discloses, “[o]nce the guard system detects a suspicious packet or traffic pattern, it may block all or a portion of the packets from the same source for a period of time or take other preventive action.” Ans. 13–14 (quoting Afek ¶ 6 (italics and underlining added)). 
Thus, the Examiner finds that Afek is not limited to waiting out a time period, but broadly discloses “other preventive actions.” Id.; see Afek ¶ 90 (“The guard device typically determines that an attack has concluded by detecting whether traffic from the source has subsided for a certain period of time, at a traffic subsidence check step 78. If malicious traffic has not subsided, the guard device leaves the source address on the blacklist, at a leave on blacklist step 80. On the other hand, if the traffic has subsided for a sufficient period of time, the guard device removes the source address from the blacklist, at a remove from blacklist step 82.” (emphases added)).

Saurel teaches that the source of requests can be blocked for a period of time if a threshold is exceeded. Saurel, 2:13–26, 2:31–34, 2:49–57, 2:65–3:1, 8:25–28. However, as noted above, Saurel also teaches “dynamic blocking and unblocking on a per-host basis for relatively short periods of time, or monitoring periods of configurable length.” Id. at 7:5–7. Such dynamic blocking and unblocking can limit the effect of DDoS attacks on the genuine user experience caused by an inadvertent, unintentional, or innocent violation of a threshold for one of the specified dimensions. Id. at 7:7–11; see Tr., 19:5–20:4. Further, Saurel explains:

An administrator or other authorized person or process also specifies or otherwise selects the length of a monitoring period to be used to dynamically monitor and/or block requests 404. As discussed above, an appropriate period such as two minutes can be specified that allows for sufficient data collection while substantially preventing damage due to excessive requests. This period can vary by system, environment, process, and other such dimensions, and can be determined before receiving requests and/or adjusted or set after a period of receiving requests and monitoring data.

Saurel, 7:59–8:2 (emphases added). 
Thus, we understand Saurel to teach that dynamic blocking and unblocking allows the duration of blocking to be optimized, e.g., minimized, to limit the effects of blocking on the genuine user.[5] See id. at 7:8–9; Tr., 16:7–18.

Given Afek’s teaching that the guard device may unblock a source address upon determining when an attack has subsided “for a certain period of time” or “for a sufficient period of time,” we are persuaded that the Examiner has shown that Saurel and Afek together teach or suggest removing the address from the blocking list “prior to the expiration of the specified time.” Ans. 11–14; see Saurel, 7:4–11; Afek ¶¶ 6, 89, 90. In particular, if malicious traffic is detected and an address is added to the blacklist, the combination of Saurel and Afek would unblock the address when either (A) a certain amount of time has passed since the beginning of the attack, as in Saurel (i.e., the claimed “specified time period”) or (B) a shorter amount of time has passed since the end of the attack, as in Afek (i.e., the claimed “prior to the expiration of the specified time period”).

[5] For example, a relevant definition of the adjective “dynamic” is “[o]ccurring immediately and concurrently. The term is used in describing both hardware and software; in both cases it describes some action or event that occurs when and as needed.” MICROSOFT COMPUTER DICTIONARY, 181 (5th ed. 2002) (emphasis added).

Third, Appellant contends Saurel teaches away from its combination with Afek. Appeal Br. 7; Reply Br. 3–5. In particular, Appellant contends Saurel relies on the frequency of requests, not their content, but Afek relies on content. Appeal Br. 7; Reply Br. 3–5; see Saurel, 8:35–46 (frequency); Afek ¶ 70 (content). 
A reference may be said to teach away when a person of ordinary skill, upon reading the reference, would be discouraged from following the path set out in the reference, or would be led in a direction divergent from the path that was taken by the applicant. In re Gurley, 27 F.3d 551, 553 (Fed. Cir. 1994). “The fact that the motivating benefit comes at the expense of another benefit, however, should not nullify its use as a basis to modify the disclosure of one reference with the teachings of another. Instead, the benefits, both lost and gained, should be weighed against one another.” Winner Int’l Royalty Corp. v. Wang, 202 F.3d 1340, 1349 n.8 (Fed. Cir. 2000). However, “[a] reference does not teach away . . . if it merely expresses a general preference for an alternative invention[.]” DePuy Spine, Inc. v. Medtronic Sofamor Danek, Inc., 567 F.3d 1314, 1327 (Fed. Cir. 2009).

We are not persuaded that Saurel teaches away from its combination with Afek for two reasons. First, Afek discloses, “[t]he guard device may determine that the traffic from a given source address is suspicious, based on the content or statistical properties of the traffic, for example.” Afek ¶ 7 (italics and underlining added). Thus, Afek is not limited to identifying suspicious traffic based on content. Specifically, Afek explains, “[i]n a ‘conventional’ massive-bandwidth attack, the source of the attack may be traced with the help of statistical analysis of the source Internet Protocol (IP) addresses of incoming packets.” Id. ¶ 3 (emphasis added).

Second, claim 1 recites that the nature of the requests is determined from their “properties.” Supp. Appeal Br. 2 (Claims App.). The Specification explains that such properties may reflect either the content or the source of the request. See Spec. ¶ 22 (“The analysis of a request includes determining a network resource being requested. 
Other examples of a property of the request are the user agent string of a browser that one or more requests came from.”). Nevertheless, neither the claim language nor the Specification strictly limits what those “properties” are. See Spec. ¶ 52 (“[T]he first request is classified as a bad request based on one or more properties of the first request. The classification can be based on various criteria, e.g., as described herein and in U.S. Patent Application No. 13/458,129[6].” (emphasis added)). Consequently, we do not find Appellant’s contention persuasive of dispositive error.

We are not persuaded that the Examiner erred in rejecting claim 1 as obvious over the combined teachings of Saurel and Afek. For the same reasons, we are not persuaded that the Examiner erred in rejecting claim 14 as obvious over the combined teachings of Saurel and Afek. Consequently, we sustain the obviousness rejection of claims 1 and 14.

[6] Although Appellant does not incorporate the disclosure of U.S. Patent Application No. 13/458,586 by reference, this application was published as Patent Application Publication No. US 2013/0291107 A1, on October 31, 2013, before the filing date of the instant application. However, Appellant does not specify the portion of the application, upon which Appellant relies to teach the “criteria.”

2. Dependent Claims 2–12

Each of claims 2–12 depends directly or indirectly from independent claim 1. Supp. Appeal Br. 2–4 (Claims App.). As noted above, Appellant challenges the rejections of dependent claims 2–12 for the same reasons as their base claim. See id. at 10–11. Because we are not persuaded the Examiner erred with respect to the obviousness rejection of claim 1, we also are not persuaded the Examiner erred with respect to the obviousness rejections of claims 2–12. For this reason, we sustain the rejections of those claims.

DECISIONS

1. 
The Examiner did not err in rejecting claims 1–3, 5, 6, 9, 11, and 14 as obvious over the combined teachings of Saurel and Afek.

2. The Examiner did not err in rejecting claims 4, 7, 8, and 10 as obvious over the combined teachings of Saurel, Afek, and Chebolu.

3. The Examiner did not err in rejecting claim 12 as obvious over the combined teachings of Saurel, Afek, and Weiser.

4. Thus, on this record, claims 1–12 and 14 are unpatentable.

CONCLUSION

For the above reasons, we affirm the Examiner’s decision rejecting claims 1–12 and 14.

In summary:

| Claims Rejected | 35 U.S.C. § | References | Affirmed | Reversed |
| --- | --- | --- | --- | --- |
| 1–3, 5, 6, 9, 11, 14 | 103 | Saurel, Afek | 1–3, 5, 6, 9, 11, 14 | |
| 4, 7, 8, 10 | 103 | Saurel, Afek, Chebolu | 4, 7, 8, 10 | |
| 12 | 103 | Saurel, Afek, Weiser | 12 | |
| Overall Outcome | | | 1–12, 14 | |

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED