Microsoft Technology Licensing, LLC.
Patent Trials and Appeals Board
May 26, 2020
15006695 - (D) (P.T.A.B. May. 26, 2020)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 15/006,695
FILING DATE: 01/26/2016
FIRST NAMED INVENTOR: Yonatan Most
ATTORNEY DOCKET NO.: ADLM P0455 358779-US-NP
CONFIRMATION NO.: 6050

69316 7590 05/26/2020
MICROSOFT CORPORATION
ONE MICROSOFT WAY
REDMOND, WA 98052

EXAMINER: VU, PHY ANH TRAN
ART UNIT: 2438
NOTIFICATION DATE: 05/26/2020
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
chriochs@microsoft.com
usdocket@microsoft.com

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte YONATAN MOST, YINON COSTICA, and AMI LUTTWAK

Appeal 2019-001564
Application 15/006,695
Technology Center 2400

Before MAHSHID D. SAADAT, ROBERT E. NAPPI, and KRISTEN L. DROESCH, Administrative Patent Judges.

DROESCH, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Pursuant to 35 U.S.C. § 134(a), Appellant¹ appeals from the Examiner’s decision rejecting claims 1, 2, 4–15, and 17–25. We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM.

¹ We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42 (2017). Appellant indicates the real party-in-interest is Microsoft Technology Licensing LLC. Appeal Br. 3.

BACKGROUND

The disclosed invention relates to a method and device for detecting threats against cloud-based computer applications.
Spec. Abstract ¶ 2.

CLAIMED SUBJECT MATTER

Claim 1, which is representative of the subject matter of the appeal and is reproduced from the Claims Appendix of the Appeal Brief, reads as follows:

1. A method for detecting cyber threats against a cloud-based application, comprising:

receiving a request from a client device, the request directed to a cloud-based application computing platform, wherein the client device is associated with a user attempting to access the cloud-based application;

determining whether the received request belongs to a current session of the client device, associated with the user, accessing the cloud-based application;

extracting, from the received request, at least one application-layer parameter of the current session;

comparing the at least one extracted application-layer parameter to application-layer parameters extracted from previous sessions, gathered across a plurality of cloud based applications accessed by the user, to determine at least one risk factor; and

computing a risk score for the current session based on the determined at least one risk factor, wherein the risk score is indicative of a potential cyber threat.

REFERENCE

The prior art relied upon by the Examiner is:

Name                      Reference             Date
Kirti et al. (“Kirti”)    US 2015/0319185 A1    Nov. 5, 2013

REJECTION ON APPEAL

Claims 1, 2, 4–15, and 17–25 stand rejected under 35 U.S.C. § 102(a)(2) as anticipated by Kirti. Final Act. 4–9.

ANALYSIS

Appellant argues claims 1, 2, 4, 5, 7–15, 17, and 19–25 together as a group. See Appeal Br. 6–10, 12–13. Appellant presents additional separate arguments addressing together dependent claims 6 and 18. See id. at 10–11, 13. We choose claim 1 as representative of the first group and claim 6 as representative of the second group. See 37 C.F.R. § 41.37(c)(1)(iv).

We have reviewed the Examiner’s rejections in light of Appellant’s arguments in the Brief and the Reply Brief, as well as the Examiner’s Answer.
We are not persuaded by Appellant’s arguments. We highlight and address specific findings and arguments below for emphasis.

Claims 1, 2, 4, 5, 7–15, 17, and 19–25

The Examiner finds that Kirti discloses “receiving a request from a client device . . . attempting to access the cloud-based application,” as recited in claim 1, based on Kirti’s disclosure of a user activity such as a request to download a file. See Final Act. 5 (citing Spec. ¶¶ 58, 68, 69, 71, 92, 117). The Examiner finds that Kirti discloses “extracting, from the received request, at least one application-layer parameter of the current session,” as recited in claim 1, based on Kirti’s disclosure of extracting information, such as, IP address, date, time, and type of activity. See Final Act. 5 (citing Spec. ¶¶ 88, 92). The Examiner further finds that Kirti discloses “comparing the at least one extracted application-layer parameter to application-layer parameters extracted from previous sessions, gathered across a plurality of cloud based applications accessed by the user, to determine at least one risk factor,” as recited in claim 1, based on Kirti’s disclosure of comparing user activity with stored baselines of user behavior. See id. (citing Kirti ¶¶ 35, 40, 42, 67, 68, 87, 88). The Examiner explains:

when a user requests to log in to a cloud application to perform certain activity (current session), the user’s information such as, network IP address (application-layer parameter) will be logged/extracted []. The network IP address extracted will be compared to IP addresses in the baseline and the contextual information (application-layer parameters from previous sessions) to determine if the IP address being used by the user to perform the activity is IP address to watch or block.

Final Act. 3 (citing Kirti ¶¶ 8, 42, 44, 69, 89, 92, 139); see Ans. 4–5 (similar finding).
The Examiner further finds “in Kirti, the IP address (application-layer parameter) extracted is contained/encapsulated in the request and not retrieved from an external source.” Id. at 3–4. Finally, the Examiner finds that Kirti discloses “computing a risk score for the current session based on the determined at least one risk factor,” as recited in claim 1, based on Kirti’s disclosure of a risk score being generated. See id. at 5 (citing Kirti ¶¶ 100–104, 120). The Examiner explains that “a risk score is calculated for the IP address used by the user for a period of time, such as [the] past 24 hours, this inherently includes the IP address used in the current session.” Id. at 3 (citing Kirti ¶¶ 100–104).

Appellant argues that Kirti does not disclose the limitations of claim 1 because Kirti discloses a contextual detection method which is based on contextual data received from external sources that are outside the monitored cloud application. See Appeal Br. 6–7 (quoting Kirti code (57); citing Kirti ¶¶ 16–17); Reply Br. 4 (quoting Kirti code (57); citing Kirti ¶¶ 16–17). According to Appellant, the external contextual data is a key feature of Kirti’s detection method, and may be correlated or compared to internal activity data that is associated with the user’s account within a cloud application. See Appeal Br. 7 (citing Kirti ¶¶ 16–17); Reply Br. 4. Appellant points out that Kirti discloses that the likelihood of a threat may be influenced by expectations about a user in the real-world, such as, but not limited to, a user’s location or activity at a particular time. See Appeal Br. 7 (citing Kirti ¶¶ 86–87); Reply Br. 4 (citing Kirti ¶¶ 86–87). Appellant further argues that Kirti discloses that data from an external source is required to perform threat detection. See Appeal Br. 7–8 (quoting Kirti code (57)).
Appellant argues the claimed application-layer parameters cannot be equated to external contextual data because application-layer parameters are encapsulated in the requests to the cloud-based applications and are not retrieved from external sources. See Appeal Br. 8; Reply Br. 2.

Appellant’s arguments are not persuasive because they overlook the Examiner’s findings based on Kirti’s disclosures of internal user activity, namely user logins to cloud applications, and the extraction of IP addresses from the user logins. See Final Act. 3. To the extent that Appellant argues that Kirti cannot teach the limitations of claim 1 because Kirti discloses the baseline includes user activity and external data, we are not persuaded. The scope of claim 1 is open-ended because it utilizes the transitional phrase “comprising.” As such, contrary to Appellant’s suggestion, the scope of claim 1 does not exclude the use of data from external sources.

Appellant also argues that Kirti does not disclose extracting application-layer parameters from a request directed to a cloud-based application because, in Kirti, the internal contextual data is gathered from stored activity logs associated with a tenant account as users associated with the tenant perform various business related activities. See Appeal Br. 9. Appellant contends that such event activities can be logged with event details, but such event details are not extracted from the request sent from a client device, but rather extracted from stored logs. See id. (citing Kirti ¶ 92).

Appellant’s arguments are not persuasive of Examiner error because they overlook the Examiner’s findings based on paragraph 88 of Kirti. See Final Act. 5. Kirti discloses that contextual data may be collected when an end user of a cloud application performs activities. See Kirti ¶ 88.

Appellant also argues that an IP address is not an application-layer parameter, as defined by the OSI model. See Appeal Br.
9, 10 (citing https://en.wikipedia.org/wiki/Internet_Protocol). In response, the Examiner asserts that “‘[a]pplication-layer parameter’ does not have a specific meaning in the art, and there is nothing in the claim that clearly defines what is or is not equated to the application-layer parameter.” Ans. 4. According to the Examiner, “it would not be unreasonable to equate the contextual data in Kirti to the recited ‘application-layer parameter,’ as the contextual data in Kirti is information that associates with an application that the user used to make a request to log in to a cloud application in order to perform certain activity . . . i.e., contextual data such as IP address, type of device, and connectivity.” Id. (citing Kirti ¶¶ 68, 87, 89, 90). The Examiner points out (see id.) that Appellant’s Specification discloses “[s]uch application layer parameters may include, but are not limited to, a device type of a client device 130, an operating system type and version, an agent type, and so on.” Spec. ¶ 33.

In reply to the Answer, Appellant argues that one of ordinary skill in the art “would be familiar with the meaning of ‘application-layer parameter’ and, particularly, with the meaning of ‘application layer.’” See Reply Br. 3. Appellant contends that an application layer is an abstraction layer specifying the shared communication protocols and interface methods used by hosts in a communications network and is used by both the Internet Protocol Suite (TCP/IP) and the OSI model. See id. (citing Wikipedia entry for “Application layer”). Appellant further contends that communication between hosts is through data encapsulated in the application layer, and such data may include parameters. See id. (citing RFC 1123). Appellant further contends that RFC 1123 provides examples of application layer parameters utilized in different application layer protocols. See id.
(citing RFC 1123 Section 5.2).

We are not persuaded by Appellant’s arguments that application-layer parameter carries a narrow meaning, excluding IP addresses based on descriptions of an application layer, because these arguments are based on evidence besides Appellant’s Specification. “[T]he PTO applies to the verbiage of the proposed claims the broadest reasonable meaning of the words in their ordinary usage as they would be understood by one of ordinary skill in the art, taking into account whatever enlightenment by way of definitions or otherwise that may be afforded by the written description contained in the applicant's specification.” In re Morris, 127 F.3d 1048, 1054 (Fed. Cir. 1997). “[T]he specification ‘is always highly relevant to the claim construction analysis. Usually, it is dispositive; it is the single best guide to the meaning of a disputed term.’” Phillips v. AWH Corp., 415 F.3d 1303, 1315 (en banc) (quoting Vitronics Corp. v. Conceptronic, Inc., 90 F.3d 1576, 1582 (1996)). Extrinsic evidence may be useful, but it is unlikely to result in a reliable interpretation of patent claim scope unless considered in the context of the intrinsic evidence. Id. at 1319.

Appellant’s Specification broadly discloses “application-layer parameters may include, but are not limited to, a device type of a client device 130, an operating system type and version, and agent type, and so on.” Spec. ¶ 33 (emphasis added). The Specification provides additional examples of application layer parameters––“lists of users, devices, locations, etc.” and “application layer parameters including, for example, a type of client device used by the attacker, the location of the client device, the actions requested by the attacker, the identity associated with the credentials (e.g., credentials of a legit user), and the time access was required.” Spec. ¶¶ 27, 51 (emphasis added).
Furthermore, Appellant’s claims 1 and 9, when read together, support a broad interpretation of “application-layer parameters” that does not exclude IP addresses. Specifically, claim 1 recites “comparing the at least one extracted application-layer parameter to application-layer parameters extracted from previous sessions . . . to determine at least one risk factor,” and claim 9 dependent therefrom recites “the at least one risk factor includes any one of: . . . use of an anomalous proxy or internet protocol (IP) address to access the cloud-based application.” Claims 1 and 9, when read together, disclose that IP addresses are the extracted application-layer parameters that are compared to determine an anomalous IP address as the at least one risk factor.

For all of these reasons, we find that the broadest reasonable interpretation in light of Appellant’s Specification for “application-layer parameters” includes IP addresses. Accordingly, we are not persuaded that the Examiner erred in finding that Kirti’s IP addresses disclose application-layer parameters.

Appellant also argues that the Examiner does not demonstrate that Kirti’s “baseline is generated using applica[tion]-layer parameters extracted from previous sessions, across a plurality of cloud-based applications accessed by the user.” Appeal Br. 9. According to Appellant,

Kirti’s baseline includes one or more IP addresses, as the deviation is [with] respect to IP addresses previously logged. For example, Kirti teaches that the activity data includes a count of the number of unique internet protocol (IP) addresses used by a user account per day; the activity data includes one or more time differences between the use of different IP addresses by a user account.

Id. (citing Kirti ¶¶ 8–9).
Appellant’s argument is not persuasive because it is premised on a requirement of one extracted application-layer parameter from a single request, or a single request for the current session or each previous session. Claim 1 recites “receiving a request from a client device,” “extracting, from the received request, at least one application-layer parameter of the current session” and “comparing the at least one extracted application-layer parameter to application-layer parameters extracted from previous sessions across a plurality of cloud based applications accessed by a user to determine at least one risk factor.” Appeal Br. 15, Claim App. (emphasis added). “[A]n indefinite article ‘a’ or ‘an’ in patent parlance carries the meaning of ‘one or more’ in open-ended claims containing the transitional phrase ‘comprising.’” KCJ Corp. v. Kinetic Concepts, Inc., 223 F.3d 1351, 1356 (Fed. Cir. 2000). Thus, the full scope of claim 1 includes receiving one or more requests from a client device, and extracting from the one or more received requests, at least one application parameter for the current session. In other words, the current session and any previous session, as claimed, may include at least one application parameter for each of the one or more requests. Accordingly, we are not persuaded that Kirti’s disclosure of counts of unique IP addresses or time differences between uses of different IP addresses fails to disclose application layer parameters extracted from previous sessions, across a plurality of cloud-based applications accessed by the user.

For all of the foregoing reasons, we are not persuaded the Examiner erred in rejecting claims 1, 2, 4, 5, 7–15, 17, and 19–25 under 35 U.S.C. § 102(a)(2) as anticipated by Kirti.
Claims 6 and 18

Claim 6, dependent from claim 1, recites “the current session is a sequence of cloud-based application actions performed by the user during an uninterrupted period of activity by the user.”

The Examiner finds that Kirti discloses the limitations of claim 6 based on Kirti’s disclosure at paragraph 136. See Final Act. 6. The Examiner explains that Kirti discloses that when no activity is detected in a session for a certain period of time, the session will be interrupted, logged out, or timed out. See id. at 4. The Examiner further explains that the period in which user activities start until no activity is detected corresponds to the “current session,” as recited in claim 6. See id.

Appellant contends that Kirti does not disclose computing a risk score for the current session because Kirti discloses the score is computed over different time periods such as the past 24 hours or the past one, four, or eight weeks. Appeal Br. 10 (citing Kirti ¶ 100); see Reply Br. 6. Appellant contends that a session is a sequence of cloud-based application actions performed by the user during an uninterrupted period of activity by the user. See Appeal Br. 10 (citing dependent claim 6); see also id. at 8 (similar argument).

In the Answer, the Examiner explains that a “risk score is calculated for the IP address used by the user for a period of time, i.e., within 24 hours, which encompasses the current session of the claim.” Ans. 5 (emphasis omitted). The Examiner points out that Kirti discloses when no activity is detected in a session for a certain period of time, the session will be interrupted, logged out, or timed out. See id. (citing Kirti ¶ 136; Final Act. 4).
The Examiner explains that “when the user requests to log in to the cloud application (current session[])[,] all continuous activities by the user during that period prior to being interrupted and timed/logged out are considered as a sequence of cloud-based application actions performed by the user.” Id. at 5–6.

Appellant’s arguments are not persuasive of error in the Examiner’s finding that Kirti’s calculating a risk score for a period of time, such as 24 hours (see Final Act. 3 (citing Kirti ¶¶ 100–104), 5 (citing Kirti ¶¶ 100–104, 120)) discloses calculating a risk score for the current session. Appellant’s Specification supports the Examiner’s findings that Kirti’s period of time discloses a current session. Similar to the Examiner’s explanation based on Kirti’s disclosure at paragraph 136, Appellant’s Specification discloses:

A session may be, for example, a sequence of actions performed by a single user during an uninterrupted period of activity by that user. A sequence of actions may be identified as a session when, for example, the sequence of actions is performed within a particular time period, the sequence of actions occurs between two designated events (such as, but not limited to, logging in to and logging out of a user account), when a specific number of actions occurs, and so on. In an embodiment, the security gateway 210 is further configured to identify individual sessions in which a client device 130 accesses the cloud based application 115. For example, each login attempt and any other actions performed by a user within a predetermined time period may be identified as an individual session.

Spec. ¶ 25 (emphasis added).

For these reasons, in addition to the reasons explained above with respect to the Appellant’s arguments addressing claims 1, 2, 4, 5, 7–15, 17, and 19–25, we are not persuaded the Examiner erred in rejecting dependent claims 6 and 18 under 35 U.S.C. § 102(a)(2) as anticipated by Kirti.
CONCLUSION

We affirm the Examiner’s rejection of claims 1, 2, 4–15, and 17–25 under 35 U.S.C. § 102(a)(2).

In summary:

Claims Rejected      35 U.S.C. §    Reference/Basis    Affirmed             Reversed
1, 2, 4–15, 17–25    102(a)(2)      Kirti              1, 2, 4–15, 17–25

TIME PERIOD FOR RESPONSE

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED