Splunk Inc.Download PDFPatent Trials and Appeals BoardJan 1, 20212019005462 (P.T.A.B. Jan. 1, 2021) Copy Citation UNITED STATES PATENT AND TRADEMARK OFFICE UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 14/928,503 10/30/2015 Sudhakar Muddu SP0139.23US (8032.US01) 1215 134200 7590 01/01/2021 Perkins Coie LLP - Splunk Inc. P.O. Box 1247 Seattle, WA 98111-1247 EXAMINER JOHNSON, CARLTON ART UNIT PAPER NUMBER 2436 NOTIFICATION DATE DELIVERY MODE 01/01/2021 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): patentofficecorrespondence@splunk.com patentprocurement@perkinscoie.com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE ____________ BEFORE THE PATENT TRIAL AND APPEAL BOARD ____________ Ex parte SUDHAKAR MUDDU and CHRISTOS TRYFONAS _____________ Appeal 2019-005462 Application 14/928,503 Technology Center 2400 ____________ Before ST. JOHN COURTENAY III, LARRY J. HUME, and PHILLIP A. BENNETT, Administrative Patent Judges. COURTENAY, Administrative Patent Judge. DECISION ON APPEAL Appellant1 appeals under 35 U.S.C. § 134(a) from a Final rejection of claims 1–30. We have jurisdiction over the pending claims under 35 U.S.C. § 6(b). We affirm. 1 We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42(a). According to Appellant, the real party in interest is Splunk, Inc. See Appeal Br. 1. Appeal 2019-005462 Application 14/928,503 2 STATEMENT OF THE CASE 2 Introduction Appellant’s claimed invention relates generally to “distributed data processing systems, and more particularly, to intelligence generation and activity discovery from events in a distributed data processing system.” (Spec. ¶ 3). Representative Independent Claim 1 1. A computerized method comprising: receiving event data from a plurality of sources, wherein the event data is associated with network activities by entities that interact with a computer network, and the types of entities include at least one of devices, applications, and/or network users; using machine learning models to identify anomalies from the event data, wherein anomalies are associated with at least one entity; automatically determining a score for each anomaly, wherein the score represents a quantification of a degree to which the event data is associated with anomalous activity on the network; automatically determining threats based on identified anomalies, wherein the determinations of threats are based at least in part on the scores determined for the anomalies; and causing display, in a graphical user interface, of an indication of the score for a plurality of the identified anomalies, wherein the display additionally identifies entities associated with each respective anomaly. 2 We herein refer to the Final Office Action, mailed Jan. 3, 2018 (“Final Act.”); Appeal Brief, filed Oct. 30, 2018 (“Appeal Br.”); the Examiner’s Answer, mailed May 6, 2019 (“Ans.”), and the Reply Brief, filed July 8, 2019 (“Reply Br.”). Appeal 2019-005462 Application 14/928,503 3 Appeal Br. 14, “CLAIMS APPENDIX.” (disputed limitations emphasized). Prior Art Evidence The prior art relied upon by the Examiner as evidence is: Name Reference Date Osborn et al. Linn et al. Andres et al. Eggert et al. Eberhardt, III et al. US 2007/0239495 A1 US 8,181,264 B2 US 8,201,257 B1 US 2013/0041796 A1 US 2013/0198119 A1 Oct. 11, 2007 May 15, 2012 June 12, 2012 Feb. 14, 2013 Aug. 1, 2013 Rejections A. Claims 1–5, 7–9, 11, 16–23, and 25–30 are rejected as being unpatentable under 35 U.S.C. § 103 over Andres and Eberhardt. B. Claims 6, 10, and 24 are rejected as being unpatentable under 35 U.S.C. § 103 over Andres, Eberhardt, and Osborn. C. Claim 12–14 is rejected as being unpatentable under 35 U.S.C. § 103 over Andres, Eberhardt, and Eggert. D. Claim 15 is rejected as being unpatentable under 35 U.S.C. § 103 over Andres, Eberhardt, and Linn. ANALYSIS We have considered all of Appellant’s arguments and any evidence presented. In our analysis below, we highlight and address specific findings and arguments for emphasis. Appeal 2019-005462 Application 14/928,503 4 Rejection A of Independent Claim 1 under § 103 Issues: Under 35 U.S.C. § 103, we focus our analysis on the following argued limitations that we find are dispositive regarding Rejection A of claim 1: Did the Examiner err by finding that the cited references teach or suggest the disputed limitations: automatically determining threats based on identified anomalies, wherein the determinations of threats are based at least in part on the scores determined for the anomalies; and causing display, in a graphical user interface, of an indication of the score for a plurality of the identified anomalies, wherein the display additionally identifies entities associated with each respective anomaly [,] within the meaning of representative claim 1?3 (emphasis added). See Final Act. 5–8. Appellant contends Andres does not teach that “the ‘determinations of threats are based at least in part on the scores.’” Appeal Br. 7. Appellant notes the Examiner cites to various paragraphs in Andres. However, Appellant urges that none of the cited paragraphs disclose the “threats are determined based at least in part on the determined scores.” Id. Although Appellant acknowledges that “Andres teaches correlating threats to vulnerabilities,” Appellant urges that Andres “does not teach or suggest 3 Throughout this opinion, we give the contested claim limitations the broadest reasonable interpretation (BRI) consistent with the Specification. See In re Morris, 127 F.3d 1048, 1054 (Fed. Cir. 1997). Appeal 2019-005462 Application 14/928,503 5 that threats are determined based at least in part on the determined scores.” Id. We are not persuaded by Appellant’s argument. We find a preponderance of the evidence supports the Examiner’s underlying factual findings. We find: (1) Andres’s risk score associated with each asset, in which the risk score is the level of risk an asset is exposed to, and (2) Andres’ usage of the risk score to determine the vulnerability severity of the threat, teach or at least suggest the disputed limitation: “determinations of threats are based at least in part on the scores.” See Andres col. 15, ll. 37– 40, col. 2, 22–28; Ans. 4–5. Appellant further contends that Andres “fails to disclose features of the ‘causing display’ element recited in the three independent claims.” Appeal Br. 7. In particular, Appellant avers that Andres “fails to teach or suggest an ‘indication of the score for a plurality of the identified anomalies’ and ‘display[ing] additionally identified entities associated with each respective anomaly.’” Appeal Br. 8. We are not persuaded by Appellant’s argument, because we find Andres’ descriptions of displaying the correlation results, displaying a list of assets susceptible to a threat, and displaying information about each of the susceptible assets, including their risk score, and listing the highest-risk- scoring assets at the top of a displayed list, teach or at least suggest the disputed limitations. See Andres col. 21, ll. 51–60, col. 1, ll. 53–58; Ans. 6. Appellant also argues: “Andres teaches that the list of susceptible assets and the corresponding asset risk scores (as shown in FIG. 2) relate to only a single ‘selected threat.’ See Andres at col. 2, lines 14–17. Thus, Andres does not teach or suggest that the score is indicated for ‘a plurality of Appeal 2019-005462 Application 14/928,503 6 identified anomalies.’” Appeal Br. 8. Appellant urges: “[f]inally, for all three independent claims, the Office’s citation to [a] ‘threat intelligence alert’ does not teach or suggest the claimed ‘receiving event data from a plurality of sources.’” Appeal Br. 9, (emphasis omitted). We are not persuaded by Appellant’s arguments because we are of the view that receiving event data from a plurality of sources would have merely been a “predictable use of prior art elements according to their established functions.” KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 417 (2007).4 Thus, claiming the display “of an indication of a score for a plurality of the identified anomalies” (claim 1) is not an unobvious distinction over the prior art of record, because using plural elements would have produced a predictable result under § 103. (emphasis added). Therefore, we find an artisan would have known how to apply Andres’s list of assets as depicted in Figure 2 (as identified by IP addresses 218) and corresponding asset risk scores (asset risk scores 214) to multiple threats, such as the multiple threats associated with risk levels 206 (e.g., A, B, or C). Such implementation would merely have realized a predictable result, and as such, would have been obvious under § 103. See KSR, 550 U.S. at 416-17. We conclude the claim is broader (under BRI) than the interpretation imputed by Appellant’s argument, given that the Specification does not contain limiting definitions for the disputed claim terms and Appellant has 4 “The combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results.” KSR, 550 U.S. at 416. “If a person of ordinary skill can implement a predictable variation, § 103 likely bars its patentability.” Id. at 417. Appeal 2019-005462 Application 14/928,503 7 not pointed to any such definitions. We emphasize that, because “applicants may amend claims to narrow their scope, a broad construction during prosecution creates no unfairness to the applicant or patentee.” In re ICON Health and Fitness, Inc., 496 F.3d 1374, 1379 (Fed. Cir. 2007) (citation omitted). On this record, and based upon a preponderance of the evidence, we are not persuaded of error regarding the Examiner’s underlying factual findings and ultimate legal conclusion of obviousness regarding Rejection A of independent representative claim 1. Therefore, we sustain the Examiner’s Rejection A of representative independent claim 1, and also Rejection A of independent claims 19 and 27, which recite similar limitations of commensurate scope. The remaining grouped dependent claims also rejected under Rejection A (and not argued separately) fall with representative independent claim 1. See 37 C.F.R. § 41.37(c)(1)(iv). We note that claims 2, 7, 20, 25, and 28 are argued separately and are addressed infra. Rejection A of Dependent Claims 2, 20, and 28 Regarding dependent claims 2, 20, and 28, Appellant contends that “Andres in view of Eberhardt fails to teach or suggest that ‘each entity ... includes a link which, upon selection by a user, causes the graphical user interface to generate a detailed view comprising additional data about the selected entity.’” Appeal Br. 10–11. We are not persuaded by Appellant’s argument and agree with the Examiner because we find Andres’ description of allowing a user to select a particular asset and request additional details about the asset teaches or at Appeal 2019-005462 Application 14/928,503 8 least suggests the disputed limitation. See Andres, col. 18, ll. 38–42; Ans. 10. Furthermore, we find an artisan would have understood the cited teachings in Andres at col. 18, ll. 38–42, to inherently teach a link/hyperlink.5 Therefore, on this record, we are not persuaded of error regarding the Examiner’s ultimate legal conclusion of obviousness for Rejection A of dependent claims 2, 20, and 28, and we sustain the rejection. Rejection A of Dependent Claims 7 and 25 Regarding dependent claims 7 and 25, Appellant contends: “Andres in view of Eberhardt fails to teach or suggest that the ‘entities view comprises a listing of users in a computer network of an organization.’” Appeal Br. 12. Appellant specifically urges that “specifying or selecting assets in Andres is not the same as the claimed ‘listing of users.’ Thus, the Office fails to show that Andres teaches an ‘entities view’ that comprises ‘a listing of users in a computer network of an organization.’” Id. We are not persuaded by Appellant’s arguments because we find Andres’ description of allowing a user to select a particular asset from a 5 “The inherent teaching of a prior art reference, a question of fact, arises both in the context of anticipation and obviousness.” In re Napier, 55 F.3d 610, 613 (Fed. Cir. 1995) (affirmed 35 U.S.C. § 103 rejection based in part on inherent disclosure in one of the references). The question of obviousness is “based on underlying factual determinations including . . . what th[e] prior art teaches explicitly and inherently.” In re Zurko, 258 F.3d 1379, 1383 (Fed. Cir. 2001) (citations omitted). Our reviewing court has also “recognized that inherency may supply a missing claim limitation in an obviousness analysis.” PAR Pharmaceutical, Inc. v TWI Pharmaceuticals, Inc. 773 F.3d 1186, 1194–95 (Fed Cir. 2014). Appeal 2019-005462 Application 14/928,503 9 displayed list and requesting additional details about the asset teaches or at least suggests the disputed limitation. See Andres, col. 18, ll. 38–42; Ans. 11–12. Therefore, on this record, and based upon a preponderance of the evidence, we are not persuaded of error regarding the Examiner’s underlying factual findings and ultimate legal conclusion of obviousness regarding Rejection A of dependent claims 7 and 25. Accordingly, we sustain the Examiner’s obviousness Rejection A of claims 1–5, 7–9, 11, 16–23, and 25–30. Rejections B, C, and D of Dependent Claims 6, 10, 12–15, and 24 Appellant does not advance separate, substantive arguments traversing the Examiner’s Rejections B, C, and D of the remaining dependent claims. Arguments not made are forfeited. See 37 C.F.R. § 41.37(c)(1)(iv). Accordingly, we sustain the Examiner’s Rejections B, C, and D of remaining dependent claims 6, 10, 12–15, and 24. CONCLUSION The Examiner did not err with respect to obviousness Rejections A, B, C, and D of claims 1–30 over the cited prior art of record, and we sustain the rejections. Appeal 2019-005462 Application 14/928,503 10 DECISION SUMMARY Claims Rejected 35 U.S.C. § Reference(s)/Basis Affirmed Reversed 1–5, 7–9, 11, 16–23, 25–30 103 Andres, Eberhardt 1–5, 7–9, 11, 16–23, 25–30 6, 10, 24 103 Andres, Eberhardt, Osborn 6, 10, 24 12–14 103 Andres, Eberhardt, Eggert 12–14 15 103 Andres, Eberhardt, Linn 15 Overall Outcome 1–30 FINALITY AND RESPONSE No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv). See 37 C.F.R. § 41.50(f). AFFIRMED Copy with citationCopy as parenthetical citation
