VMware, Inc.
Patent Trials and Appeals Board
Feb 28, 2022
2021000327 (P.T.A.B. Feb. 28, 2022)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 15/653,269
FILING DATE: 07/18/2017
FIRST NAMED INVENTOR: Ashot Nshan Harutyunyan
ATTORNEY DOCKET NO.: D323
CONFIRMATION NO.: 8728

152606 7590 02/28/2022
Olympic Patent Works PLLC
4979 Admiral Street
Gig Harbor, WA 98332

EXAMINER: SHEPPERD, ERIC W
ART UNIT: 2492
MAIL DATE: 02/28/2022
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________
Ex parte ASHOT NSHAN HARUTYUNYAN, ARNAK POGHOSYAN, NARA MOVSES GRIGORYAN, and VARDAN MOVSISYAN
________________
Appeal 2021-000327
Application 15/653,269
Technology Center 2400
____________
Before JAMES R. HUGHES, JOYCE CRAIG, and MATTHEW J. McNEILL, Administrative Patent Judges.

McNEILL, Administrative Patent Judge.

DECISION ON APPEAL

Appellant¹ appeals under 35 U.S.C. § 134(a) from the Examiner’s rejection of claims 1-6, 8-14, 16-22, and 24. The Examiner has determined claims 7, 15, and 23 contain allowable subject matter. Final Act. 25. We have jurisdiction under 35 U.S.C. § 6(b). We affirm.

¹ We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42. Appellant identifies VMWARE, INC. as the real party in interest. Appeal Br. 1.

STATEMENT OF THE CASE

Introduction

Appellant’s application relates to “analyzing event sources and detecting anomalies in the behavior of event sources from event messages.” Spec. ¶ 1.
Specifically, the application observes that computing systems output large numbers of “status, informational, and error messages that are collectively referred to . . . as ‘event messages.’” Id. ¶ 3. The log management servers that typically analyze events recorded in event messages, however, “currently lack the ability to detect anomalous behavior of an event source from the many thousands, if not millions, of event messages generated by the event source.” Id. Accordingly, the application describes “computational methods and systems to analyze the behavior of event sources, detect anomalies in the behavior of the event source, and generate recommendations to correct the detected anomalies.” Id. ¶ 41.

Claim 1 is illustrative of the appealed subject matter and reads as follows:

1. An automated method stored in one or more data-storage devices and executed using one or more processors of a management server computer of a distributed computing system to detect anomalous behavior of an event source from event messages generated by the event source, the method comprising:

quantifying the event messages to generate property time series data, the property time series data representing a property of the event source;

computing a threshold from the property time series data generated over time, the threshold representing a normalcy bound for normal operation of the event source;

detecting an abnormal state of the event source when on [sic] one or more property data points of the property time series data violate the threshold, the abnormal state indicating anomalous behavior by the event source;

displaying a property digression alert on a system console in response to detecting the abnormal state, the property digression alert indicating anomalous behavior of the event source; and

generating a recommendation to correct the anomalous behavior of the event source.

Appeal Br. 20 (Claims App.).
The Examiner’s Rejections

Claims 1-5, 9-13, and 17-21 stand rejected under 35 U.S.C. § 103 as unpatentable over Marvasti (US 2010/0036857 A1; Feb. 11, 2010) and Nicodemus (US 2007/0143827 A1; Jun. 21, 2007). Final Act. 13-21.

Claims 6, 14, and 22 stand rejected under 35 U.S.C. § 103 as unpatentable over Marvasti, Nicodemus, and Perng (US 2007/0263550 A1; Nov. 15, 2007). Final Act. 21-23.

Claims 8, 16, and 24 stand rejected under 35 U.S.C. § 103 as unpatentable over Marvasti, Nicodemus, and de Vries (“Density-preserving projections for large-scale local anomaly detection,” Jun. 17, 2011). Final Act. 23-25.

ANALYSIS

Appellant presents arguments with respect to the preamble and each of the steps in the method of claim 1. See Appeal Br. 4-18. We address each step in turn, but begin with the claim 1 element of “event messages,” introduced in the preamble.

Appellant asserts the claimed “[e]vent messages record events in terms of natural-language words and/or phrases, text strings that represent file names, path names, and perhaps alphanumeric parameters.” Appeal Br. 5. Appellant argues that Marvasti does not teach “event messages” (id. at 5-6), and that although “Nicodemus teaches generating log messages when a policy is violated,” “[t]he Examiner has not explained why someone skilled in the art would be motivated to combine the teachings of Nicodemus with the teachings [of] Marvasti to detect anomalous behavior of an event source from the event messages generated by the event source when the event message already describe policy violations that correspond to anomalous behavior.” Id. at 8.

Appellant has not persuaded us of Examiner error. Nicodemus relates to “fine tuning access control by remote, endpoint systems to host systems.” Nicodemus, Abstract. In an embodiment, “[p]olicy management system 106 provides rules and policies concerning the connection of remote endpoint systems 104 to host system 102.” Id. ¶ 95.
An endpoint system 104 includes conventional computer components as well as agents that monitor conditions in the endpoint system 104. Id. ¶ 98. Data collected by the agents can be communicated to policy management system 106, where it can be processed by compliance analysis engine 106C, which is “the central and primary destination for all collected or received condition state information collected by the local endpoint system 104.” Id. ¶¶ 638, 643. Nicodemus broadly discloses that “the universe of monitorable conditions, sources of state information, will expand and evolve over time,” and provides a plethora of examples of state information. See id. ¶¶ 112-357. As an example, “configuration data elements such as antivirus heuristics scanning status, and state data elements such as ‘is antivirus currently operating’, can be obtained by establishing an interface to an agent specifically designed to collect and report that piece of information.” Id. ¶ 109. Based on the above disclosure, we agree with the Examiner’s finding that Nicodemus’s collected state information meets the claim 1 limitation of “event messages.” Final Act. 14-15; Ans. 6-7.

Appellant’s focus on Nicodemus’s log messages is unpersuasive (see Appeal Br. 8; Reply Br. 3, 5), because this feature of Nicodemus is not relied upon by the Examiner, as discussed below with respect to the combination of Marvasti and Nicodemus.

Appellant’s argument that “[t]here is no evidence in Nicodemus that ‘state information’ is the same as an event message as defined in the application” (Appeal Br. 10; see also Reply Br. 6), is also unavailing. The Specification describes computing systems that output “status, informational, and error messages that are collectively referred to, in the current document, as ‘event messages.’” Spec. ¶ 3.
Accordingly, the Specification supports a broad reading of the claimed “event messages” as encompassing any informational messages normally outputted by computing systems. The Specification also provides that “event messages are relatively cryptic, including generally only one or two natural-language words and/or phrases as well as various types of text strings that represent file names, path names, and perhaps various alphanumeric parameters.” Spec. ¶ 75. But this is a statement about “event messages” “generally,” and does not limit the claimed “event messages” to any specific format or content. See id. In an embodiment of the Specification, event message 1602 includes a time stamp, an IP address, and text strings of a log write instruction, among other things. Id. ¶ 77. This is simply one example, however, and does not by itself narrow the scope of the claimed “event messages,” especially where the Specification otherwise defines event messages broadly as “status, informational, and error messages,” as noted above. Spec. ¶ 3. Even if “event messages” were to be limited to alphanumerical parameters, Nicodemus suggests this by disclosing, for example, state information that includes, with respect to antivirus information, “Vendor,” “Version,” “Signature files version,” and “Antivirus-specific configuration settings, (e.g., scan whole system, specific folders, specific files, [etc.] . . . ).” Nicodemus ¶¶ 239-244.

The preamble also introduces the claim element “event source,” which is what generates the “event messages.” Appellant contends there is no mention of an “event source,” as claimed, in the Examiner’s cited portions of Marvasti. Appeal Br. 10-11. We disagree. Marvasti relates to determining cycles and patterns in time-series data, and describes an embodiment involving “hypothetical network usage time-series data for an exemplary stock trading business.” Marvasti, Abstract, ¶ 25.
The Examiner finds “Marvasti [0024] shows ‘the source of data’ and [0029] shows that the data that is received is based on real-time data observations . . . .” Ans. 13. Based on this finding, we agree that Marvasti teaches an “event source,” because the time-series data is based on observations of real events, such as network usage by employees of the stock trading business. See Marvasti ¶ 25.

In the Reply Brief, Appellant asks “[h]ow can Marvasti teach or suggest an event source, which generates event messages, when the Examiner has explicitly acknowledged above that Marvasti does not teach or suggest event messages[?]” Reply Br. 4. But the Examiner has already provided a persuasive answer: the “Examiner relied upon Marvasti for the ‘event source’ and ‘events’”; “Marvasti is silent with regards to the delivery method of the event data.” Ans. 6-7. And in any case, we find Nicodemus also teaches an “event source,” based on the agents that collect the state information that the Examiner relies upon for teaching the claimed “event messages,” as discussed above. See Nicodemus ¶¶ 98, 638, 643. Or, as put by the Examiner with respect to Nicodemus, “[t]he condition state information is the data from the data source that is delivered as a result of a detected event, as such it is clearly related to event data being delivered by message.” Ans. 12.

Appellant contends the Examiner fails to explain how the elements of the claim 1 limitation of “quantifying the event messages to generate property time series data, the property time series data representing a property of the event source” map to teachings in Marvasti and Nicodemus. Appeal Br. 9. In particular, Appellant notes that Nicodemus teaches “[t]he analysis engine performs a calculation of the difference between the two sampled values . . . to obtain a rate, e.g.
emails per second, change in CPU temperature per second, number of HTTP request to a given DNS domain per minute, change in antivirus compliance score per minute, authentication failures per minute, etc.” Id. (quoting Nicodemus ¶ 922). Appellant argues that this disclosure “does not teach, suggest, or mention quantifying the state information” because although “Nicodemus mentions various types of information in paragraphs [0114] - [0357], some if which is identified as ‘state information,’ [] Nicodemus does not teach or suggest performing the operations described in paragraph [0922] on the various types of information described in paragraphs [0114] - [0357].” Id. at 10; see also Reply Br. 6. Put another way, Appellant asserts that “[t]here is no evidence that paragraph [0922] teaches, suggests, or mentions determining quantifying state information.” Appeal Br. 10.

We disagree. Nicodemus describes, for example, calculating a rate for the “number of HTTP requests” (Nicodemus ¶ 922), which is exactly one of the pieces of information Nicodemus identifies as state information (see id. ¶ 173 (“HTTP requests sent”)). In addition, the Examiner relies on Marvasti for teaching generating “property time series data.” Final Act. 13; Ans. 4. Accordingly, we find the combination of Nicodemus with Marvasti teaches the “quantifying the event messages to generate property time series data” limitation of claim 1.

Appellant contends Marvasti does not teach the claim 1 limitation of “computing a threshold from the property time series data generated over time, the threshold representing a normalcy bound for normal operation of the event source.” Appeal Br. 15. In particular, Appellant argues that Marvasti’s description of determining thresholds “is referring to the source of the time-series data,” not “the source of event messages.” Appeal Br. 15 (citing Marvasti ¶ 24).
We are not persuaded by this argument because, as mentioned above, Marvasti’s time-series data is based on observations from real events occurring in a network, i.e., an “event source.” See Marvasti ¶ 25. Moreover, as discussed above, Nicodemus also teaches the claimed “event source,” and the Examiner relies on Nicodemus, not Marvasti, for teaching “event messages” generated by an “event source.” See Ans. 6-7. Accordingly, Appellant’s argument against Marvasti alone (see Appeal Br. 15) is not persuasive of Examiner error with respect to the “computing a threshold” limitation in claim 1.

Appellant contends Marvasti does not teach the claim 1 limitation of “detecting an abnormal state of the event source when on [sic] one or more property data points of the property time series data violate the threshold, the abnormal state indicating anomalous behavior by the event source.” Appeal Br. 16. In particular, Appellant argues Marvasti “does not describe using a threshold to generate alerts when time-series data points violate a threshold,” but rather “describes a problem with setting a threshold for real-time data.” Id. at 16.

This argument is not persuasive. Marvasti notes that when setting thresholds for real-time data observations that have certain variations in the data, “such variations prove troublesome because spikes and other data that appear to be outside of the average have the potential to trigger alarms.” Marvasti ¶ 29. Here, Marvasti merely notes a challenge in determining a threshold, and provides a solution by “creating a threshold ‘exception’ for expected variation in the network usage data that would otherwise trigger alarm states.” Id. ¶ 32. This way, “the thresholds for those days [with large variation] may be more accurately predicted and set, thereby alerting potential problem states more accurately.” Id.
Accordingly, we find Marvasti teaches the “detecting an abnormal state of the event source” limitation in claim 1.

Appellant contends Nicodemus does not teach the claim 1 limitation of “displaying a property digression alert on a system console in response to detecting the abnormal state, the property digression alert indicating anomalous behavior of the event source.” Appeal Br. 16-17. Specifically, Appellant argues Nicodemus teaches “messages may be used to trigger the display of a message to a user on the local endpoint system 104 user interface,” but that claim 1, in contrast, requires that “when the property time-series data violates a threshold, an abnormal state of the event source is detected followed by displaying a property digression alert.” Id. at 17 (quoting Nicodemus ¶ 646).

To the extent Appellant here argues that Nicodemus alone does not teach “displaying a property digression alert . . . in response to detecting the abnormal state,” where the abnormal state is based on violation of a threshold, we are not persuaded of Examiner error. The Examiner relies on Marvasti for teaching a threshold used in “detecting an abnormal state of the event source.” Ans. 23-24. The Examiner relies on Nicodemus for teaching a “property digression alert.” In particular, Nicodemus describes “the display of a message to a user on the local endpoint system 104 user interface, the display of a message on the policy management system 106.” Nicodemus ¶ 646. Moreover, Nicodemus describes that analysis engine 106C determines what actions to take after comparing existing conditions to required conditions, including “notifications or alerts being displayed to the end user, and/or uploaded to a central management reporting console.” Id. ¶ 1067.
Accordingly, we find the combination of Marvasti and Nicodemus teaches “displaying a property digression alert on a system console in response to detecting the abnormal state,” as recited in claim 1.

Appellant also contends Nicodemus does not teach “generating a recommendation to correct the anomalous behavior of the event source.” Appeal Br. 17-18. In particular, Appellant argues that “none of the actions listed in the paragraphs following paragraph [0734] [in Nicodemus] corrects anomalous behavior at an event source of event messages.” Id. at 17. Appellant argues that “[c]ontracting a help desk so that a person can come to resolve an issue using the person’s expertise is not the same thing as an automated method that generates a recommendations to correct the anomalous behavior.” Id. at 18.

We disagree with Appellant. Nicodemus describes “[p]rovid[ing] a user notification of the security state of the endpoint and instruct[ing] them to contact their help desk to resolve the issue.” Nicodemus ¶ 737. We find that instructing a user to contact a help desk to resolve an issue with an endpoint meets the limitation of “generating a recommendation.” Moreover, we find the intention to resolve an issue with an endpoint relates to “anomalous behavior of the event source,” because Nicodemus’s endpoint 104 includes agents for collecting state information, which, as discussed above, teaches an “event source.” See id. ¶¶ 98, 638, 643. Notably, nothing in claim 1 requires the actual correction of anomalous behavior at the event source, only “a recommendation to correct” such behavior.

Appellant makes several combination arguments against the references. Appellant’s argument that there is no reason to combine Nicodemus’s log messages with Marvasti to detect anomalous behavior because the log messages themselves report already detected anomalous behavior (see Appeal Br.
7-8) is not persuasive because it is not responsive to the Examiner’s rejection (see Ans. 10 (“Appellant is illustrating an embodiment of Nicodemus, as being required to be combined with Marvasti, that was not relied upon by the Examiner.”)). As discussed above, the Examiner points to Nicodemus’s state information for teaching the claimed “event messages” (Ans. 6-7), and does not propose combining Nicodemus’s policy violation log messages (see Nicodemus ¶ 1060) with Marvasti for detecting anomalous behavior.

Appellant further argues that there would have been no motivation with a reasonable expectation of success to combine Nicodemus with Marvasti with respect to “quantifying the event messages to generate property time series data, the property time series data representing a property of the event source,” as recited in claim 1. Appeal Br. 11, 13-15.

We disagree. As discussed above, Nicodemus teaches quantifying event messages by describing the calculation of a rate of occurrence of certain events, such as HTTP requests, based on state information collected by agents of an endpoint device 104. See Nicodemus ¶¶ 109, 114, 173, 922. As mentioned above, Marvasti describes generating property time series data, for example, “network usage time-series data for an exemplary stock trading business.” Marvasti ¶ 25. We find one of ordinary skill in the art would have had a reasonable expectation of success in generating property time series data, as taught by Marvasti, from the quantified state information taught by Nicodemus. Specifically, Nicodemus’s “rate-based statistical analysis method” already includes performing a system query for particular state information “two times at a policy-defined sampling interval.” Nicodemus ¶ 922.
Accordingly, Nicodemus’s method lends itself to generating a property time series because Nicodemus obtains the necessary data to do so, such as the number of events that occurred at periodic intervals.

Moreover, as the Examiner explains, it would have been obvious to combine Nicodemus with Marvasti to “help detect and deter unauthorized access, fraud and data theft.” Final Act. 15 (citing Nicodemus ¶ 6). That is, the state information collected and analyzed in Nicodemus may relate to antivirus information. See Nicodemus ¶ 109. So, where Marvasti relates to using time series data to determine thresholds for alerting one to problem states with network usage (see Marvasti ¶¶ 24-32), combining Nicodemus with Marvasti would provide the benefit of alerting one to the particular problem state of an antivirus issue with the network, thus protecting against “unauthorized access, fraud and data theft.” Final Act. 15.

Appellant also argues that there would have been no motivation with a reasonable expectation of success to combine Nicodemus with Marvasti with respect to the “detecting an abnormal state of the event source” and “displaying a property digression alert” limitations of claim 1. Appeal Br. 17. We find the Examiner provides a sufficient motivation to combine the references, as discussed above. Moreover, Appellant provides no evidence that including Nicodemus’s “notifications or alerts being displayed to the end user, and/or uploaded to a central management reporting console” in the combined system of Marvasti and Nicodemus would yield unpredictable results. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 416 (2007) (“The combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results.”). Rather, we find one of ordinary skill in the art would have reasonably expected success in adding to Marvasti a display to alert a user.
For these reasons, we sustain the obviousness rejection of claim 1. We also sustain the obviousness rejection of independent claims 9 and 17, as well as dependent claims 2-6, 8, 10-14, 16, 18-22, and 24, for which Appellant does not provide separate specific arguments. See Appeal Br.

CONCLUSION

In summary:

| Claims Rejected | 35 U.S.C. § | Reference(s)/Basis | Affirmed | Reversed |
|---|---|---|---|---|
| 1-5, 9-13, 17-21 | 103 | Marvasti, Nicodemus | 1-5, 9-13, 17-21 | |
| 6, 14, 22 | 103 | Marvasti, Nicodemus, Perng | 6, 14, 22 | |
| 8, 16, 24 | 103 | Marvasti, Nicodemus, de Vries | 8, 16, 24 | |
| Overall Outcome | | | 1-6, 8-14, 16-22, 24 | |

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv). See 37 C.F.R. § 41.50(f) (2019).

AFFIRMED