ENTIT SOFTWARE LLCDownload PDFPatent Trials and Appeals BoardOct 5, 20212020003716 (P.T.A.B. Oct. 5, 2021) Copy Citation UNITED STATES PATENT AND TRADEMARK OFFICE UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 15/561,564 09/26/2017 Ofer Bachner 92001762 4194 146568 7590 10/05/2021 MICRO FOCUS LLC 500 Westover Drive #12603 Sanford, NC 27330 EXAMINER CHANG, LIN ART UNIT PAPER NUMBER 2438 NOTIFICATION DATE DELIVERY MODE 10/05/2021 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): software.ip.mail@microfocus.com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte OFER BACHNER, MEYTAL MAOR, and ELAD COHEN Appeal 2020-003716 Application 15/561,564 Technology Center 2400 Before MICHAEL J. STRAUSS, NABEEL U. KHAN, and DAVID J. CUTITTA II, Administrative Patent Judges. CUTITTA, Administrative Patent Judge. DECISION ON APPEAL STATEMENT OF THE CASE Pursuant to 35 U.S.C. § 134(a), Appellant1 appeals from the Examiner’s decision to reject claims 1–15, all the claims under consideration. We have jurisdiction under 35 U.S.C. § 6(b). We AFFIRM IN PART. 1 “Appellant” refers to “applicant” as defined in 37 C.F.R. § 1.42(a). Appellant identifies the real party in interest as MICRO FOCUS LLC. Appeal Brief filed November 20, 2019 (“Appeal Br.”) at 3. Appeal 2020-003716 Application 15/561,564 2 CLAIMED SUBJECT MATTER Summary Appellant’s application generally relates to “sharing platform share security indicators, security alerts, and/or other security-related information (e.g., mitigations strategies, attackers, attack campaigns and trends, threat intelligence information, etc.) with other users in an effort to advise the other users of any security threats, or to gain information related to security threats from other users.” Spec.¶ 1.2 According to Appellant, the invention provides a specific way to determine an indicator score that is associated with a security indicator” and presents the security indicator score “via a user’ interface, ‘to a community of users.’” Appeal Br. 9. The Security indicator score is based on sightings of observables that “indicate that the observable has been observed by [a] source entity.” Spec.¶ 23. Exemplary Claims Claims 1, 8, and 13 are independent. Claims 1, 5, 11, and 13 reproduced below with limitations at issue italicized, exemplify the claimed subject matter: 1. A method for determining security indicator scores, the method comprising: obtaining a security indicator created by a first user, the security indicator comprising a first observable and containing information identifying a security threat and 2 In addition to the Appeal Brief noted above, we refer to: (1) the originally filed Specification filed September 26, 2017 (“Spec.”); (2) the Final Office Action mailed May 23, 2019 (“Final Act.”); (3) the Examiner’s Answer mailed February 18, 2020 (“Ans.”); and (4) the Reply Brief filed April 16, 2020 (“Reply Br.”). Appeal 2020-003716 Application 15/561,564 3 associating the first observable with the identified security threat; obtaining, from a first source entity, a first sighting of the first observable, the first sighting of the first observable indicating that the first observable has been observed by the first source entity, wherein the first source entity is associated with a first level of source reliability; determining a number of sightings of the first observable, the sightings of the first observable including the first sighting of the first observable; determining a first observable score based on the number of sightings of the first observable and the first level of source reliability; determining an indicator score associated with the security indicator based on the first observable score; and presenting, via a user interface, the indicator score to a community of users. 5. The method of claim 1, further comprising: obtaining a set of votes associated with the security indicator from the community of users, individual votes of the set of votes indicating whether the security indicator is malicious; and determining the indicator score associated with the security indicator based on the set of votes obtained from the community of users. 11. The non-transitory machine-readable storage medium of claim 8, further comprising: instructions to determine a set of security indicators created by a particular user, the set of security indicators including at least the first security indicator; Appeal 2020-003716 Application 15/561,564 4 instructions to determine a number of votes associated with the set of security indicators; instructions to determine a third level of source reliability associated with the particular user based on the number of votes; and instructions to determine the first indicator score associated with the first security indicator based on the third level of source reliability. 13. A system comprising: a processor; and a memory to store instructions that, when executed by the processor, cause the processor to: present, via a user interface, a security indicator created by a user to a community of users, the security indicator comprising an observable, wherein the security indicator comprises information identifying a security threat and associating the observable with the identified security threat; obtain a set of votes associated with the security indicator from the community of users, individual votes of the set of votes indicating whether the security indicator is malicious; obtain, from a source entity, a sighting of the observable, the sighting of the observable indicating that the observable has been observed by the source entity, wherein the source entity is associated with a level of source reliability; determine an observable score based on a plurality of sightings of the observable and the level of source reliability, wherein the plurality of sightings comprise the sighting of the observable obtained from the source entity; and determine an indicator score associated with the security indicator based on the observable score. Appeal Br. 20, 21, 24, 25 (Claims Appendix). Appeal 2020-003716 Application 15/561,564 5 REFERENCES The Examiner relies on the following prior art references as evidence:3 Name Reference Date Basavapatna US 2013/0191919 A1 July 25, 2013 Visbal US 8,832,832 B1 Sept. 9, 2014 Chavez US 2015/0128020 A1 May 7, 2015 Waldman US 2015/0143245 A1 May 21, 2015 Allen US 2015/0220928 A1 Aug. 6, 2015 Thomson US 9,118,714 B1 Aug. 25, 2015 Wang US 2015/0373043 A1 Dec. 24, 2015 DiValentin US 2016/0269434 A1 Sept. 15, 2016 REJECTIONS The Examiner rejects the claims as follows: Claim(s) Rejected 35 U.S.C. § References Final Act. 1–3, 6, 8, 9 103 Visbal, DiValentin 4 4, 7 103 Visbal, DiValentin, Basavapatna 11 5, 10, 13 103 Visbal, DiValentin, Thomson 13 11 103 Visbal, DiValentin, Basavapatna, Chavez 18 12 103 Visbal, DiValentin, Wang 20 14 103 Visbal, Thomson, DiValentin, Waldman 21 15 103 Visbal, Thomson, DiValentin, Allen 21 3 All citations to the references use the first-named inventor or author only. Appeal 2020-003716 Application 15/561,564 6 OPINION We review the appealed rejections for error based upon the issues identified by Appellant and in light of Appellant’s arguments and evidence. Ex parte Frye, 94 USPQ2d 1072, 1075 (BPAI 2010) (precedential). Arguments not made are waived. See 37 C.F.R. § 41.37(c)(1)(iv) (2019). We disagree with Appellant that the Examiner errs in rejecting claims 1–4, 6–9, 11–15 and we adopt as our own the findings set forth by the Examiner for these claims to the extent consistent with our analysis herein. Final Act. 2– 18; Ans. 18–23. Rejection of Claim 1 over Visbal and DiValentin The Examiner finds claim 1 is obvious over the combined teachings of Visbal and DiValentin; and in particular finds DiValentin teaches or suggests “determining an indicator score associated with the security indicator based on the first observable score,” as recited in claim 1. Final Act. 5–6 (citing DiValentin ¶¶ 3, 4, 16, 17). Appellant argues that DiValentin fails to teach the limitation at issue because “DiValentin’s composite credibility score is an internal score used for actions taken by the computer system” and “DiValentin does not contemplate communicating the composite credibility score to the threat intelligence server 202 or to any entity outside of its computer system.” Appeal Br. 11; Reply Br.2–3. The Examiner disagrees, pointing out that “DiValentin was introduced to teach [the] limitation of determin[ing] an indicator score associated with the security indicator based on the first observable score.” The Examiner adds that in DiValentin, an “[a]ction is an observable, [and] credibility Appeal 2020-003716 Application 15/561,564 7 scores for the action can be read on the first observable score. Communicating the score to any entity outside of its computing system is not claimed in this limitation of claim 1.” Ans. 4 (citing DiValentin ¶ 3). We agree with the Examiner. The limitation at issue is silent about communicating the indicator score. Although claim 1 separately recites “presenting, via a user interface, the indicator score to a community of users,” the Examiner relies on the teachings of Visbal rather than DiValentine to teach this limitation. Appellant’s argument, directed to DiValentin alone, is not responsive to the Examiner’s findings. See Nat’l Steel Car, Ltd. v. Canadian Pac. Ry., Ltd., 357 F.3d 1319, 1336–37 (Fed. Cir. 2004) (rejecting argument directed at the wrong reference). Next, Appellant argues “DiValentin fails to disclose or render obvious the use of the composite credibility score to rank or evaluate the underlying security threat. In other words, DiValentin fails to disclose or render obvious scoring a security indicator, i.e., an indicator that identifies a security threat, as set forth in claim 1.” Appeal Br. 11. The Examiner disagrees, finding that DiValentin teaches determining an indicator score: DiValentin discloses scoring a security indicator, i.e., an indicator that identifies a security threat (DiValentin: Para. 003: “determining a composite credibility score for the indicator of compromise”). DiValentin also discloses that each indicator of compromise is a potential threat indicator (Claim 1: “for each potential indicator of compromise that is a potential threat indicator”). Therefore, DiValentin teaches scoring a security indicator, i.e., an indicator that identifies a security threat as set forth in claim 1. Ans. 4–5. Appeal 2020-003716 Application 15/561,564 8 Appellant fails to show reversible error in the Examiner’s factual findings. As an initial matter, Appellant’s first argument is unpersuasive because claim 1 does not recite “the use of the composite credibility score to rank or evaluate the underlying security threat”; therefore this argument is based on a limitation not found in the claim. Appeal Br. 11. Limitations not appearing in the claim cannot be relied upon for patentability. In re Self, 671 F.2d 1344, 1348 (CCPA 1982). Appellant further argues that “DiValentin fails to disclose or render obvious scoring a security indicator.” Appeal Br. 11; Reply Br. 1–2. This argument is unpersuasive for the same reason, because claim 1 does not recite “scoring a security indicator.” Next, Appellant argues the Examiner’s cited motivation is based solely on impermissible hindsight: [T]he Final Office Action fails to show why one of ordinary skill in the art would have derived, based on this combination, determining an indicator score associated with a security indicator, as set forth in claim 1, absent impermissible hindsight gleaned solely from the present application. In other words, claim 1 recites a way to derive an indicator score associated with a security indicator based on sightings, whereas DiValentin discusses an internal scoring process for identifying indicators of compromise associated with a particular security threat. Appeal Br 11; see also Reply Br. 2. We are not persuaded. Rather than using hindsight, the Examiner points to specific disclosures in the prior art that describe all of the limitations of claim 1. Final Act. 3–6. In addition, as a rationale to combine Visbal and DiValentin, the Examiner determines: [I]t would have been obvious to one of ordinary skill, in the art at the time, to modify the system disclosed by Visbal to include obtaining a security indicator created by a first user, the security Appeal 2020-003716 Application 15/561,564 9 indicator comprising a first observable and containing information identifying a security threat and associating the first observable with the identified security threat and determining as disclosed by DiValentin. One of ordinary skill in the art would have been motivated to make this modification in order to improve security controls in response to ongoing security threats as suggested by DiValentin. Id. at 6 (citing DiValentin ¶ 37) (emphasis omitted). Accordingly, the Examiner has provided sufficient reasoning with rational underpinnings for combining the teachings of Visbal and DiValentin. See In re Kahn, 441 F.3d 977, 988 (Fed. Cir. 2006) (“[R]ejections on obviousness grounds . . . [require] some articulated reasoning with some rational underpinning to support the legal conclusion of obviousness”) (cited with approval in KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 418 (2007). Appellant, in turn, does not address the actual reasoning provided by the Examiner. Appeal Br. 11; Reply Br. 1–3. Appellant also fails to provide sufficient evidence that the Examiner’s proffered combination would have been “uniquely challenging or difficult for one of ordinary skill in the art.” Leapfrog Enters., Inc. v. Fisher-Price, Inc., 485 F.3d 1157, 1162 (Fed. Cir. 2007). Id. For these reasons, we sustain the Examiner’s rejection of claim 1 as obvious over the teachings of Visbal and DiValentin, as well as the rejections of independent claim 8; and dependent claims 2–4, 6, 7, 9, and 12, which Appellant does not argue separately or only nominally argues separately. Appeal Br. 9, 12, 15, 18. Rejection of Claims 5 and 10 over Visbal, DiValentin, and Thomson Dependent claim 5 recites “obtaining a set of votes associated with the security indicator from the community of users, individual votes of the set of Appeal 2020-003716 Application 15/561,564 10 votes indicating whether the security indicator is malicious; and determining the indicator score associated with the security indicator based on the set of votes obtained from the community of users.” Appeal Br. 21. The Examiner relies on Thomson to teach the limitations at issue, finding Thomson “provides a user interface that allows a user (e.g., a cyber threat analyst, etc.) to submit ratings for various characteristics associated with a cyber threat indicator.” Final Act. 13 (citing Thomson Abstract). Appellant argues that “Thomson discusses an analyst using a user interface to submit a rating for characteristics of a cyber threat indicator, not a vote indicating whether the cyber threat indicator is malicious.” Appeal Br. 14. According to Appellant, Thomson’s TIC (cyber threat intelligence confidence rating) interface does not provide for determining a score based on a set of votes: [I]f hypothetically, multiple cyber analysts submitted rating configurations for the same threat, then Thomson’s TIC server would modify the score in response to each submission. This would not be tantamount to, however, determining or modifying an indicator score based on a set of votes obtained from a community of users. In other words, the submitted user configuration cannot be considered a vote or a vote of a set of votes; and Thomson’s modification of the score by the TIC server is not based on a set of votes. Appeal Br. 14. The Examiner finds Appellant’s argument unpersuasive because “submitting a rating is equivalent to voting” and “Thomson discloses a system provides a user interface that allows a user to submit rating for various characteristics associated with a cyber threat indicator (Abstract), [and] one of the characteristics is classification (spam).” Ans. 6 (citing Thomson Fig. 3b). Appeal 2020-003716 Application 15/561,564 11 Appellant’s arguments are persuasive of error because the Examiner does not adequately explain how Thomson’s disclosure of providing a user interface that allows a user to modify a classification rating value teaches the limitations at issue. We agree with the Examiner’s finding that “Thomson discloses a system provides a user interface that allows a user to submit rating for various characteristics associated with a cyber threat indicator.” Ans. 6. The Examiner, however, fails to sufficiently explain how “submitting a rating is equivalent to voting” to determine an indicator score. Id. To the contrary, we find the cited portions of Thomson describe allowing a user to modify a TIC score but that the TIC score does not disclose a mechanism for “determining the indicator score associated with the security indicator based on the set of votes obtained from the community of users.” For example, Thomson explains that “a user 30 can move the slider bar 304 next to the Criticality row or drag the slider bar left or right to adjust the Criticality weight/ rating” and TIC score 303, but the Examiner does not explain how TIC score 303 is determined based on the set of votes obtained from the community of users. Thomson 8:32–35. We, therefore, do not agree with the Examiner’s finding that Thomson’s user interface for modifying a TIC score teaches or suggests “determining the indicator score associated with the security indicator based on the set of votes obtained from the community of users” as recited in claim 5. Because we agree with at least one of the dispositive arguments advanced by Appellant for claim 5, we need not reach the merits of Appellant’s other arguments. Accordingly, based on the record before us, we do not sustain the Examiner’s 35 U.S.C. § 103 rejection of dependent claim Appeal 2020-003716 Application 15/561,564 12 5 as obvious over the combined teachings of Visbal, DiValentin, and Thomson. Claim 10 recites elements similar to those of claim 5; therefore, we also do not sustain for the same reasons the rejection of claim 10. Appeal Br. 23. Rejection of Claim 13 over Visbal, DiValentin, and Thomson Independent claim 13 recites “obtain a set of votes associated with the security indicator from the community of users, individual votes of the set of votes indicating whether the security indicator is malicious” and “determine an indicator score associated with the security indicator based on the observable score.” Appeal Br. 25 (emphasis added). In contrast with claims 5 and 10, claim 13 does not recite determining an indicator score based on the set of votes, but instead determines an indicator score based on the observable score, which does not reflect or take into account votes from the community of users. Although Appellant argues claim 13 separately, Appellant does so only nominally “by relying on the reasons that are discussed above for the § 103 rejection of claims 5 and 10” in the discussion of claim 13. Appeal Br. 15. As noted, however, claim 13 has a different scope than claims 5 and 10 because claim 13 does not recite determining an indicator score based on the set of votes. Accordingly, Appellant’s argument that Thomson’s TIC interface does not provide for determining a score based on a set of votes, which we found persuasive with respect to claims 5 and 10, is not persuasive with respect to claim 10, in view of the difference in scope of the claims. Consequently, we sustain the Examiner’s rejection of claim 13 as obvious over the combined teachings of Visbal, DiValentin, and Thomson. Appeal 2020-003716 Application 15/561,564 13 We also sustain the rejections of dependent claims 14 and 15, which Appellant only nominally argues separately. Appeal Br. 18. Rejection of Claim 11 over Visbal, DiValentin, Basavapatna, and Chavez Dependent claim 11 recites in part “instructions to determine a set of security indicators created by a particular user, the set of security indicators including at least the first security indicator.” Appeal Br. 24. The Examiner relies on Basavapatna’s discussion of receiving queries from users specifying a particular risk metric range to teach or suggest the limitations at issue. Final Act. 18–19 (citing Basavapatna ¶¶ 67, 140, 45). In particular, the Examiner finds Basavapatna discloses “the user can request to only view information for assets, vulnerabilities, or threats . . . the network monitor 102 receives queries from users specifying a particular risk metric range, identifies assets, vulnerabilities, or threats satisfying the query.” Final Act. 19 (citing ¶ 140). Appellant argues Basavapatna’s “‘sensor’ cannot be considered a ‘security indicator’ in the context of claim 11, in that the sensors of Basavapatna are not a set.” Appeal Br. 17 (citing Basavapatna ¶¶ 23, 67). Appellant further argues that paragraph [0045] of Basavapatna “discusses calculating a severity score, not determining a set of security indicators created by a particular user.” Id. The Examiner responds by pointing out that the “Examiner did not consider ‘sensor’ as a ‘security indicator’ or rules associating assets with sensors are not security indicators created by a particular user. [Rather, the] Examiner considered querying from users specifying a particular risk metric range.” Ans. 8 (citing Basavapatna ¶ 140). Appeal 2020-003716 Application 15/561,564 14 We agree with the Examiner’s findings, noting Basavapatna discloses that “users can set rules that associate particular aggregate risk metrics with particular actions. For example, a user can specify that if an aggregate risk metric for any vulnerability or threat rises above a specified threshold, the user should be alerted.” Basavapatna ¶ 140. Basavapatna further explains that “network monitor 102 receives queries from users specifying a particular risk metric range, identifies assets, vulnerabilities, or threats satisfying the query, and presents the identified assets, vulnerabilities, or threats to the user.” Id. Appellant, in turn, fails to specifically address the Examiner’s reliance (Final Act. 18–19; Ans. 7–8) on Basavapatna’s disclosure in paragraph 140 of receiving queries from users specifying a particular risk metric range to teach or suggest the limitations at issue (Appeal Br. 16–17). Accordingly, Appellant does not demonstrate error in the Examiner’s findings. Consequently, we sustain the Examiner’s rejection of claim 11 as obvious over the combined teachings of Visbal, DiValentin, Basavapatna, and Chavez. CONCLUSION For the reasons discussed, Appellant has not persuaded us of error in the Examiner’s obviousness rejections of independent claims 1, 8, and 13. We, therefore, sustain the Examiner’s rejection of these claims, as well as the rejections of dependent claims 2–4, 6, 7, 9, 11, 12, 14, and 15, which depend directly or indirectly from claims 1, 8, and 13. Appeal 2020-003716 Application 15/561,564 15 Appellant has persuaded us of error in the Examiner’s obviousness rejections of dependent claims 5 and 10. We, therefore, do not sustain the Examiner’s rejection of these claims. DECISION SUMMARY In summary: Claim(s) Rejected 35 U.S.C. § Reference(s)/Basis Affirmed Reversed 1–3, 6, 8, 9 103 Visbal, DiValentin 1–3, 6, 8, 9 4, 7 103 Visbal, DiValentin, Basavapatna 4, 7 5, 10, 13 103 Visbal, DiValentin, Thomson 13 5, 10 11 103 Visbal, DiValentin, Basavapatna, Chavez 11 12 103 Visbal, DiValentin, Wang 12 14 103 Visbal, Thomson, DiValentin, Waldman 14 15 103 Visbal, Thomson, DiValentin, Allen 15 Overall Outcome 1–4, 6–9, 11–15 5, 10 TIME PERIOD FOR RESPONSE No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv) (2019). AFFIRMED IN PART Copy with citationCopy as parenthetical citation
