Ex Parte ALY et al
Patent Trial and Appeal Board
May 24, 2016
13213595 (P.T.A.B. May. 24, 2016)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 13/213,595
FILING DATE: 08/19/2011
FIRST NAMED INVENTOR: HOSAM ALY
ATTORNEY DOCKET NO.: CA920100030US1_8150-0108
CONFIRMATION NO.: 8566

73109 7590 05/26/2016
Cuenot, Forsythe & Kim, LLC
20283 State Road 7
Ste. 300
Boca Raton, FL 33498

EXAMINER: WALIULLAH, MOHAMMED
ART UNIT: 2496
NOTIFICATION DATE: 05/26/2016
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
ibmptomail@iplawpro.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte HOSAM ALY, CRAIG R. CONBOY, IOSIF V. ONUT, and GUY PODJARNY

Appeal 2014-009293
Application 13/213,595¹
Technology Center 2400

Before DEBRA K. STEPHENS, JASON V. MORGAN, and DAVID J. CUTITTA, Administrative Patent Judges.

CUTITTA, Administrative Patent Judge.

DECISION ON APPEAL

This is an appeal under 35 U.S.C. § 134(a) from the Examiner's decision rejecting claims 21-34. We have jurisdiction over this appeal under 35 U.S.C. § 6(b) (2015).

We AFFIRM.²

¹ According to Appellants, the real party in interest is IBM Corporation (see Appeal Br. 1).
² Throughout this Opinion, we refer to (1) Appellants' Specification filed August 19, 2011 ("Spec."), (2) the Final Rejection ("Final Act.") mailed December 5, 2013, (3) the Appeal Brief ("Appeal Br.") filed February 28, 2014, (4) the Examiner's Answer ("Ans.") mailed June 25, 2014, and (5) the Reply Brief ("Reply Br.") filed August 20, 2014.

SUMMARY OF THE INVENTION

According to Appellants, the invention relates to a computer-implemented process for two-tier deep analysis of hypertext transport protocol data that monitors Web traffic. Spec. ¶ 8. The process receives a packet of Web traffic from a network to form a received packet, determines whether the Web traffic is suspicious using a first tier analysis and responsive to a determination that the Web traffic is suspicious, consumes the stored Web traffic using a deep analysis module. Id. The computer-implemented process further determines whether the stored Web traffic is a case of misuse using a second tier analysis and responsive to a determination that the stored Web traffic is a case of misuse, and feeds back data about a malicious connection to an intrusion protection system before returning to monitor the Web traffic. Id.

Claims 21 and 28 are independent claims. Claim 21 is exemplary and is reproduced with key limitations emphasized:

21. A computer program product, comprising:
a computer usable storage medium having stored therein computer usable program code for performing a two-tier deep analysis of Web traffic,
the computer usable program code, which when executed by the computer hardware system, causes the computer hardware system to perform:
receiving, using a intrusion prevention system, a packet of the Web traffic from a network;
performing, using the intrusion prevention system, a first tier analysis on the received packet;
causing, based upon a result of the first tier analysis, a second tier analysis to be performed on the received packet; and
receiving, using the intrusion prevention system, data based upon the second tier analysis.

REFERENCES

The prior art relied upon by the Examiner in rejecting the claims on appeal:

Son et al. ("Son"), US 2005/0182950 A1, Aug. 18, 2005
Waisman et al. ("Waisman"), US 2005/0262556 A1, Nov. 24, 2005
Kapoor et al. ("Kapoor"), US 2008/0134330 A1, June 5, 2008

REJECTIONS

Claims 21, 23, 26, 28, 30, and 33 are rejected under 35 U.S.C. § 102(b) as being anticipated by Son.

Claims 22-26, 29, 30, and 31-33 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Son in view of Kapoor.

Claims 27 and 34 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Son in view of Waisman.

Claims 21-34 are provisionally rejected for obviousness-type double patenting based on claims 21-27 of U.S. Patent Application No. 13/426,205.³

Our review in this appeal is limited only to the above rejections and issues raised by the Examiner and Appellants. We have not considered other possible issues including compliance with 35 U.S.C. § 101 that have not been raised by the Examiner and which are therefore not before us.⁴

³ On page 1 of the Appeal Brief, Appellants identify a related appeal - namely, Appeal No. 2014-009110 (Application No. 13/426,205).

⁴ In the event of further prosecution, the Examiner is advised to consider whether, in light of paragraphs 20-22 of the Specification, claims 21 and 28 are directed to statutory subject matter under 35 U.S.C. § 101.

ISSUES

Did the Examiner err by finding Son discloses a computer program product in which a second tier analysis is performed based upon a result of a first tier analysis, as recited in claim 21?
Did the Examiner err by finding the combination of Son in view of Kapoor teaches or suggests a computer program product wherein the first tier analysis is a network level analysis, and the second tier analysis is an application level analysis, as recited in claim 22?

Did the Examiner err by finding the combination of Son in view of Kapoor teaches or suggests wherein the computer usable program code further causes the computer hardware system to perform: causing a connection profile to be constructed using the result of the second tier analysis, as recited in claim 25?

Did the Examiner err by finding the combination of Son in view of Waisman teaches or suggests a computer program product wherein the second tier analysis is only performed upon the first tier analysis identifying the received packet as being suspicious, as recited in representative claim 27?

FINDINGS OF FACT

1. Son discloses blocking system 24 that sequentially performs hardware filtering (relied upon by the Examiner to disclose a first tier analysis as claimed) and software filtering (relied upon by the Examiner to disclose a second tier analysis as claimed) on traffic attacks through the packet-dedicated processor and the host system. Son ¶ 36; Final Act. 7. Son further discloses that the hardware filtering is primarily performed on network packets and the software filtering is secondarily performed on the network packets. Son ¶ 42. Figure 3 illustrates that a packet is processed sequentially by going through the hardware filter first and the software filtering second.

2. Son teaches performing static hardware filtering and sending good and abnormal traffic to the software filter for further screening. Son ¶ 42.

3. Kapoor teaches analyzing packets associated with application layer behavior. Kapoor ¶ 56 and ¶ 520.

4. Kapoor teaches constructing a connection profile using an analysis result. Kapoor ¶ 169 and ¶ 514.

5. Waisman teaches sending only abnormal traffic for second tier analysis. Waisman ¶ 21.

ANALYSIS

Rejections Under 35 U.S.C. § 102(b) & § 103(a)

Claims 21, 26, and 28

The Examiner finds that Son discloses every limitation of claim 21. Ans. 2-4, 8-10; Final Act. 6-8. Specifically, the Examiner finds that Son discloses "causing, based upon a result of the first tier analysis, a second tier analysis to be performed on the received packet" (emphasis added), as recited in claim 21. See Ans. 8-9. In disclosing the first and second tier analysis, the Examiner finds that in Son "hardware filtering and software filtering are analyzed on network traffic (packet/packets) in succession without others coming in between." Ans. 9 (citing Son ¶¶ 21, 36).

Appellants argue that the Examiner "has not established that Son teaches that the software filtering is caused to be performed based upon a result of the hardware filtering." Appeal Br. 11-14; Reply Br. 2.

Appellants' arguments do not persuade us of any reversible error in the Examiner's rejection. During examination, "the PTO must give claims their broadest reasonable construction consistent with the specification . . . . Therefore, we look to the specification to see if it provides a definition for claim terms, but otherwise apply a broad interpretation." In re ICON Health & Fitness, Inc., 496 F.3d 1374, 1379 (Fed. Cir. 2007). "[A]s applicants may amend claims to narrow their scope, a broad construction during prosecution creates no unfairness to the applicant or patentee." Id.

Initially, we note "based on," as recited in claim 21, has not been defined explicitly in Appellants' Specification. In fact, Appellants' Specification fails to even mention "based on" in the context of performing the first and second tier analysis. Consistent with the Examiner's finding (Ans. 9), we therefore interpret Son's disclosure of sequentially performing hardware and then software filtering on network packets (¶ 36) as disclosing "causing, based upon a result of the first tier analysis, a second tier analysis to be performed on the received packet" (emphasis added), as set forth below.

Appellants argue that the Examiner "has not established that Son teaches that the software filtering is caused to be performed based upon a result of the hardware filtering" (i.e., the first tier analysis). Reply Br. 2.

We disagree, because as the Examiner finds, Son discloses:

[t]he blocking system 14 performs secondary software filtering on dynamic attacks by selectively transmitting processing results, including information on blocking results related to incoming packets, information on packets primarily filtered out by the packet-dedicated processor, information on all the packets incoming to the packet-dedicated processor and partial information of packets according to a specific condition (for example, header information of all the packets) to the software filter.

Ans. 9 (citing Son ¶ 42) (emphasis added).

In addition, we find Son indicates that hardware filtering is performed by the packet-dedicated processor and that "the software filtering is performed by selectively transmitting processing results of the packet-dedicated processor to the software filter." Son ¶¶ 16-17 (emphasis added) (see also Son ¶¶ 41-43).

Thus, because Son discloses performing secondary software filtering on data primarily filtered by the packet-dedicated processor (hardware filtered packets), the Examiner correctly finds Son discloses the software filtering is caused to be performed based upon a result of the hardware filtering.
Appellants further argue that as claimed, the same received packet undergoes a two-tier analysis (i.e., the same packet is analyzed twice), whereas Son teaches analyzing a packet in one instance and a packet stream in another instance and therefore, in Son, the same packet is not analyzed twice. Appeal Br. 13.

We disagree with Appellants' argument, because, as noted by the Examiner, in Son, "blocking system 14 performs secondary software filtering on dynamic attacks by selectively transmitting processing results, including ... information on packets primarily filtered out by the packet-dedicated processor [and] information on all the packets incoming to the packet-dedicated processor." Ans. 9 (citing Son ¶ 42). Thus Son's "software filtering considers each and every packet under consideration for analysis purpose." Ans. 9.

Accordingly, we sustain the Examiner's 35 U.S.C. § 102(b) rejection of claim 21, and of claims 26, and 28, which Appellants do not argue separately. Appeal Br. 11.

Claims 22 and 29

Claim 22 recites "[t]he computer program product of claim 21, wherein the first tier analysis is a network level analysis, and the second tier analysis is an application level analysis."

The Examiner does not rely on Son to teach "the second tier analysis is an application level analysis," but instead relies upon Kapoor to teach the limitation at issue. Ans. 5-6.

Appellants argue that Kapoor fails to teach performing application level analysis because "the fact that a packet is associated with one layer does not establish the type of analysis that is being performed." Appeal Br. 15-16.

We disagree, noting Appellants fail to establish the Examiner's finding that analyzing packets associated with application layer behavior suggests an application level analysis (Ans. 5), is contrary to the plain meaning of "application level" or is inconsistent with the Specification. In re Zietz, 893 F.2d 319, 321 (Fed. Cir. 1989).
Appellants further argue the Examiner's proposed modification of Son based on Kapoor, would impermissibly change the core principle of Son because Son teaches two types of analysis, which would be substantively changed by the Examiner's proposed modification. Appeal Br. 16.

We do not find Appellants' arguments persuasive. Here, Appellants provide only unsupported assertions that fail to identify persuasive evidence. Appeal Br. 16-17. That is, Appellants do not explain sufficiently why modifying Son based on Kapoor would impermissibly change the core principle of Son by changing Son's two types of analysis.

Therefore, we are not persuaded by Appellants' arguments that the proposed combination of Son and Kapoor would impermissibly change the core principle of Son and so we sustain the rejection of claim 22 and of claim 29, which Appellants do not argue separately.

Claims 25 and 32

Claim 25 recites "[t]he computer program product of claim 21, wherein the computer usable program code further causes the computer hardware system to perform: causing a connection profile to be constructed using the result of the second tier analysis."

The Examiner does not rely on Son to teach "causing a connection profile to be constructed," but instead relies upon Kapoor at paragraphs 169 and 514. Final Act. 11; Ans. 6.

Appellants contend the cited portions of Kapoor fails to suggest "a connection profile," as claimed. Appeal Br. 18. Specifically, Appellants state "completely absent from the Examiner's cited passage or reproduced language is any mention of the claimed 'connection profile' or that this connection profile is construed using the result of the second tier analysis." Id.

Appellants' arguments are unpersuasive. As the Examiner finds, Kapoor teaches constructing a connection profile using a result of an analysis. Final Act. 11; Ans. 6. For example, Kapoor describes associating a subject of a training process with a networking behavior of a data flow and/or a content behavior of a data flow. Kapoor ¶¶ 169 and 514. In the case where the subject is associated with the content behavior, features may be extracted by using sequential one byte or two byte chunks that are normalized and then sorted, resulting in a profile. Id. Kapoor further describes the networking behavior may be associated with a connection time, an inter-connection time, a request time, a response time, a count of a number of bytes in a connection. Id. Hence, we find no reversible error in the Examiner's finding that Kapoor teaches causing a connection profile to be constructed based on an analysis result.

Likewise, the Examiner relies upon Son's teaching of secondary software filtering as the claimed "second tier analysis." Ans. 6. In essence, the Examiner finds that applying Kapoor's constructing of a connection profile to Son's second tier analysis improves one known data analysis process for another yielding no more than predictable results. See KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 416 (2007); Final Act. 11; Ans. 6.

In arguing against the Examiner's proposed combination of Son and Kapoor, Appellants fail to demonstrate that combining Kapoor's teaching of constructing a connection profile based on an analysis result with Son's teaching of a second tier analysis would yield anything more than a predictable result. Accordingly, we sustain the Examiner's rejection of claim 25 and of claim 32, which Appellants do not argue separately. Appeal Br. 17-18.

Claims 27 and 34

Claim 27 recites "[t]he computer program product of claim 21, wherein the second tier analysis is only performed upon the first tier analysis identifying the received packet as being suspicious."
The Examiner notes that "Son does not teaches [sic] exclusively, sending suspicious packet for next level analysis, but Waisman teaches based on risk level control logic send traffic to second level analysis [0021]." Ans. 12.

Appellants contend:

the Examiner's proposed modification [of Son based on Waisman] would impermissibly change the core principle of operation of Son. If the analysis of the alleged first tier analysis is that the received packet is suspicious, then Son teaches filtering out the packet. If so, it cannot be subject to a second tier analysis. Thus, a second tier analysis is inconsistent with the core principle of operation of Son.

Appeal Br. 19.

We disagree because, contrary to Appellants' contention, the Examiner finds that Son teaches performing static hardware filtering and sending good and abnormal traffic to the software filter for further screening, while relying on Waisman to teach only sending abnormal traffic for second tier analysis. Ans. 12-13.

We therefore do not find Appellants' arguments persuasive of error, because Appellants fail to provide sufficient evidence showing Son only discloses that a suspicious packet cannot be subject to a second tier analysis because it is always filtered out in a first tier analysis.

Appellants further argue for the first time in the Reply Brief that the Examiner's proposed modification of Son based on Waisman would not achieve the results described by the Examiner. Reply Br. 10. That argument is untimely and will not be considered in the absence of any good faith showing why it could not have been timely presented in Appellants' Appeal Brief. 37 C.F.R. § 41.41(b)(2) (2012).

Accordingly, we sustain the rejection under 35 U.S.C. § 103(a) of dependent claim 27 and of claim 34, which Appellants do not argue separately. Appeal Br. 18-19.

Appellants also fail to argue the remaining dependent claims separately. Accordingly, the remaining dependent claims will stand or fall with independent claims 21 and 28.

Claims 23 and 30

The Examiner rejects claim 23 under 35 U.S.C. § 102(b) as anticipated by Son. Final Act. 6. The rejection of claim 23 under 35 U.S.C. § 102(b) is improper. Claim 23 depends from claim 22 and includes all the limitations recited therein. Claim 22, however, is rejected under 35 U.S.C. § 103(a) as being unpatentable over Son and Kapoor. Final Act. 9. Claim 23, therefore, cannot properly be rejected under 35 U.S.C. § 102(b) based on Son.

The Examiner rejects claim 30 under 35 U.S.C. § 102(b) as anticipated by Son. Final Act. 6. The rejection of claim 30 under 35 U.S.C. § 102(b) is improper. Claim 30 depends from claim 29 and includes all the limitations recited therein. Claim 29, however, is rejected under 35 U.S.C. § 103(a) as being unpatentable over Son and Kapoor. Final Act. 11. Claim 30, therefore, cannot properly be rejected under 35 U.S.C. § 102(b) based on Son.

Accordingly, we summarily reverse the Examiner's 35 U.S.C. § 102(b) rejection of claims 23 and 30.

Obviousness-type Double Patenting Rejections

The Examiner rejected all of the claims on appeal for obviousness-type double patenting based on claims 21-27 of U.S. Patent Application No. 13/426,205. Final Act. 3-6. Appellants do not provide arguments disputing this rejection in the Appeal Brief. Therefore, we summarily affirm it. See Hyatt v. Dudas, 551 F.3d 1307, 1314 (Fed. Cir. 2008)

When the appellant fails to contest a ground of rejection to the Board, ... the Board may treat any argument with respect to that ground of rejection as waived. In the event of such a waiver, the PTO may affirm the rejection of the group of claims that the examiner rejected on that ground without considering the merits of those rejections.

DECISION

We reverse the Examiner's rejection of claims 23 and 30 under 35 U.S.C. § 102(b).
We affirm the Examiner's rejections of claims 21, 26, 28, and 33 under 35 U.S.C. § 102(b).

We affirm the Examiner's rejection of claims 22-27 and 29-34 under 35 U.S.C. § 103(a).

We affirm the Examiner's obviousness-type double patenting rejection of claims 21-34.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED