Ex Parte BESKROVNY et al.
Patent Trial and Appeal Board, Application No. 13/623,067 (P.T.A.B. Jan. 31, 2017)

United States Patent and Trademark Office
Application No.: 13/623,067
Filing Date: 09/19/2012
First Named Inventor: EVGENY BESKROVNY
Attorney Docket No.: IL920120050US1_8150-0259
Confirmation No.: 9307
Correspondence (Customer No. 73109): Cuenot, Forsythe & Kim, LLC, 20283 State Road 7, Ste. 300, Boca Raton, FL 33498
Examiner: ABRISHAMKAR, KAVEH
Art Unit: 2494
Notification Date: 02/02/2017 (delivered electronically)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte EVGENY BESKROVNY and OMER TRIPP

Appeal 2016-006203
Application 13/623,067 [1]
Technology Center 2400

Before THU A. DANG, STEPHEN C. SIU, and JOYCE CRAIG, Administrative Patent Judges.

SIU, Administrative Patent Judge.

DECISION ON APPEAL

This is a decision on appeal under 35 U.S.C. § 134(a) from the Examiner’s Final Rejection of claims 9–24. We have jurisdiction under 35 U.S.C. § 6(b).

We affirm.

[1] According to Appellants, the real party in interest is IBM Corporation (Appeal Brief, filed Nov. 23, 2015 (“App. Br.”) 1).

The disclosed invention relates generally to vulnerability of a Web application. Spec. ¶ 4. Independent claim 9 reads as follows:

9. A system comprising:
a processor configured to initiate executable operations comprising:
identifying infrastructure supporting a Web application;
obtaining vulnerability data for the Web application from an external data source according to the infrastructure;
deriving a test payload from the vulnerability data;
determining a type of vulnerability exploited by the test payload; and
selecting an existing validation operation of a testing system for validating a response from the Web application to the test payload according to the type of vulnerability.

Appellants appeal the Examiner’s rejection of:

claims 17–24 under 35 U.S.C. § 101;
claims 9, 12, 17, and 20 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti (U.S. 7,894,501 B2, issued July 19, 2011) and Xiong et al., “A Model-Driven Penetration Test Framework for Web Applications,” 2010 (“Xiong”);
claims 10 and 18 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Yunus et al. (US 2006/0277606 A1, published Dec. 7, 2006);
claims 11, 13, 16, 19, 21, and 24 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Mendelev et al. (US 2013/0160130 A1, published June 20, 2013);
claims 14 and 22 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Sima et al. (US 2008/0120722 A1, published May 22, 2008);
claims 15 and 23 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Hugard et al. (US 2013/0247206 A1, published Sept. 19, 2013).

ISSUE

Did the Examiner err in rejecting claims 9–24?

ANALYSIS

35 U.S.C. § 101 – claims 17–24

Claim 17 recites a computer-readable storage medium. The Examiner finds that the “computer-readable storage medium,” as recited in claim 17, “can ... be interpreted as a signal” and “hence does not fall within at least one of the four categories of patent eligible subject matter.” Final Act. 4. Appellants disagree with the Examiner. App. Br. 11–23 (citing Spec. ¶¶ 11–12).
The Specification discloses a “computer readable storage medium” that “may be, for example, but not limited to . . . [a] system, apparatus, or device, or any suitable combination of the foregoing.” Spec. ¶ 11. We agree with Appellants that the Specification discloses various examples of what “may” constitute a “computer readable storage medium.” However, Appellants do not demonstrate persuasively that the Specification also discloses that the “computer readable storage medium” is not a “signal.” Hence, Appellants have not demonstrated error in the Examiner’s finding that the “computer-readable storage medium,” as recited in claim 17 (and dependent claims 18–24), “can ... be interpreted as a signal.”

The Examiner did not err in rejecting claims 17–24 under 35 U.S.C. § 101.

35 U.S.C. § 103(a) – claims 9–24

Claim 9 recites obtaining vulnerability data for a Web application and deriving a test payload from the vulnerability data. Appellants argue that Zaninotti fails to disclose or suggest a “test payload . . . derived from the vulnerability data.” App. Br. 25, 26. The Examiner finds that Zaninotti discloses this feature. Final Act. 6 (citing Zaninotti 4:38–5:25).

As the Examiner indicates, Zaninotti discloses a “Web application” (or “web component” — Zaninotti 4:41–42) and obtaining vulnerability data for the web component (or “checking for the existence of security flaws” and obtaining data used to “determine if the application is vulnerable” — Zaninotti 4:39–40, 47–48). Zaninotti also discloses that the system performs a “vulnerability analysis” to “look[] for a . . . database of attacks to be constructed against the web component[].” Zaninotti 4:52–54. In other words, as the Examiner points out, to which we agree, Zaninotti discloses deriving (or “constructing”) a test payload (or constructing a database of attacks against the web component) from the vulnerability data (or from using data in the “vulnerability analysis”).
Claim 9 recites determining a type of vulnerability exploited by the test payload. Appellants argue that Zaninotti fails to disclose or suggest the “type of vulnerability is determined from the test payload.” App. Br. 25. The Examiner finds that Zaninotti discloses this feature. Final Act. 6 (citing Zaninotti 4:38–5:25).

As an initial matter, we note that claim 9 recites determining a type of vulnerability exploited by the test payload and does not appear to recite that the type of vulnerability is determined from the test payload. In any event, as the Examiner indicates, Zaninotti discloses “determin[ing] the type of technology” and constructing a database of attacks against a web component (i.e., a “test payload”) based on a vulnerability analysis using vulnerability data and the type of technology. Zaninotti also discloses an example of a “type” of technology and vulnerability in which “an open-source PHP web component [i.e., a PHP “type” of technology] will cause the system to try to append a set of . . . HTTP variables with invalid parameters.” Zaninotti 4:51–58. In other words, we agree with the Examiner that Zaninotti discloses a “type” of vulnerability that is “exploited by” (i.e., susceptible to such “attacks against [the] web component”) the test payload (i.e., an “attack” in the constructed database of such attacks against the web component).

Claim 9 recites selecting an existing validation operation for validating a response from the Web application according to the type of vulnerability. Appellants argue that Zaninotti fails to disclose or suggest “the existing validation operation is selected based upon the type of vulnerability.” App. Br. 25. The Examiner finds that Zaninotti discloses this feature. Final Act. 6 (citing Zaninotti 4:38–5:25).
As the Examiner indicates, to which we agree, Zaninotti discloses at least one example of a response from a web application (e.g., a “PHP web component” that “cause[s] the system to try to append a set of . . . variables with invalid parameters” — 4:55–57), selecting an existing validation operation (e.g., from “a provided [i.e., “existing”] database of attacks to be constructed against the web component’s set of URIs” — 4:52–53), and validating the response from the web application according to the type of vulnerability (e.g., “append[ing] . . . variables with invalid parameters” is “a characteristic of [the “type” of vulnerability] of PHP-based components” — 4:56–58).

Appellants argue that Zaninotti fails to disclose or suggest “how [the] type of vulnerability is used to select an existing validation operation.” App. Br. 25. Claim 9 recites selecting an existing validation operation. Appellants do not demonstrate persuasively that claim 9 also recites “how” a type of vulnerability is used to select an existing validation operation. To the extent that Appellants argue that Zaninotti fails to disclose selecting an existing validation operation “according to the type of vulnerability,” as recited in claim 9, this argument was previously addressed above.

For these reasons, we are not persuaded the Examiner erred in rejecting claim 9. Appellants do not provide additional, substantive arguments in support of claims 10–24 or additional, substantive arguments with respect to Yunus, Mendelev, Sima, or Hugard. App. Br. 23, 31–34.

SUMMARY

We affirm the Examiner’s rejection of:

claims 17–24 under 35 U.S.C. § 101;
claims 9, 12, 17, and 20 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti and Xiong;
claims 10 and 18 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Yunus;
claims 11, 13, 16, 19, 21, and 24 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Mendelev;
claims 14 and 22 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Sima;
claims 15 and 23 under 35 U.S.C. § 103(a) as unpatentable over Zaninotti, Xiong, and Hugard.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED