Ex Parte COTE et al
Patent Trial and Appeal Board
Jun 15, 2017
13436626 (P.T.A.B. Jun. 15, 2017)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 13/436,626
FILING DATE: 03/30/2012
FIRST NAMED INVENTOR: Matthew COTE
ATTORNEY DOCKET NO.: SIGN0059US
CONFIRMATION NO.: 5121

138770 7590 06/19/2017
Artegis Law Group, LLP-VERISIGN, INC.
710 Lakeway Drive, Suite 185
Sunnyvale, CA 94085

EXAMINER: POWERS, WILLIAM S
ART UNIT: 2434
NOTIFICATION DATE: 06/19/2017
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
algdocketing@artegislaw.com
kcruz@artegislaw.com
rsmith@artegislaw.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte MATTHEW COTE and TREVOR TONN

Appeal 2016-006837
Application 13/436,626¹
Technology Center 2400

Before JASON V. MORGAN, JOSEPH P. LENTIVECH, and DAVID J. CUTITTA II, Administrative Patent Judges.

MORGAN, Administrative Patent Judge.

DECISION ON APPEAL²

Introduction

This is an appeal under 35 U.S.C. § 134(a) from the Examiner’s Final Rejection of claims 1–20. We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM-IN-PART.

¹ Appellants identify Verisign, Inc., as the real party in interest. App. Br. 2.

² Throughout this Decision we have considered the Appeal Brief filed Dec. 2, 2015 (“App. Br.”), Reply Brief filed June 28, 2016 (“Reply Br.”), Examiner’s Answer mailed May 5, 2016 (“Ans.”), Final Rejection mailed May 14, 2015 (“Final Act.”) and the Specification filed Mar. 30, 2012 (“Spec.”).

Invention

Appellants disclose malicious computer code detection that entails hooking one or more functions and creating “an event object ... for each called function that is hooked.” Abstract.

Exemplary Claims

Claims 1 and 5, reproduced below with key limitations emphasized

1. A computer-implemented method for detecting malicious software code, comprising:
    launching, in a computing device of a computer system, a software application comprising a plurality of primary functions;
    receiving instructions from a server;
    performing a function call of a first primary function of the plurality of primary functions based on the instructions;
    intercepting the function call;
    calling and executing a secondary function to create a first event object, the first event object including one or more attributes related to the function call;
    storing the first event object in a collection of event objects of a data structure, the event objects of the collection including attributes related to function calls of the plurality of primary functions;
    determining that a rule is satisfied based on an application of one or more conditions of the rule to one or more of the event objects of the collection; and
    identifying, based on the determining, the software application as malicious software code.

5. The method of claim 1, wherein the one or more attributes of the first event object includes at least one of an object type, an element type, a method name, an arguments string, or a loader object address.

Rejections

The Examiner rejects claims 1, 5–9, 11, 15–18, and 20 under 35 U.S.C. § 103(a) as being unpatentable over Dewey (US 2009/0150999 A1; publ. June 11, 2009) and Kirby (US 7,694,150 B1; issu. Apr. 6, 2010). Final Act. 6–9.

The Examiner rejects claims 2–4 and 12–14 under 35 U.S.C. § 103(a) as being unpatentable over Dewey, Kirby, and Rubin (US 2005/0108554 A1; publ. May 19, 2005). Final Act. 9–11.

The Examiner rejects claims 10 and 19 under 35 U.S.C. § 103(a) as being unpatentable over Dewey, Kirby, and Baddour (US 2008/0010683 A1; publ. Jan. 10, 2008). Final Act. 11.

ANALYSIS

Claims 1–4, 6–14, and 16–20

Dewey teaches the use of “a program hook/jump 50 at the call address of the program execution engine 44 or shortly after the call address, which diverts processing of the program code to malicious-code detector 45 . . . before execution engine 44 executes the program code.” Dewey ¶ 16. The Examiner finds that this diversion (i.e., the use of program hook/jump 50 to divert processing to malicious-code detector 45) teaches or suggests calling and executing a secondary function, as recited in claim 1. Final Act. 7 (citing Dewey ¶ 16).

The Examiner notes that “Dewey does not expressly mention making a first event object.” Final Act. 7. Rather, Dewey’s malicious-code detector 45 (i.e., a secondary function) “scans the program code (from the HTML and associated files) for malicious code based on signature, heuristics, or other malicious-code detection techniques.” Dewey ¶ 16. Thus, the Examiner relies on Kirby’s signature generator—which computes a suspect object’s real-time signature on a suspect object—to teach or suggest creating a first event object (a signature), the first event object including one or more attributes related to the function call (where the signature is computed based on the suspect object). Final Act. 7 (citing Kirby Abstract, col. 4, ll. 10–16).

The Examiner concludes that it would have been obvious to an artisan of ordinary skill to modify Dewey’s teachings and suggestions of calling and executing a secondary function to include signature generation (as taught or suggested by Kirby) because Dewey, like Kirby, uses signatures in its detection system. Ans. 13 (citing Dewey ¶ 16; Kirby col. 2, l. 62–col. 3, l. 6); see also Final Act. 7 (citing Kirby Abstract).

Appellants contend the Examiner erred because Dewey fails to teach or suggest creating a first event object in the manner claimed (App. Br. 5) while Kirby fails to teach or suggest calling and executing a secondary function (id. at 6). The Examiner correctly notes that Appellants’ contentions attack Dewey and Kirby individually rather than attacking the combined teachings and suggestions of the references. Ans. 9.

Appellants respond that “the Examiner parsed the [disputed] feature midsentence and addressed each portion in isolation.” Reply Br. 2. Setting aside that “[e]ach claim begins with a capital letter and ends with a period” (MPEP 608.01(m))—and thus, analysis of a claim’s limitations typically entails some form of parsing in the middle of a sentence (i.e., providing findings and reasoning with respect to part of the claim)—Appellants do not cite to any authority precluding the use of multiple references to teach or suggest particular limitations within a larger recitation.

Appellants submit that “claim terms are not interpreted in a vacuum, devoid of the context of the claim as a whole.” Reply Br. 2 (citing Hockerson-Halberstadt, Inc. v. Converse Inc., 183 F.3d 1369, 1374 (Fed. Cir. 1999)). However, the issues raised by Appellants’ arguments relate to whether the combination of Dewey and Kirby teaches or suggests the disputed recitation, not to whether the Examiner interpreted claim terms in isolation in a manner that led to the Examiner improperly interpreting their meaning. Moreover, Appellants do not show how the Examiner’s use of Dewey for one part of the disputed recitation and Kirby for another part of the disputed recitation evinces the Examiner unreasonably interpreted the disputed recitation or parts thereof.

Appellants argue the Examiner erred because “Kirby does not disclose a ‘function call,’ much less ‘attributes related to the function call.’” App. Br. 7.
However, we agree with the Examiner that it would have been obvious to an artisan of ordinary skill to have the signature generated during interception of a function call, as taught or suggested by the combination of Dewey and Kirby, relate to the function call itself. Ans. 11. Such a relationship would have been obvious given that Dewey’s scanned program code is the same code forwarded to program execution engine 44 (i.e., the called function). See Dewey ¶ 16. Moreover, whether Kirby’s signature generator is inherently invoked via a function call, as Appellants dispute (Reply Br. 5–6), does not address the issue of whether the disputed recitation is obvious in light of Dewey’s program code diversion to a malicious-code detector that uses signature-based malicious-code detection and in light of Kirby’s generation of a signature.

Furthermore, we do not agree with Appellants that “Kirby’s signature does not include any ‘attributes.’” App. Br. 7; see also id. at 9–10. As Appellants acknowledge, Kirby’s signature is a hash or message digest generated by a formula from a source (e.g., a string of text). App. Br. 7. Thus, the signature itself represents an attribute of the source data (i.e., the hash or message digest that is generated by the formula used). The Specification’s examples of other types of attributes, such as names, types, and arguments (see App. Br. 9; Spec. ¶ 38) are non-limiting and do not preclude an attribute generated from the source data (e.g., using a formula or algorithm such as a hashing function) from falling within a reasonably broad interpretation of one or more attributes related to the function call.

Appellants also contend “the asserted rational for combining Dewey and Kirby does not articulate any credible reasons that could support a legal conclusion of obviousness” (App. Br. 11; see also Reply Br. 11 and 13) and that “Dewey and Kirby cannot be predictably combined using known methods to arrive at the claimed invention” because “Dewey is directed to detecting malicious code using signatures” while “Kirby is directed to generating signatures of objects (e.g., files)” (App. Br. 11). However, we agree with the Examiner that the disputed recitation represents a predictable combination of the teachings and suggestions of Dewey and Kirby because they are both related to the use or generation of signatures, and because both references “are directed to protecting a computer system from malicious intent.” Ans. 13. Appellants do not provide persuasive evidence that modifying Dewey’s secondary function call and execution to generate a signature, as taught or suggested by Kirby, as part of Dewey’s process of using signature techniques would have been anything more than the predictable use of prior art elements according to known methods to yield predictable results.

For these reasons, we agree with the Examiner that the combination of Dewey and Kirby teaches or suggests “calling and executing a secondary function to create a first event object, the first event object including one or more attributes related to the function call,” as recited in claim 1. Accordingly, we sustain the Examiner’s 35 U.S.C. § 103(a) rejection of claim 1, and claims 2–4, 6–14, and 16–20, which Appellants do not argue separately with persuasive specificity. See App. Br. 14 and 16.

Claims 5 and 15

In rejecting claim 5, the Examiner finds that Dewey’s disclosure of a “Document Object Module [that] determines object program code” teaches or suggests wherein the one or more attributes of the first event object includes at least one of an object type, an element type, a method name, an arguments string, or a loader object address. Final Act. 8; Ans. 14.

Appellants contend the Examiner erred because “the mere disclosure of a Document Object Module determining object program code does not teach or suggest the claimed subject matter.” App. Br. 15. In particular, Appellants note that, according to the Examiner’s findings, “Dewey does not disclose the claimed ‘first event object,’” and thus, Appellants argue the Document Object Module of Dewey does not disclose attributes of the first event object including one of an object type, an element type, a method name, an arguments string, or a loader object address. Reply Br. 15–16.

We agree with Appellants. The Examiner relies on Kirby’s signature generation to teach or suggest creating a first event object, as recited in claim 1 from which claim 5 depends. See Final Act. 7. The Examiner relies on Dewey, rather than Kirby, to show that it would have been obvious to have this first event object (i.e., Kirby’s generated signature) include one of the recited attributes of claim 5. Id. at 8; Ans. 14. However, the Examiner’s cursory findings (Final Act. 8; Ans. 14) fall short of showing that modifying Kirby’s generated signature to include one of the recited attributes would have been obvious to an artisan of ordinary skill in light of Dewey’s Document Object Module.

Therefore, the Examiner’s findings do not show that the combination of Dewey and Kirby teaches or suggests “wherein the one or more attributes of the first event object includes at least one of an object type, an element type, a method name, an arguments string, or a loader object address,” as recited in claim 5. Accordingly, we do not sustain the Examiner’s 35 U.S.C. § 103(a) rejection of claim 5, and claim 15, which recites similar recitations.

DECISION

We affirm the Examiner’s decision rejecting claims 1–4, 6–14, and 16–20.

We reverse the Examiner’s decision rejecting claims 5 and 15.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 41.50(f).

AFFIRMED-IN-PART