Ex Parte Muttik
Patent Trial and Appeal Board
Nov 20, 2012
10755450 (P.T.A.B. Nov. 20, 2012)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte IGOR GARRIEVICH MUTTIK

Appeal 2010-006286
Application 10/755,450
Technology Center 2400

Before MAHSHID D. SAADAT, MICHAEL J. STRAUSS, and JUSTIN BUSCH, Administrative Patent Judges.

SAADAT, Administrative Patent Judge.

DECISION ON APPEAL

Appellant appeals under 35 U.S.C. § 134(a) from the rejection of claims 1, 3-13, 15-18, 20-30, 32-35, 37-47, 49-52, and 55. Claims 2, 14, 19, 31, 36, 48, 53, and 54 have been canceled. We have jurisdiction under 35 U.S.C. § 6(b).

We affirm.

STATEMENT OF THE CASE

Introduction

Appellant’s invention relates to detecting malicious computer program activity resulting from computer viruses, worms, Trojans, etc., using detected characteristics of external program calls (see Spec. 1:5-8).

Exemplary independent claim 1 reads as follows:

1. A computer program product embodied on a tangible computer readable medium operable to detect malicious computer program activity, comprising:

logging code operable to log a stream of external program calls;

primary set identifying code operable to identify, within said stream of external program calls, a primary set of one or more external program calls matching one or more rules indicative of malicious computer program activity from among a set of rules;

secondary set identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls;

modifying code operable to modify said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity than said primary set of said one or more external program calls;

promoting code operable to determine whether said modified set of rules decreases malicious network traffic, and to promote said modified set of rules from a temporary set to a permanent set if it is determined that said modified set of rules decreases said malicious network traffic; and

additional promoting code operable to determine whether said modified set of rules slows malware propagation, and to promote said modified set of rules from said temporary set to said permanent set if it is determined that said modified set of rules slows said malware propagation;

wherein one of said at least one secondary set of one or more external program calls precedes said primary set of one or more external program calls within said stream of external program calls;

wherein said set of rules is modified to include a new rule corresponding to said secondary set of one or more external program calls, said new rule thereafter being used in addition to other rules within said set of rules.

The Examiner’s Rejections

Claims 1, 3-13, 15-18, 20-30, 32-35, 37-47, 49-52, and 55 stand rejected under 35 U.S.C. § 112, first paragraph, as failing to comply with the enablement requirement. (See Ans. 3).

Claims 1, 3-13, 15-18, 20-30, 32-35, 37-47, and 49-52 stand rejected under 35 U.S.C. § 112, second paragraph, as being indefinite (See id.).

FINDINGS OF FACT

The record supports the following relevant findings of fact (FF) by a preponderance of the evidence:

1. Appellant’s disclosure (Spec. 3:17-25) describes the claimed modified set of rules being more sensitive to additional external program as follows:

The present technique recognizes that external program calls logged in association with the primary set of external program calls known to correspond to malicious computer program activity may themselves subsequently be used as an indicator for malicious computer program activity. The secondary sets of external program calls are “tainted” by their association with the primary set of external program calls and the set of rules may be modified to be more sensitive to the secondary set of external program calls. In this way, the set of rules associated with malicious computer program activity may be extended and the detection made potentially more sensitive, reliable and proactive.

2. Appellant’s disclosure (Spec. 6:4-12) describes the claimed determining “whether said modified set of rules decreases malicious network traffic” and “whether said modified set of rules slows malware propagation” as follows:

In determining the validity and/or quality of the secondary set it is advantageous to check if the modifications have positive effect. This can be decided either internally (by applying some higher-level rules to the set modifications) or by external signal(s). An example of such an external signal could be a report that modified rule(s) decrease the malicious network traffic or slowdown the malware propagation. As an example, after a modified set is transmitted to other computers some network sensors detect the effect (e.g., decrease of traffic) and send a “positive” signal back. That raises the score or promotes a rule from “temporary” into “permanent” set.

PRINCIPLES OF LAW

Enablement

“[T]o be enabling, the specification of a patent must teach those skilled in the art how to make and use the full scope of the claimed invention without ‘undue experimentation.’” In re Wright, 999 F.2d 1557, 1561 (Fed. Cir. 1993). The key word is “undue,” not experimentation. In re Wands, 858 F.2d 731, 737 (Fed. Cir. 1988).

In determining whether undue experimentation would have been required to make and use an invention, the following factors are considered: (1) the quantity of experimentation necessary, (2) the amount of direction or guidance presented, (3) the presence or absence of working examples, (4) the nature of the invention, (5) the state of the prior art, (6) the relative skill of those in the art, (7) the predictability or unpredictability of the art, and (8) the breadth of the claims. Wands, 858 F.2d at 737.

Indefiniteness

The general rule is that a claim must set out and circumscribe a particular area with a reasonable degree of precision and particularity when read in light of the disclosure as it would be by the artisan. In re Moore, 439 F.2d 1232, 1235 (CCPA 1971). Acceptability of the claim language depends on whether one of ordinary skill in the art would understand what is claimed in light of the specification. Seattle Box Co. v. Industrial Crating & Packing, Inc., 731 F.2d 818, 826 (Fed. Cir. 1984). See also Metabolite Labs., Inc. v. Lab. Corp. of Am. Holdings, 370 F.3d 1354, 1366 (Fed. Cir. 2004):

The requirement to “distinctly” claim means that the claim must have a meaning discernible to one of ordinary skill in the art when construed according to correct principles...Only when a claim remains insolubly ambiguous without a discernible meaning after all reasonable attempts at construction must a court declare it indefinite. (Citations omitted).

ANALYSIS

Rejection under 35 U.S.C. § 112, first paragraph

The Examiner has taken the position that the Specification “does not disclose how to detect whether the modified set of rules decreases malicious network traffic or slows malware propagation” (Ans. 3). The Examiner further points out that “it is unclear how modified rules in one particular system has [sic] any effect on the amount of malicious traffic or the amount of propagated malware” (id.).

In response, Appellant contends (App. Br. 12) that the Specification, in page 6, lines 4-12, sufficiently enables the disputed claim language by stating:

[S]uch excerpt discloses that “after a modified set is transmitted to other computers some network sensors detect the effect (e.g., decrease of traffic) and send a ‘positive’ signal back” (Page 6, lines 9-11), which clearly teaches how to detect whether the modified set of rules decreases malicious network traffic or slows malware propagation, as noted by the Examiner.

Appellant further argues (id.) that the Specification, in page 3, lines 17-25, sufficiently enables the disputed claim language by stating:

“[a secondary set of] external program calls logged in association with the primary set of external program calls known to correspond to malicious computer program activity may themselves subsequently be used as an indicator for malicious computer program activity,” where “[t]he secondary sets of external program calls are ‘tainted’ by their association with the primary set of external program calls and the set of rules may be modified to be more sensitive to the secondary set of external program calls,” and where “the set of rules associated with malicious computer program activity may be extended and the detection made potentially more sensitive, reliable and proactive” (emphasis added).

The Examiner further explains the determination of nonenablement based on an analysis of Wands factors (see Ans. 4-6). The Examiner finds that the cited portion of the Specification in page 6 refers to a “report” for signaling whether or not the modified rules successfully decreased malicious network traffic or slowed malware propagation (Ans. 5). The Examiner reasonably explains that the amount of experimentation necessary for a person of ordinary skill in the art to generate this “report” and carry out Appellant’s claimed invention would be undue (id.). With respect to the amount of guidance or direction needed to enable the invention, the Examiner also states that the Specification does not clearly describe how the skilled artisan measures the change in such traffic or malware propagation based on modified rules (Ans. 6).

In addressing these undue experimentation factors, we disagree with Appellant’s contention (Reply Br. 4-7 (not numbered)) that sending back the “report” in the form of a “positive signal” when the “network sensors” detect the effect is described with sufficient detail that the skilled artisan knows what experiments and in what amount are due (FF 2). In other words, Appellant attempts to dismiss the Examiner’s reasonable question with respect to how the total change in the amount of malicious traffic or malware propagation is measured and reflected in the “report.” Therefore, even if modifying the set of rules to decrease malicious activity is determined (FF 1), the absence of any factually supported technical explanation on the record for identifying how a report in the form of a positive signal back is generated, raises a question as to whether the guidance provided in Appellant’s Specification is adequate to enable a person of ordinary skill in the art to ascertain, without undue experimentation, “how to detect whether the modified set of rules decreases malicious network traffic or slows malware propagation.”

In view of the above discussion, it is our opinion that, under the factual situation presented in the present case, the subject matter of claims 1, 3-13, 15-18, 20-30, 32-35, 37-47, 49-52, and 55 is not adequately enabled by the description of the invention provided in the Specification of the present application. Thus, we sustain the rejection of claims 1, 3-13, 15-18, 20-30, 32-35, 37-47, 49-52, and 55 under 35 U.S.C. § 112, first paragraph, as containing subject matter which was not described in the specification in such a way as to enable one skilled in the art to make and/or use the invention.

Rejection under 35 U.S.C. § 112, second paragraph

The Examiner’s underlying basis for support of this rejection is that the claim term “more strongly associated” is indefinite as “the Specification does not provide a standard for ascertaining the requisite degree” (Ans. 3, 8). Appellant contends that the Specification, in pages 4 and 9, provides examples of how the score values associated with a second set of rules indicate stronger association of those rules with malicious activity (App. Br. 13-14; Reply Br. 9-11).

We agree with Appellant’s reasoning and rebuttal that score values associated with a second set of rules indicate how the external program calls are “more strongly associated” with malicious activity. As such, the skilled artisan, upon reading the claims in light of the Specification, would be able to ascertain the scope of the claimed invention, specifically the term “more strongly associated” recited in claims 1, 18, and 35. Therefore, we do not sustain the rejection of claims 1, 3-13, 15-18, 20-30, 32-35, 37-47, and 49-52 under the second paragraph of 35 U.S.C. § 112.

CONCLUSIONS

On the record before us, we conclude that the Examiner erred in rejecting claims 1, 3-13, 15-18, 20-30, 32-35, 37-47, and 49-52 as being indefinite. However, based on the findings of facts and analysis above, we conclude that, since Appellant’s disclosure does not comply with the enablement requirement of the statute, the Examiner did not err in rejecting claims 1, 3-13, 15-18, 20-30, 32-35, 37-47, 49-52, and 55 under 35 U.S.C. § 112, first paragraph.

DECISION

The Examiner’s decision rejecting claims 1, 3-13, 15-18, 20-30, 32-35, 37-47, 49-52, and 55 is affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED

tj