Ex Parte Stephens
Patent Trial and Appeal Board
Dec 19, 2014
11790037 (P.T.A.B. Dec. 19, 2014)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 11/790,037
FILING DATE: 04/23/2007
FIRST NAMED INVENTOR: Gregory D. Stephens
ATTORNEY DOCKET NO.: 2272.1240000
CONFIRMATION NO.: 7939

26111 7590 12/19/2014
STERNE, KESSLER, GOLDSTEIN & FOX P.L.L.C.
1100 NEW YORK AVENUE, N.W.
WASHINGTON, DC 20005

EXAMINER: EDWARDS, JAMES A
ART UNIT / PAPER NUMBER: 2448
MAIL DATE: 12/19/2014
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
________________

Ex parte GREGORY D. STEPHENS
________________

Appeal 2012-006306
Application 11/790,037 [1]
Technology Center 2400
________________

Before ALLEN R. MacDONALD, JOHN A. EVANS, and JASON J. CHUNG, Administrative Patent Judges.

CHUNG, Administrative Patent Judge.

DECISION ON APPEAL

This is a decision on appeal under 35 U.S.C. § 134(a) of the Final Rejection of claims 1–4, 6, 7, and 10–25. [2] We have jurisdiction under 35 U.S.C. § 6(b). An oral hearing was conducted on December 11, 2014.

We reverse.

[1] According to Appellant, the real party in interest is The MITRE Corporation. App. Br. 4.

[2] Claim 5 was previously cancelled. App. Br. 4. Claims 8 and 9 were objected to as being dependent from rejected base claim 1, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claim. Id. at 5.

INVENTION

The invention is directed to insider threat detection in computer networks. Spec. ¶ 1.

Claims 1 and 11 are illustrative of the invention and are reproduced below:

1. A method for passively attributing an anonymous network event to an associated user, comprising:
    filtering network events occurring over a pre-determined time interval according to at least one of Internet Protocol (IP) address and event attribution type to generate a filtered event list, wherein said event attribution type indicates a confidence level associated with the user attribution of an event; and
    attributing the anonymous network event to a user associated with an event in said filtered event list, wherein said user maximizes an event attribution function,
    wherein said attributing step further comprises:
        calculating, for each user associated with an event in said filtered event list, an event attribution function value, said event attribution function value indicating a confidence level associated with the attribution of the anonymous event to said each user; and
        selecting a user having the largest event attribution function value.

11. A method for passively attributing an anonymous network event to an associated user, comprising:
    filtering network events occurring over a pre-determined time interval according to Internet Protocol (IP) address and event attribution type to generate a filtered event list, wherein said event attribution type indicates a confidence level associated with the user attribution of an event; and
    attributing the anonymous network event to a user associated with a nearest-neighbor event relative to said anonymous network event in said filtered event list, wherein said nearest-neighbor event is at least one of (a) nearest in time to the anonymous network event and (b) nearest in distance to the anonymous network event in said filtered event list.

REJECTION AT ISSUE [3]

Claims 1–4, 6, 7, and 10–25 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of Muret (US 6,792,458 B1) and Muret (US 2009/0204704 A1). Ans. 4–18.

[3] The Examiner withdrew the rejection of claims 23–25 under 35 U.S.C. § 101 because a person of ordinary skill in the art would not interpret “a computer useable hardware medium” as a signal. Ans. 18.

ANALYSIS

Rejection of Claims 1–4, 6, 7, 10, 20–23, and 25 under 35 U.S.C. § 103(a)

The Examiner finds Muret (US 6,792,458 B1) teaches matching an event with a first user with an ID and timestamp in range, which the Examiner maps to “maximizes an event attribution function.” Ans. 6 and 19–20.

Appellant contends Muret (US 6,792,458 B1) fails to teach “maximiz[ing] an event attribution function” because matching a visitor to a website hit is not equivalent to maximizing. We agree with Appellant.

The cited portions of Muret (US 6,792,458 B1) relied upon by the Examiner teach matching an event with a first user with an ID and timestamp in range. See Muret (US 6,792,458 B1), col. 10, ll. 40–50; Ans. 6 and 19–20. However, the Examiner has not persuasively explained how a matching algorithm taught in column 10, lines 40–50 of Muret (US 6,792,458 B1) teaches “maximiz[ing] an event attribution function.” App. Br. 19–20. Put another way, matching is not an equivalent to maximizing.

Accordingly, for the reasons stated supra, we do not sustain the Examiner’s rejection of independent claims 1, 20, 23, and 25, and their corresponding dependent claims 2–4, 6, 7, 10, 21, and 22.

Rejection of Claims 11–19 and 24 under 35 U.S.C. § 103(a)

The Examiner finds Muret (US 6,792,458 B1) teaches matching an event with a first user with an ID and timestamp in range and if the timestamp is out of range, the search continues, which the Examiner maps to “nearest-neighbor event is at least one of (a) nearest in time to the anonymous network event and (b) nearest in distance to the anonymous network event in said filtered event list.” Ans. 8–9 and 20–21.

Appellant contends Muret (US 6,792,458 B1) fails to teach a “nearest-neighbor event is at least one of (a) nearest in time to the anonymous network event and (b) nearest in distance to the anonymous network event in said filtered event list” because matching an event with a visitor within a time range is not equivalent to a “nearest-neighbor” in time or distance. App. Br. 22–23. We agree with Appellant.

The cited portions of Muret (US 6,792,458 B1) relied upon by the Examiner teach matching an event with a first user with an ID and timestamp in range and if the timestamp is out of range, the search continues. See Muret (US 6,792,458 B1), col. 10, ll. 40–50; Ans. 8–9 and 20–21. However, the Examiner has not persuasively explained how a matching algorithm taught in column 10, lines 40–50 of Muret (US 6,792,458 B1) teaches a “nearest-neighbor event is at least one of (a) nearest in time to the anonymous network event and (b) nearest in distance to the anonymous network event in said filtered event list” (emphasis added). App. Br. 22–23. Moreover, Muret (US 6,792,458 B1) is merely matching a user with a timestamp in range. Id. Put another way, Muret (US 6,792,458 B1) merely teaches a “neighbor event” instead of a “nearest-neighbor event” (emphasis added).

Accordingly, for the reasons stated supra, we do not sustain the Examiner’s rejection of independent claims 11 and 24, and their corresponding dependent claims 12–19.

DECISION

The Examiner’s decision rejecting claims 1–4, 6, 7, and 10–25 under 35 U.S.C. § 103(a) is reversed.

REVERSED

kis
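
Added illustration, not part of the decision or of the application: a Python sketch of the distinction the Board draws between matching the first event in range, selecting the nearest-neighbor event in time (claim 11), and selecting the user with the largest attribution function value (claim 1). The event records, the confidence values per attribution type, the 300-second window and the scoring formula are all assumptions made for the example; the decision does not define them.

```python
from collections import defaultdict

# Constructed sample data: (timestamp_s, ip, user, attribution_type)
EVENTS = [
    (400, "10.0.0.5", "erin", "login"),
    (760, "10.0.0.5", "alice", "dhcp"),
    (900, "10.0.0.5", "bob", "login"),
    (990, "10.0.0.5", "carol", "dhcp"),
    (995, "10.0.0.9", "dave", "login"),
]
# Assumed confidence per attribution type (not from the decision).
CONFIDENCE = {"login": 0.9, "dhcp": 0.3}
WINDOW = 300  # assumed pre-determined time interval, in seconds


def filter_events(events, anon_time, anon_ip, types=CONFIDENCE):
    """Keep events on the same IP, of an accepted type, inside the window."""
    return [e for e in events
            if e[1] == anon_ip and e[3] in types
            and abs(e[0] - anon_time) <= WINDOW]


def first_in_range(filtered):
    """Range matching: take the first event that falls inside the window."""
    return filtered[0][2] if filtered else None


def nearest_neighbor(filtered, anon_time):
    """Nearest-neighbor in time: the event closest to the anonymous event."""
    if not filtered:
        return None
    return min(filtered, key=lambda e: abs(e[0] - anon_time))[2]


def max_attribution(filtered, anon_time):
    """Score every candidate user and select the largest function value."""
    scores = defaultdict(float)
    for t, _ip, user, atype in filtered:
        # Assumed function: type confidence with linear decay over the window.
        scores[user] += CONFIDENCE[atype] * (1 - abs(t - anon_time) / WINDOW)
    return max(scores, key=scores.get) if scores else None


def attribute_all(anon_time=1000, anon_ip="10.0.0.5"):
    """Run all three strategies on the same filtered event list."""
    f = filter_events(EVENTS, anon_time, anon_ip)
    return (first_in_range(f), nearest_neighbor(f, anon_time),
            max_attribution(f, anon_time))
```

On this constructed data the three strategies name three different users for the same anonymous event, which is why an in-range match cannot stand in for either a nearest-neighbor or a maximizing selection.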