HEWLETT PACKARD ENTERPRISE DEVELOPMENT LPDownload PDFPatent Trials and Appeals BoardJun 9, 20212020000489 (P.T.A.B. Jun. 9, 2021) Copy Citation UNITED STATES PATENT AND TRADEMARK OFFICE UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 15/437,230 02/20/2017 Tomasz Jaroslaw Bania 90323968 9241 146568 7590 06/09/2021 MICRO FOCUS LLC 500 Westover Drive #12603 Sanford, NC 27330 EXAMINER LANIER, BENJAMIN E ART UNIT PAPER NUMBER 2437 NOTIFICATION DATE DELIVERY MODE 06/09/2021 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): software.ip.mail@microfocus.com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE ____________ BEFORE THE PATENT TRIAL AND APPEAL BOARD ____________ Ex parte TOMASZ JAROSLAW BANIA, WILLIAM G. HORNE, PRATYUSA K. MANADHATA, and TOMAS SANDER Appeal 2020-000489 Application 15/437,230 Technology Center 2400 ____________ Before JUSTIN BUSCH, CARL L. SILVERMAN, and JAMES W. DEJMEK, Administrative Patent Judges. SILVERMAN, Administrative Patent Judge. DECISION ON APPEAL Pursuant to 35 U.S.C. § 134(a), Appellant1 appeals from the Examiner’s decision to reject claims 1–15, which constitute all pending claims. We have jurisdiction under 35 U.S.C. § 6(b). We reverse. 1 We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42(a) (2018). Appellant identifies the real party in interest as EntIT Software LLC. Appeal Br. 3. Appeal 2020-000489 Application 15/437,230 2 STATEMENT OF THE CASE Appellant’s disclosure is directed to monitoring security of a computer system. Abstr., Spec. ¶¶ 12, 14, 19–21; Figs. 1, 5. Claim 1 is illustrative of the invention and reads as follows (emphasis added): 1. A method comprising: determining relations among a plurality of entities associated with a computer system; selectively grouping behavior anomalies exhibited by the plurality of entities into collections based at least in part on the determined relations among the entities; and selectively reporting the collections to a security operations center. Appeal Br. 18 (Claims Appendix). REFERENCES AND REJECTIONS The prior art relied upon by the Examiner is: Name Reference Date Van De Weyer US 8,468,606 B2 June 18, 2013 Muddu US 2017/0134415 A1 May 11, 2017 Claims 1–8 and 10–14 stand rejected under 35 U.S.C. § 102 as unpatentable over Muddu. Final Act. 4–17. Claims 9 and 15 stand rejected under 35 U.S.C. § 103 as unpatentable over Muddu and Van De Weyer. Final Act. 17–20. Appeal 2020-000489 Application 15/437,230 3 ANALYSIS We have reviewed the Examiner’s rejection in light of Appellant’s contentions in the Appeal Brief and the Reply Brief that the Examiner has erred, as well as the Examiner’s response to Appellant’s arguments in the Appeal Brief. Arguments which Appellant could have made, but did not make are deemed to be waived. See 37 C.F.R. § 41.37(c)(1)(iv). On the record before us, we are persuaded the Examiner has erred and provide the following for highlighting and emphasis. Appellant argues the Examiner errs in finding Muddu discloses claim 1’s limitation of “selectively grouping behavior anomalies exhibited by the plurality of entities into collections based at least in part on the determined relations among the entities” (also referred to as “disputed limitation”). Appeal Br. 8–10; Reply Br. 1–2. Appellant argues that, although Muddu describes how anomalies are detected, Muddu fails to disclose the disputed limitation, which includes “selectively grouping behavior anomalies exhibited by the plurality of entities into collections based at least in part on the determined relations among the entities.” Appeal Br. 9–10 (citing Muddu ¶¶ 214, 211, 178, 182, 179). Regarding the disputed limitation, the Examiner finds Muddu discloses wherein security platform 300 can detect anomalies and threats by determining behavior baselines (“selectively grouping behavior anomalies[collections of behavior anomalies]”) of various entities based on the interaction between entities (users, devices, networks ... ) and then compare activities of those entities to their behavior baseline to determine whether the activities are anomalous or even rise to the level of threat). Id. at 4–5. Appeal 2020-000489 Application 15/437,230 4 In the Answer, the Examiner finds Appellant’s argument is not persuasive because Muddu discloses that the graph generator identifies events that occur based on actions performed by one entity with respect to another entity (Muddu: [0215]) such that relationship graphs are generated based upon these identified events (Muddu: [0218]). These relationship graphs would represent determined relations among the entities associated with the identified events. The relationship graphs for these particular actions are combinable into a composite relationship graph for a particular entity ([0221]). This described combination of relationship graphs into a composite graph can be considered a grouping of behavior anomalies exhibited by a plurality of entities into collections based at least in part on relations among the entities as claimed. Ans. 4–5. In the Reply Brief, Appellant reiterates and argues the Examiner’s reference to Muddu, paragraphs 215, 218, and 221 in the Answer does not disclose the disputed limitation. Reply Br. 1–2. According to Appellant, although conceivable a behavior anomaly may be detected or identified based on the relationships among the entities, as depicted in the relationship graph of Fig. 9B, Muddu fails to selectively group multiple behavior anomalies exhibited by a plurality of entities into collections based at least in part on the determined relations among the entities. Id. at 2. Appellant argues, identifying an anomaly, such as a beaconing anomaly, fails to disclose grouping multiple behavior anomalies into collections, whether based on relations among entities or on some other criteria. Id. As discussed below, on the record before us, we are persuaded by Appellant’s arguments regarding claim 1 because the Examiner does not provide sufficient evidence as required for anticipation Appeal 2020-000489 Application 15/437,230 5 Muddu generally relates to “detect[ing] security related anomalies and threats in a computer network environment.” Muddu, Abstract; see also Muddu ¶¶ 3, 140, 151, 182. Muddu describes an anomaly may represent an event of possible concern, which, when analyzed separately or as a set of anomalies, may indicate a threat. Muddu ¶ 149. Muddu describes that anomalies and threats are detected by determining baseline behaviors for a particular type of entity and determining whether an event is an aberration to the established baseline. See Muddu ¶¶ 182–186. Muddu describes the types of entities may be “a user, a group of users, a device, a group of devices, an application and/or a group of applications.” Muddu ¶ 184 (emphasis added). Muddu further describes that “discovered anomalies and threats may be presented to a network operator” so that appropriate action may be taken. Muddu ¶¶ 151, 171. Muddu describes an embodiment comprising an analysis module. Muddu ¶ 178, Fig. 5. According to Muddu, the analysis module (which may be expanded into two components) performs anomaly detection (i.e., by the first component of the analysis module) and threat detection (i.e., by the second component of the analysis module). Muddu ¶ 178. Muddu describes the output of the anomaly detection section may be stored in a graph database. Muddu ¶ 179. Further, event-data relationship graphs may be aggregated “in order to compose a composite relationship graph for a given enterprise or associated network.” Muddu ¶¶ 179, 221. In addition, Muddu describes the composite graph may include nodes representing anomalies. Muddu ¶ 179; see also Muddu ¶ 214 (describing a relationship graph generator “operable to identify a number of relationships between the entities, and to explicitly record these relationships between the entities”). Muddu describes the graph generator “can identify a relationship between Appeal 2020-000489 Application 15/437,230 6 entities involved in an event.” Muddu ¶ 215. Moreover, Muddu describes a relationship can be identified based on a comparison to a table of identifiable relationships. Muddu ¶ 215. A claim is anticipated only if each and every element as set forth in the claims is found, either expressly or inherently described in a single prior art reference, and arranged as required by the claim. Verdegaal Bros., Inc. v. Union Oil Co. of Cal., 814 F.2d 628, 631 (Fed. Cir. 1987). To anticipate, a prior art reference must disclose more than “multiple, distinct teachings that the artisan might somehow combine to achieve the claimed invention.” NetMoneyIN, Inc. v. VeriSign, Inc., 545 F.3d 1359, 1371 (Fed. Cir. 2008); see also In re Arkley, 455 F.2d 586, 587 (CCPA 1972) (“The [prior art] reference must clearly and unequivocally disclose the claimed [invention] or direct those skilled in the art to the [invention] without any need for picking, choosing, and combining various disclosures not directly related to each other by the teachings of the cited reference.”). Here, the Examiner has not identified within Muddu selectively grouping the anomalies based on the relationship between the entities as recited in the claim. Although Muddu may suggest such a grouping, a rejection under § 103 is not before us. Therefore, we do not sustain the anticipation rejection of claim 1, independent claims 10 and 13 which recite limitations similar to claim 1, and dependent claims 2–8 and 11–14. In the obviousness rejection of dependent claims 9 and 15 over Muddu and Van De Weyer, the Examiner applies the Van De Weyer reference to the additional limitations of the dependent claims and provides no additional evidence regarding the independent claims from which these claims depend, and which are discussed supra. Final Act. 15–20. Therefore, we do not sustain the rejection of dependent claims 9 and 15. Appeal 2020-000489 Application 15/437,230 7 CONCLUSION For the reasons stated above, we do not sustain the anticipation rejections of claims 1–8 and 10–14 and the obviousness rejections of claims 9 and 15.2 Because our decision with regard to the disputed limitation is dispositive of the rejections made, we do not address additional arguments raised by Appellant. 2 We note that the Final Rejection was mailed shortly after the Office issued Revised Guidance on determining whether claims recite patent-eligible subject matter under 35 U.S.C. § 101. In the event of further prosecution, we invite the Examiner to determine whether the pending claims comport with the requirements of patent eligibility. In particular, we leave it to the Examiner to determine whether claim 1 merely recites a mental process (i.e., observation, evaluation, or judgment) of observing the architecture and organization of a computer network and organizing information related to observed conditions based on the arrangement of entities within the computer network. We further invite the Examiner to determine whether there are any additional elements recited in the claim that would integrate into a practical application the mental processes of observing and organizing information related to a computer network, or if the reporting of the observed data to a security operations center is merely post-solution activity that is insufficient to confer patent eligibility. Although the Board is authorized to reject claims under 37 C.F.R. § 41.50(b), no inference should be drawn when the Board elects not to do so. See Manual of Patent Examining Procedure (MPEP) § 1213.02. Appeal 2020-000489 Application 15/437,230 8 DECISION SUMMARY In summary: Claims Rejected 35 U.S.C. § Reference(s)/Basis Affirmed Reversed 1–8, 10–14 102 Muddu 1–8, 10–14 9, 15 103 Muddu, Van De Weyer 9, 15 Overall Outcome 1–15 REVERSED Copy with citationCopy as parenthetical citation