INTERNATIONAL BUSINESS MACHINES CORPORATIONDownload PDFPatent Trials and Appeals BoardJun 23, 20212020001127 (P.T.A.B. Jun. 23, 2021) Copy Citation UNITED STATES PATENT AND TRADEMARK OFFICE UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 14/721,091 05/26/2015 Robert R. Friedlander YOR920150278US1 3071 118492 7590 06/23/2021 Law Office of Jim Boice JAMES EDWARD BOICE 1902 Stoneridge Road Austin, TX 78746 EXAMINER POPHAM, JEFFREY D ART UNIT PAPER NUMBER 2432 NOTIFICATION DATE DELIVERY MODE 06/23/2021 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): jim@boiceip.com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE ____________ BEFORE THE PATENT TRIAL AND APPEAL BOARD ____________ Ex parte ROBERT R. FRIEDLANDER, JAMES R. KRAEMER, JEB R. LINTON, and CHRISTOPHER M. POULIN ___________ Appeal 2020-001127 Application 14/721,091 Technology Center 2400 ____________ Before JEAN R. HOMERE, JAMES B. ARPIN, and MICHAEL J. ENGLE, Administrative Patent Judges. ARPIN, Administrative Patent Judge. DECISION ON APPEAL Appellant1 appeals under 35 U.S.C. § 134(a) from the Examiner’s decision rejecting claims 1–18 and 20. Final Act. 2.2 Claim 19 is cancelled, 1 “Appellant” refers to “applicant” as defined in 37 C.F.R. § 1.42. Appellant identifies the real party-in-interest as International Business Machines Corporation. Appeal Br. 2. 2 In this Decision, we refer to Appellant’s Appeal Brief (“Appeal Br.,” filed July 10, 2019) and Reply Brief (“Reply Br.,” filed November 14, 2019); the Final Office Action (“Final Act.,” mailed January 14, 2019) and the Examiner’s Answer (“Ans.,” mailed September 17, 2019); and the Specification (“Spec.,” filed May 26, 2015). Rather than repeat the Examiner’s findings and Appellant’s contentions in their entirety, we refer to these documents. Appeal 2020-001127 Application 14/721,091 2 and claims 21 and 22 are withdrawn from consideration. Id. We have jurisdiction under 35 U.S.C. § 6(b). We affirm. STATEMENT OF THE CASE The claimed methods, storage devices, and systems “relate[] to the field of detecting malicious attacks on computers that are accessible via networks.” Spec. ¶ 1. Appellant’s Figure 2 is reproduced below. Figure 2 depicts “an exemplary process for creating a synthetic event that describes multiple attack types.” Id. ¶ 4. In particular, the Specification explains, Appeal 2020-001127 Application 14/721,091 3 the attack surfaces 202a-202d are similar types of resources.[3] For example, assume that attack surfaces 202a-202d are all servers. However, detected anomaly 204a is an attempt to change an Internet Protocol (IP) address for the server that is represented by attack surface 202a, detected anomaly 204b is an attempt to access the server that is represented by attack surface 202b by using an incorrect password, detected anomaly 204c is an attempt to take offline (i.e., disconnect from a network) the server that is represented by attack surface 202c, and detected anomaly 204d is an attempt to extract protected data stored within the server that is represented by attack surface 202d. The detected anomalies 204a-204d may have been thwarted by security systems (e.g., security system 212 shown in FIG. 2, which may be implemented as computer 102 shown in FIG. 1) associated with the servers that are represented by the attack surfaces 202a-202d. However, these security systems did not raise any alarms, since such anomalies are common. Nonetheless, it is the disparity among the detected anomalies 204a-204d that is used by one or more embodiments of the present invention to raise an alarm that the detected anomalies 204a-204d are part of a family/cohort of nefarious attacks, particularly due to the low frequency of the detected anomalies 204a-204d (i.e., they are not ‘high intensity attacks’ that by definition occur within a short time period). Id. ¶¶ 47–48; see id. ¶¶ 30, 38, 63 (defining “high intensity attacks”). As noted above, claims 1–18 and 20 are pending. Claims 1, 15, and 17 are independent. Appeal Br. 24 (claim 1), 26–27 (claim 15) 27–28 (claim 17) (Claims App.). Claims 2–14 and 20 depend directly or indirectly 3 Alternatively, “attack surfaces” may be different types of resources. Spec. ¶ 42; see id. ¶ 45 (attack surfaces “include, but are not limited to, personal computers, tablet computers, servers, smart phones, computer networks, mechanical equipment, and/or firmware/software (e.g., application programs, e-mail system, operating systems, basic input output systems – BIOS, etc.)”). Appeal 2020-001127 Application 14/721,091 4 from claim 1, claim 16 depends directly from claim 15, and claim 18 depends directly from claim 17. Id. at 24–28. Claim 1, reproduced below with disputed limitations emphasized, is illustrative. 1. A method of probabilistically detecting a low intensity threat event to an attack surface, the method comprising: receiving, by one or more processors, a notification of disparate anomalies experienced by each of multiple attack surfaces over an extended period of time, wherein the disparate anomalies are different types of anomalies compared to one another, and wherein the extended period of time exceeds a maximum threshold time period required to identify a high intensity attack against one or more of the multiple attack surfaces; generating, by the one or more processors, a synthetic event, wherein the synthetic event comprises a listing of all of the disparate anomalies experienced by the multiple attack surfaces and a rule-based reason for combining the listing of all of the disparate anomalies; receiving, by the one or more processors, a notification that at least one particular attack surface is experiencing a predefined quantity of the disparate anomalies found in the synthetic event; and in response to receiving the notification that the at least one particular attack surface is experiencing the predefined quantity of the disparate anomalies found in the synthetic event, generating, by the one or more processors, an alert that a malicious attack is being attempted against one or more of the multiple attack surfaces. Id. at 24 (emphases added). Independent claims 15 and 17 recite limitations corresponding to the disputed limitations of claim 1. Id. at 26–27, 27–28. Appeal 2020-001127 Application 14/721,091 5 REFERENCES AND REJECTIONS The Examiner relies upon the following references: Name4 Reference Published/Issued Filed Mitomo US 2005/0091513 A1 Apr. 28, 2005 Apr. 12, 2004 Senturk- Doganaksoy US 2009/0030752 A1 Jan. 29, 2009 July 27, 2007 Cochenour US 2015/0172300 A1 June 18, 2015 Jan. 9, 2014 Lin US 9,112,895 B1 Aug. 18, 2015 June 25, 2012 The Examiner rejects (1) claims 1–10, 12, and 14–18 under 35 U.S.C. § 103 as obvious over Lin and Mitomo (Final Act. 16–27); (2) claims 11 and 13 under 35 U.S.C. § 103 as obvious over Lin, Mitomo, and Cochenour (id. at 27–28); and (3) claim 20 under 35 U.S.C. § 103 as obvious over Lin, Mitomo, and Senturk-Doganaksoy (id. at 28–29). We review the appealed rejections for error based upon the issues identified by Appellant, and in light of the contentions and evidence produced thereon. Ex parte Frye, 94 USPQ2d 1072, 1075 (BPAI 2010) (precedential). The Examiner and Appellant focus their findings and contentions on claims 1, 2, 5, 6, 10, and 16; so do we. See Appeal Br. 8, 14, 16, 18, 19; Ans. 17–21. Arguments not made are forfeited.5 Unless 4 All reference citations are to the first named inventor only. 5 See Ans. 3 (discussing lack of challenges to the rejections of claims 11, 13, and 20); see also In re Google Tech. Holdings LLC, 980 F.3d 858, 863 (Fed. Cir. 2020) (“We interpret the Patent Office to be arguing that Google’s failure to raise its lexicography arguments, inadvertent or not, compels a finding of forfeiture.”); 37 C.F.R. § 41.37(c)(1)(iv) (2018) (“Except as provided for in §§ 41.41, 41.47 and 41.52, any arguments or authorities not included in the appeal brief will be refused consideration by the Board for purposes of the present appeal.”). Appeal 2020-001127 Application 14/721,091 6 otherwise indicated, we adopt the Examiner’s findings in the Final Office Action and the Answer as our own and add any additional findings of fact for emphasis. We address the rejections below. ANALYSIS A. Withdrawal of Claim 22 from Consideration Claim 21 was withdrawn from consideration as directed to a non- elected invention, and the Examiner withdraws claim 22 from consideration for substantially the same reasons as claim 21. See Final Act. 2–3, 14–15. Appellant contends, however, (1) the Examiner errs in withdrawing claim 22 from consideration and (2) if claim 22 is not allowable due to its dependence from claim 1, we should return claim 22 to the Examiner because the Final Office Action’s examination of the pending claims is incomplete. Appeal Br. 21–22. Nevertheless, a challenge to a restriction requirement is an issue petitionable to the Technology Center Director and not an issue appealable to the Board. Manual of Patent Examining Procedure (MPEP) § 1002.02(c)(2) (9th ed. Rev. 10.2019, June 2020); see Ex parte Johnson, Appeal No. 2017-011464, 2018 WL 3085134, at *2 (PTAB 2018). Therefore, we do not address the withdrawal or the patentability of claim 22 in this decision. B. Obviousness over Lin and Mitomo 1. Independent Claim 1 As noted above, the Examiner rejects independent claim 1 as obvious over the combined teachings of Lin and Mitomo. Final Act. 3–10, 16–19. In particular, the Examiner finds Lin teaches or suggests the majority of the Appeal 2020-001127 Application 14/721,091 7 limitations, as recited in claim 1. Id. at 3–10, 16–18 (citing Lin, 2:24–60, 3:40–4:21, 4:35–5:39, 5:66–7:57, 8:11–9:3, 9:30–10:39, 10:53–67, 11:5– 12:18). The Examiner finds, however, Lin “does not appear to explicitly disclose that the synthetic event includes a rule based reason for combining the listing of all of the disparate anomalies.” Id. at 19. Nevertheless, the Examiner finds Mitomo teaches or suggests the limitation missing from Lin’s teachings. Id. (citing Mitomo ¶¶ 194–205, Figs. 1, 5–8). Further, the Examiner finds a person of ordinary skill in the relevant art would have had reason to combine the teachings of Lin and Mitomo to achieve the methods of claim 1. Id. Appellant contends the Examiner fails to show that Lin and Mitomo teach or suggest the disputed limitations of claim 1 for three reasons. Appeal Br. 8–13; see Reply Br. 2–3. On this record, Appellant does not persuade us the Examiner errs in the findings regarding Lin’s teachings and Mitomo’s teachings. First, Appellant contends the Examiner errs in relying on Lin to teach or suggest, receiving . . . a notification of disparate anomalies experienced by each of multiple attack surfaces over an extended period of time, wherein the disparate anomalies are different types of anomalies compared to one another, and wherein the extended period of time exceeds a maximum threshold time period required to identify a high intensity attack against one or more of the multiple attack surfaces. Appeal Br. 8–9; see Reply Br. 2–3. In particular, Appellant asserts, “the present invention is directed to detecting events that do not rise to the level of being a ‘high intensity attack’, but rather collectively make up a low intensity attack over an ‘extended period of time’.” Appeal Br. 8. Thus, Appeal 2020-001127 Application 14/721,091 8 although Appellant implicitly acknowledges that detecting “high intensity attacks” was known, Appellant contends, “Lin never teaches or suggests identifying known high intensity attacks. Rather, Lin merely states that an event that is not normal is anomalous, with no discussion of whether the event/attack is high intensity. (See col. 9, lines 30-67 of Lin.)” Reply Br. 2; see also Senturk-Doganaksoy ¶ 30 (“A heatmap illustrates the anomaly- intensity and the direction of a ‘target observation.’”).6 We disagree with Appellant. The Specification discloses: A low intensity attack is defined as a malicious attack against one or more resources over an extended period of time. This extended period of time exceeds that used in a high intensity attack. That is, a high intensity attack is identified by the fact that it has many attacks over a short period of time. In the case of a DDoS attack, the period of time may be a few seconds. In the case of a DDoS attack against various resources, the same malware is deployed against the various resources within a short amount of time (e.g., within a few minutes). Spec. ¶ 38 (emphases added). However, the Specification also discloses: The extended period during which the disparate anomalies occur may exceed a maximum threshold time period required to identify a high intensity attack against one or more of the multiple attack surfaces. For example, assume that in order for an event to be recognized as a high intensity attack (or any type of attack) by a security system (e.g., security system 212 in FIG. 2), a predefined quantity of events (disparate anomalies) must occur within one hour or less. If this quantity of disparate anomalies occur[s] over a time period that is longer than one 6 See Okajima v. Bourdeau, 261 F.3d 1350, 1355 (Fed. Cir. 2001) (“[T]he absence of specific findings on the level of skill in the art does not give rise to reversible error ‘where the prior art itself reflects an appropriate level and a need for testimony is not shown’” (quoting Litton Indus. Prods., Inc. v. Solid State Sys. Corp., 755 F.2d 158, 163 (Fed. Cir. 1985))). Appeal 2020-001127 Application 14/721,091 9 hour (or week or month or year, depending on what time period has been deemed appropriate for a high intensity attack), then they do not cause the security system to initially raise an alarm, even though the security system may have determined that the event is in fact an anomaly (although not necessarily a malicious attack). Id. ¶ 63 (emphases added). Thus, although the Specification discloses that a high intensity attack occurs at a higher rate over “a short period of time,” the Specification also discloses that such “a short period of time” may be a few seconds or as long as a year, as may be appropriate for the particular attack. Lin discloses: In some embodiments, anomaly detection server 116 is configured to store anomalous events that occur across different times and/or different resources internal to enterprise network 108 or resources external to enterprise network 108. Over time, anomaly detection server 116 may be retrained using new event data (e.g., event data that was previously current) and therefore updated. In some embodiments, anomaly detection server 116 is configured to periodically detect links among the determined set of anomalous events to find series of anomalous events (which are also sometimes referred to as paths of interest) that may be related even if a subset of any one path did not seem related. For example, a path of interest may comprise events that took place over different time slots (where each time slot is a fixed period of time) and/or across different resources internal to enterprise network 108 or resources external to enterprise network 108. Lin, 3:59–4:7 (emphasis added). Further, Appellant acknowledges, “Lin describes lots of different types of anomalies.” Appeal Br. 10 (citing Lin, 4:46–5:39); see Ans. 9 (citing Lin, 4:3–7). Thus, Lin teaches that anomalous events may be detected over time, and anomaly detection server 116 may be trained to detect paths of interest based on events “that may be related even if a subset of any one path did not seem related.” Id. at 4:2–3. Appeal 2020-001127 Application 14/721,091 10 For example, Lin’s Figure 7 is reproduced below. Figure 7 depicts “a diagram showing an example of links determined between anomalous events presented in a table.” Id. at 1:44–45. Lin discloses: In the example [depicted in Figure 7], a determined link between two anomalous events is shown as a dotted line, such as dotted link 702 that is drawn between the anomalous event determined by Sensor 6 during Day 1 and the anomalous event determined by Sensor 4 during Day 2. As shown in the example, an anomalous event may be determined to be linked to zero or more other anomalous events. As shown in the example, an anomalous event may be linked to another anomalous event (potentially associated with the same or different entities/resources at the same enterprise network) that occurred during another time slot and/or detected by another sensor. Id. at 11:27–38 (emphases added). In view of Lin’s teachings concerning “paths of interest,” the Examiner finds Lin “clearly shows that the paths of interest in Lin comprise disparate anomalies occurring over a time period longer than that required to detect a single anomalous activity or specific type of activity.” Ans. 12 Appeal 2020-001127 Application 14/721,091 11 (citing Lin 2:52–60); see In re Preda, 401 F.2d 825, 826 (CCPA 1968) (“in considering the disclosure of a reference, it is proper to take into account not only specific teachings of the reference but also the inferences which one skilled in the art would reasonably be expected to draw therefrom”). We agree with the Examiner. Consequently, we are not persuaded of Examiner error by this first reason. Second, Appellant contends the combined teachings of Lin and Mitomo do not teach or suggest, “the synthetic event comprises a listing of all of the disparate anomalies experienced by the multiple attack surfaces.” Appeal Br. 11 (quoting claim 1). In particular, Appellant contends, “There is no teaching/suggestion of a synthetic event that includes a listing of all of the disparate anomalies (i.e., ‘different types of anomalies’), as presently claimed.” Id. at 12. The Examiner responds, however, It has already been shown that Lin includes such a synthetic event that includes a listing of all of the disparate anomalies. For example, the path of interest in Lin includes disparate anomalous events (e.g., “there is not necessarily an attribute common to all anomalous events within the path” as in column 11, lines 62-63). Indeed, as explained above, the disparate anomalies of the claims may in fact share the same feature as well (e.g., claims 6 and 10), thus showing that all of the events within the path of interest are disparate anomalies as defined in the claims. Moreover, as explained previously and above, the claims do not prohibit there being non-disparate anomalies in the event. Claim 1, for example, uses open-ended comprising language in stating “wherein the synthetic event comprises a listing of all of the disparate anomalies . . .”. Since this is open-ended, the synthetic event may comprise additional information and, outside an explicit prohibition to the contrary, may certainly include anomalous events that share a common feature. Appeal 2020-001127 Application 14/721,091 12 Ans. 19–20 (emphases added); see id. at 6. Thus, the Examiner finds Lin’s paths of interest teach or suggest the recited synthetic events. Again, we agree with the Examiner. Further, as noted above, Appellant contends, “Lin describes lots of different types of anomalies, but never teaches/suggests a listing of disparate anomalies.” Appeal Br. 10. The Examiner responds, however, “Lin clearly describes disparate anomalies, for example, in Lin’s disclosure of disparate anomalies (e.g., ‘form a series of linked anomalous events . . . and therefore a path of interest even though there is not necessarily an attribute common to all anomalous events within the path’[).]” Ans. 22 (citing Lin, 11:58–63) see also Lin, 3:40–45 (describing anomalies as security threats), 4:46–5:39 (describing disparate anomalies); cf. Spec. ¶¶ 51 (disparate anomalies as various types of malware), 56–63 (describing disparate anomalies). Thus, the Examiner finds the paths of interest, as depicted in Lin’s Figure 7, are derived from a table of anomalous events “experienced by the multiple attack surfaces,” as depicted in the table of Lin’s Figure 6; and, therefore, the Examiner finds Lin teaches or suggests “a listing of all of the disparate anomalies experienced by the multiple attack surfaces.” Ans. 23; see Appeal Br. 24 (Claims App.) (emphasis added). Consequently, we are not persuaded of Examiner error by this second reason. Third, Appellant contends the combined teachings of Lin and Mitomo do “not teach or suggest that ‘the synthetic event comprises . . . a rule-based reason for combining the listing of all of the disparate anomalies.” Appeal Br. 12 (quoting claim 1). In particular, Appellant contends, “Paragraphs [0194] - [0205] of Mitomo teach a process for predicting a second unauthorized access while a first unauthorized access is occurring (see Appeal 2020-001127 Application 14/721,091 13 paragraph [0195] of Mitomo). None of these passages from Mitomo teach[es] or suggest[s] a ‘rule-based reason for combining the listing of all of the disparate anomalies’.” Id. (emphasis added). The Examiner responds: Cited figure 1 [of Mitomo] shows a report output unit, which outputs the report mentioned in the abstract and further citations below. Cited figure 5 [of Mitomo] shows storage of scenario definitions, ongoing scenarios, and providing of an unauthorized access report which occurs when one of those scenarios is met. Figure 6 [of Mitomo] shows that the scenario definitions include specific names. Figure 7 [of Mitomo] shows that the ongoing scenarios include scenario names as well. Figure 8 [of Mitomo] shows the process of determining whether a scenario is met and creating an unauthorized access report. . . . Paragraphs 194-205 of Mitomo disclose scenario detection, prediction, comparison, and tracking, as well as sending of a report and preventative measures. Paragraph 203, for example, describes outputting of an unauthorized access report if a scenario is met, such report having already been described above with respect to figure 8 and paragraph 116, for example. Ans. 24–25 (emphases added). In particular, Mitomo’s Figure 8 discloses the step of “Determin[ing] based on one ongoing scenario whether the scenario advances due to the input event.” Mitomo, Fig. 8 (step S15). Thus, Mitomo discloses that additional events are added to a pattern, e.g., a listing, based on comparison to the requirements of an ongoing scenario, e.g., a rule- based analysis. The Examiner finds, “Mitomo clearly discloses that the synthetic event (e.g., Lin’s path of interest, corresponding to Mitomo’s report) includes a rule based reason for combining the listing of all of the anomalies Appeal 2020-001127 Application 14/721,091 14 (e.g., the name of the unauthorized access scenario that was met by the events).” Ans. 25. To the extent, Appellant challenges the teachings of Lin and Mitomo individually, such a challenge is not persuasive. Appellant cannot show nonobviousness by attacking references individually when the rejection is based on the references’ combined teachings. See In re Merck & Co., Inc., 800 F.2d 1091, 1097 (Fed. Cir. 1986); In re Keller, 642 F.2d 413, 426 (CCPA 1981). We agree with the Examiner that Lin and Mitomo together teach or suggest, “the synthetic event comprises . . . a rule-based reason for combining the listing of all of the disparate anomalies.” Consequently, we are not persuaded of Examiner error by this third reason. On this record, we are not persuaded the Examiner errs in rejecting claim 1 as obvious over the combined teachings of Lin and Mitomo, and we sustain that rejection. Further, Appellant does not challenge the obviousness rejection of independent claims 15 and 17, separately, or of dependent claims 3, 4, 7–9, 12, 14, and 18, separately from its challenge to their base claims. Appeal Br. 14. Therefore, we also sustain the rejection of those dependent claims. 2. Dependent Claims 2 and 16 Claim 2 recites, in the methods of claim 1, “collecting, by the one or more processors, the disparate anomalies from disparate physical locations; and in response to the collected disparate anomalies from the disparate physical locations exceeding a predetermined level, generating, by the one or more processors, the synthetic event.” Appeal Br. 24 (Claims App.) (emphases added). Claim 16 depends from independent claim 15 and recites limitations corresponding to those recited in claim 2. Id. at 27. Appeal 2020-001127 Application 14/721,091 15 The Examiner rejects claims 2 and 16 as obvious over the combined teachings of Lin and Mitomo. Final Act. 10–12, 19–20. In particular, the Examiner finds Lin teaches or suggests, “collecting . . . the disparate anomalies from disparate physical locations” (Ans. 34 (citing Lin, 2:24–25, 3:40–50, Fig. 8)) and “the collected disparate anomalies from the disparate physical locations exceeding a predetermined level” (Final Act. 20 (citing, e.g., Lin, 7:21–25 (describing a “threshold score”))). (Emphases added.) Appellant challenges the rejection of claims 2 and 16. Appeal Br. 14–16; see Reply Br. 3–4 (reiterating previous contentions). In its challenge, Appellant repeats the limitations recited in claims 2 and 16, summarizes the Examiner’s citations to Lin, and contends: None of these passages teach or suggest “generating . . . the synthetic event” (which includes “a listing of all of the disparate anomalies experienced by the multiple attack surfaces and a rule- based reason for combining the listing of all of the disparate anomalie[s]”), particularly “in response to the collected disparate anomalies from the disparate physical locations exceeding a predetermined level”. Appeal Br. 14–15. The Examiner responds, “Appellant is still not providing any actual argument here other than a general allegation and, even in this general allegation, appears to rely entirely on claim 1’s subject matter.” Ans. 35. We agree with the Examiner. Appellant’s challenge is little more than a naked assertion that the disputed limitations are not taught or suggested by the applied references. See 37 C.F.R. § 41.37(c)(1)(iv) (2018) (“A statement [that] merely points out what a claim recites will not be considered an argument for separate patentability of the claim.”); In re Lovin, 652 F.3d 1349, 1357 (Fed. Cir. Appeal 2020-001127 Application 14/721,091 16 2011) (“[W]e hold that the Board reasonably interpreted Rule 41.37 to require more substantive arguments in an appeal brief than a mere recitation of the claim elements and a naked assertion that the corresponding elements were not found in the prior art.”). Further, to the extent Appellant relies on alleged deficiencies in the base claims, we addressed those challenges above. We are not persuaded the Examiner errs in rejecting claims 2 and 16 over the combined teachings of Lin and Mitomo. Further, the Examiner adequately shows that Lin and Mitomo teach or suggest the additional limitations of claims 2 and 16. Final Act. 10–12, 19–20; see Ans. 32–35. Consequently, we sustain the rejection of claims 2 and 16. 3. Dependent Claim 5 Claim 5 recites, in the methods of claim 1, receiving, by the one or more processors, a notification that at least one of the disparate anomalies found in the synthetic event resulted in a successful malicious attack against a certain attack surface; and in response to receiving the notification that at least one of the disparate anomalies found in the synthetic event resulted in the successful malicious attack against the certain attack surface, issuing, by the one or more processors, a warning that all of the disparate anomalies found in the synthetic event are suspected malicious attacks. Appeal Br. 25 (Claims App.) (emphases added). The Examiner rejects claim 5 as obvious over the combined teachings of Lin and Mitomo. Final Act. 12–13, 21–22. In particular, the Examiner finds Lin teaches or suggests, “that at least one of the disparate anomalies found in the synthetic event resulted in a successful malicious attack against Appeal 2020-001127 Application 14/721,091 17 a certain attack surface” (Final Act. 21 (citing, e.g., Lin, 3:40–41 (“Anomaly detection server 116 is configured to detect potential anomalous behavior (e.g., security threats)”)))7 and “issuing . . . a warning that all of the disparate anomalies found in the synthetic event are suspected malicious attacks” (id. (citing, e.g., Lin, 8:67–9:3 (“In some embodiments, detection engine 212 is configured to generate and present a list of paths of interest where the paths are ranked based on their respective scores.” (emphasis added)))). (Emphases added.) Appellant challenges the rejection of claim 5. Appeal Br. 16–17; see Reply Br. 4–5 (reiterating previous contentions). Similar to the challenge to the rejection of claims 2 and 16, discussed above, Appellant repeats the limitations recited in claim 5, summarizes the Examiner’s citations to Lin, and contends: None of these passages teach or suggest “issuing ... a warning that all of the disparate anomalies found in the synthetic event are suspected malicious attacks”, particularly “in response to receiving the notification that at least one of the disparate anomalies found in the synthetic event resulted in the successful malicious attack against the certain attack surface”. Appeal Br. 16–17. The Examiner responds, “As with claim 2, Appellant has not actually provided any reason as to why Appellant believes the language of claim 5 is different from the cited prior art.” Ans. 38. We agree with the Examiner. Again, Appellant’s challenge is little more than a naked assertion that the disputed limitations are not taught or suggested by the applied 7 See also Lin, 5:14–15 (“2) Mail server anomaly Spike in incoming (e.g., phishing) email”). Appeal 2020-001127 Application 14/721,091 18 references. See 37 C.F.R. § 41.37(c)(1)(iv) (quoted above); Lovin, 652 F.3d at 1357 (quoted above). We are not persuaded the Examiner errs in rejecting claim 5 over the combined teachings of Lin and Mitomo. Further, the Examiner adequately shows that Lin and Mitomo teach or suggest the additional limitations of claim 5. Final Act. 12–13, 21–22; see Ans. 35–38. Consequently, we sustain the rejection of claim 5. 4. Dependent Claim 6 Claim 6 recites, in the methods of claim 1, receiving, by the one or more processors, a notification that at least one of the disparate anomalies found in the synthetic event contains a known malicious feature; and in response to receiving the notification that at least one of the disparate anomalies found m the synthetic event contains the known malicious feature, issuing, by the one or more processors, a warning that all of the disparate anomalies found in the synthetic event are suspected malicious attacks. Appeal Br. 25 (Claims App.) (emphases added). The Examiner rejects claim 6 as obvious over the combined teachings of Lin and Mitomo. Final Act. 22–23. In particular, the Examiner finds Lin teaches or suggests, “at least one of the disparate anomalies found in the synthetic event contains a known malicious feature” (Final Act. 23 (citing, e.g., Lin, 11:22–40 (describing “links (relationships)” between anomalous events used to form a path of interest))) and “issuing . . . a warning that all of the disparate anomalies found in the synthetic event are suspected malicious attacks” (id. (citing, e.g., Lin, 8:67–9:3 (“In some embodiments, detection engine 212 is configured to generate and present a list of paths of interest where the paths are ranked based on their respective scores.” Appeal 2020-001127 Application 14/721,091 19 (emphasis added))); see Ans. 39). (Emphases added.) Appellant challenges the rejection of claim 6. Appeal Br. 18–19; see Reply Br. 5 (reiterating previous contentions). Similar to the challenges to the rejection of claims 2, 5, and 16, discussed above; Appellant repeats the limitations recited in claim 6; summarizes the Examiner’s citations to Lin, and contends: None of the cited passages from Lin teach or suggest “issuing ... a warning that all of the disparate anomalies found in the synthetic event are suspected malicious attacks”, particularly “in response to receiving the notification that at least one of the disparate anomalies found in the synthetic event contains the known malicious feature”. Appeal Br. 18–19. The Examiner responds, “As with claims 2 and 5, Appellant has refrained from actually providing any reason as to why Appellant believes the reference does not disclose the quoted subject matter.” Ans. 39. We agree with the Examiner. Yet again, Appellant’s challenge is little more than a naked assertion that the disputed limitations are not taught or suggested by the applied references. See 37 C.F.R. § 41.37(c)(1)(iv) (quoted above); Lovin, 652 F.3d at 1357 (quoted above). We are not persuaded the Examiner errs in rejecting claim 6 over the combined teachings of Lin and Mitomo. Further, the Examiner has adequately shown that Lin and Mitomo teach or suggest the additional limitations of claim 6. Final Act. 22–23; see Ans. 38–39. Consequently, we sustain the rejection of claim 6. Appeal 2020-001127 Application 14/721,091 20 5. Dependent Claim 10 Claim 10 recites, in the methods of claim 1, wherein all of the disparate anomalies were attempted misuses of the multiple attack surfaces, and wherein all of the attempted misuses were prevented by security systems on the multiple attack surfaces, 8 and wherein the method further comprises: appending, by the one or more processors, an explanation to the synthetic event describing what prompted the security systems to prevent the attempted misuses. Appeal Br. 25–26 (Claims App.) (emphases added). The Examiner rejects claim 10 as obvious over the combined teachings of Lin and Mitomo. Final Act. 14–15, 25. In particular, the Examiner finds Mitomo teaches or suggests, “all of the disparate anomalies were attempted misuses of the multiple attack surfaces, and wherein all of the attempted misuses were prevented by security systems on the multiple attack surfaces” (Final Act. 25 (citing, e.g., Mitomo ¶ 195 (“In other words, possible future events can be predicated based on the following event transitions of an unauthorized access scenario while an ongoing scenario is progressing based on the unauthorized access scenario defined by event series.” (emphasis added)))) and “appending . . . an explanation to the synthetic event describing what prompted the security systems to prevent the attempted misuses” (id. (citing, e.g., Mitomo ¶ 203 (“The output unauthorized access report is notified from the attack report unit 550 to the administrators of the unauthorized access detection device 500, the target 8 We understand claim 10 recites that the “disparate anomalies” are of a single type, i.e., “attempted misuses.” See Ans. 7; Spec. ¶ 73. Appeal 2020-001127 Application 14/721,091 21 device, and the devices serving as tools of the attack.”))). (Emphases added.) Appellant challenges the rejection of claim 10 for three reasons. Appeal Br. 19–21; see Reply Br. 5–6 (reiterating previous contentions). We are not persuaded any of these reasons show Examiner error. First, Appellant contends, “the invention claimed in Claim 10 does not include the feature of a ‘report including an explanation for providing such data within the report’. Rather, the feature appends, to the synthetic event, an explanation describing, ‘what prompted the security systems to prevent the attempted misuses.’” Appeal Br. 20 (emphases omitted). In particular, referring to its Figure 2, Appellant contends the Specification discloses, “an explanation (e.g., reason 210 in FIG. 2) is appended to the synthetic event describing what prompted the security systems to prevent the attempted misuses.” Id. (quoting Spec. ¶ 73 (emphasis added)). Nevertheless, the Specification only discloses that “reason 210” is an example of “an explanation.” See Spec. ¶ 73 (using “e.g.”). Although the claims are interpreted in light of the Specification, limitations from the Specification are not read into the claims. Ans. 42; see In re Van Geuns, 988 F.2d 1181, 1184 (Fed. Cir. 1993). Appellant’s contention is unpersuasive because it is “not based on limitations appearing in the claims.” See In re Self, 671 F.2d 1344, 1348 (CCPA 1982). During examination, the claims are interpreted as broadly as their terms reasonably allow. In re Am. Acad. of Sci. Tech Ctr., 367 F.3d 1359, 1369 (Fed. Cir. 2004). The term “explanation” appears only once in the Specification, and an “explanation” is merely something that explains. See, e.g., RANDOM HOUSE WEBSTER’S COLLEGE DICTIONARY 463 (2nd Random House ed. Appeal 2020-001127 Application 14/721,091 22 1999). We find no reason to limit an “explanation” to something less than its ordinary meaning. Thus, we agree with the Examiner that Mitomo’s report teaches or suggests the recited “explanation.” Ans. 40–41. Second, Appellant contends, “Mitomo never teaches or suggests a synthetic event that includes a listing of all of the disparate anomalies experienced by the multiple attack surfaces and a rule-based reason for combining this listing.” Appeal Br. 20. Nevertheless, we addressed this contention above with respect to claim 10’s base claim, claim 1. Moreover, as noted above, Appellant cannot show nonobviousness by attacking references individually when the rejection is based on the references’ combined teachings. See Merck, 800 F.2d at 1097; Keller, 642 F.2d at 426. As noted above, we remain in agreement with the Examiner that Lin and Mitomo together teach or suggest this limitation of claim 1. Ans. 42; see Final Act. 18–19. Third, Appellant contends: Appellant has carefully re-read all of Mitomo, including the cited paragraphs [0194] - [0205], and is unable to find any passage that teaches providing a reason or explanation for “what prompted the security systems to prevent the attempted misuses”. Rather, Mitomo, and particularly the cited passages [0194] - [0205] of Mitomo, teaches predicting an attack and taking preventive measures against such an attack. Appeal Br. 20 (italics added). Again, however, we addressed this contention above with respect to claim 10’s base claim, claim 1. Moreover, Mitomo discloses: The output unauthorized access report is notified from the attack report unit 550 to the administrators of the unauthorized access detection device 500, the target device, and the devices serving as tools of the attack. Appeal 2020-001127 Application 14/721,091 23 Mitomo ¶ 203. The Examiner then finds: This clearly shows outputting a report regarding the attack to all of the devices associated therewith. It is this report that includes data such as “the IP address of a device being used by the attacker, the IP address of a device being a target of the attack, and the name of the unauthorized access scenario completed” as seen in paragraph 116 of Mitomo (associated with cited figure 8). The unauthorized access scenario is clearly “a reason or explanation for ‘what prompted the security systems to prevent the attempted misuses’” since it identifies the precise scenario being used for unauthorized accesses (which are clearly attempted misuses, since an entity that is not authorized is attempting access). Ans. 43. Thus, the Examiner finds that Mitomo teaches or suggests this limitation of claim 10; we agree. None of Appellant’s reasons persuades us that the Examiner errs in finding that the combined teachings of Lin and Mitomo render claim 10 obvious. Consequently, we sustain the rejection of claim 10. C. Obviousness over Lin, Mitomo, and Cochenour or Senturk-Doganaksoy As noted above, the Examiner also rejects claims 11 and 13 under 35 U.S.C. § 103 as obvious over Lin, Mitomo, and Cochenour (Final Act. 27– 28); and claim 20 under 35 U.S.C. § 103 as obvious over Lin, Mitomo, and Senturk-Doganaksoy (id. at 28–29). Appellant does not challenge these rejections separately from the challenge to their base claim, claim 1. Ans. 3. Consequently, because we are not persuaded the Examiner errs in rejecting claim 1, we also are not persuaded the Examiner errs in rejecting claim 11, 13, or 20 as obvious over the combined teachings of Lin, Mitomo, and Cochenour or Senturk-Doganaksoy; and we sustain those rejections. Appeal 2020-001127 Application 14/721,091 24 DECISION 1. The Examiner does not err in rejecting: a. claims 1–10, 12, and 14–18 under 35 U.S.C. § 103 as obvious over Lin and Mitomo; b. claims 11 and 13 under 35 U.S.C. § 103 as obvious over Lin, Mitomo, and Cochenour; or c. claim 20 under 35 U.S.C. § 103 as obvious over Lin, Mitomo, and Senturk-Doganaksoy. 2. Thus, on this record, claims 1–18 and 20 are not patentable. CONCLUSION We affirm the Examiner’s rejections of claims 1–18 and 20. In summary: Claim(s) Rejected 35 U.S.C. § Reference(s)/Basis Affirmed Reversed 1–10, 12, 14– 18 103 Lin, Mitomo 1–10, 12, 14– 18 11, 13 103 Lin, Mitomo, Cochenour 11, 13 20 103 Lin, Mitomo, Senturk-Doganaksoy 20 Overall Outcome 1–18, 20 No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv) (2018). AFFIRMED Copy with citationCopy as parenthetical citation
