Matias Madou et al.
Patent Trials and Appeals Board, Dec 31, 2019
13331815 - (D) (P.T.A.B. Dec. 31, 2019)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

| APPLICATION NO. | FILING DATE | FIRST NAMED INVENTOR | ATTORNEY DOCKET NO. | CONFIRMATION NO. |
|---|---|---|---|---|
| 13/331,815 | 12/20/2011 | Matias Madou | 82850249 | 7122 |

146568 7590 12/31/2019
MICRO FOCUS LLC
500 Westover Drive #12603
Sanford, NC 27330

EXAMINER: DAVIS, ZACHARY A
ART UNIT / PAPER NUMBER: 2492
NOTIFICATION DATE: 12/31/2019
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): software.ip.mail@microfocus.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte MATIAS MADOU, BRIAN V. CHESS, and SEAN PATRICK FAY

Appeal 2018-008934
Application 13/331,815
Technology Center 2400

Before MARC S. HOFF, JAMES R. HUGHES, and DENISE M. POTHIER, Administrative Patent Judges.

HUGHES, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Pursuant to 35 U.S.C. § 134(a), Appellant[1] appeals from the Examiner’s decision rejecting claims 1–11, 13–15, 21–23, and 26. Claims 16 and 20 have been withdrawn from consideration; claims 12, 17–19, 24, and 25 have been canceled. See Final Act. 1–2.[2] We have jurisdiction under 35 U.S.C. § 6(b).

[1] We use the word Appellant to refer to “applicant” as defined in 37 C.F.R. § 1.42(a). Appellant identifies the real party in interest as EntIT Software LLC. See Appeal Br. 3.

[2] We refer to Appellant’s Specification (“Spec.”), filed Dec. 20, 2011; Appeal Brief (“Appeal Br.”), filed Mar. 19, 2018; and Reply Brief (“Reply Br.”), filed Sept. 18, 2018. We also refer to the Examiner’s Final Office Action (“Final Act.”), mailed Oct. 18, 2017; and Answer (“Ans.”) mailed July 19, 2018.

We REVERSE.

CLAIMED SUBJECT MATTER

The invention relates generally to software application security and, more specifically, to application security testing systems and processor-readable media including instructions for application security testing that tests an application by attacking it—by “providing attack data sets to the application.” Spec. ¶ 1010; see Spec. ¶¶ 1001–1003, 1010–1012; Abstract. Claims 1 and 11 are independent. Claim 1, reproduced below, is illustrative of the claimed subject matter:

1. A non-transitory processor-readable medium storing code representing instructions that, when executed at a processor, cause the processor, to:
[A] access an attack description;
[B] intercept a data set from an application via an application programming interface (API), the intercepted data set based on an attack data set, wherein the attack data set is used to test for a security vulnerability in the application;
[C] correlate, using a Hamming distance, the intercepted data set with the attack description using a correlation type identifier; and
[D] report the security vulnerability for the application in response to the intercepted data set based at least in part on a result of the correlation.

Appeal Br. 30 (Claims App.) (bracketed limitation designations added).

REFERENCES

The prior art relied upon by the Examiner as evidence is:

| Name | Reference | Date |
|---|---|---|
| Protas | US 2010/0175108 A1 | July 8, 2010 |
| JBroFuzz | Open Web Application Security Project (OWASP), OWASP JBroFuzz Tutorial (“JBroFuzz”) | Mar. 30, 2010 |
| HP WebInspect | Hewlett-Packard Development Company, L.P., HP WebInspect for the Windows operating system, Software Version 8.00—User Guide (“HP WebInspect”) | Mar. 2009 |
| Sekar | R. Sekar, An Efficient Black-box Technique for Defeating Web Application Attacks, Network and Distributed Systems Symposium (NDSS) (“Sekar”) | Feb. 9, 2009 |
| Nanda | Susanta Nanda et al., Dynamic Multi-Process Information Flow Tracking for Web Application Security, Proceedings ACM/IFIP/USENIX Int’l Conf. Middleware, pp.1–20 (“Nanda”) | 2007 |
| Bookstein | Bookstein et al., Generalized Hamming Distance, Information Retrieval, vol. 5, pp. 353–375 (“Bookstein”) | 2002 |

REJECTIONS

1. The Examiner rejects claims 1–11, 13–15, 21–23, and 26 under 35 U.S.C. § 101 as being directed to patent-ineligible subject matter. See Final Act. 10–12.

2. The Examiner rejects claim 21 under 35 U.S.C. § 112, first paragraph, as failing to comply with the written description requirement. See Final Act. 13–14.

3. The Examiner rejects claims 1–10 and 21 under 35 U.S.C. § 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the applicant regards as the invention. See Final Act. 14–15.

4. The Examiner rejects claims 1–6, 8–11, 13–15, 21–23, and 26 under 35 U.S.C. § 103(a) as being unpatentable over HP WebInspect, JBroFuzz, and Protas. See Final Act. 16–23.

3. The Examiner rejects claims 1–11, 13–15, 21–23, and 26 under 35 U.S.C. § 103(a) as being unpatentable over Sekar, Bookstein, and Protas. See Final Act. 16–23.

4. The Examiner rejects claim 7 under 35 U.S.C. § 103(a) as being unpatentable over HP WebInspect, JBroFuzz, Protas, and Nanda. See Final Act. 23–24.

OPINION

Subject Matter Eligibility—35 U.S.C. § 101

Under 35 U.S.C. § 101, a patent may be obtained for “any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof.” The Supreme Court has “long held that this provision contains an important implicit exception: Laws of nature, natural phenomena, and abstract ideas are not patentable.” Alice Corp. v. CLS Bank Int’l, 573 U.S. 208, 216 (2014) (quoting Ass’n for Molecular Pathology v. Myriad Genetics, Inc., 569 U.S. 576, 589 (2013)). The Supreme Court, in Alice, reiterated the two-step framework previously set forth in Mayo Collaborative Servs. v. Prometheus Labs., Inc., 566 U.S. 66, 77–80 (2012), “for distinguishing patents that claim laws of nature, natural phenomena, and abstract ideas from those that claim patent-eligible applications of those concepts.” Alice, 573 U.S. at 217. The framework requires us first to consider “whether the claims at issue are directed to one of those patent-ineligible concepts.” Alice, 573 U.S. at 217. If so, we then examine “the elements of [the] claim both individually and ‘as an ordered combination’ to determine whether the additional elements ‘transform the nature of the claim’ into a patent-eligible application.” Alice, 573 U.S. at 217 (quoting Mayo, 566 U.S. at 78, 79). That is, we examine the claim for an “inventive concept,” “an element or combination of elements that is ‘sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the [ineligible concept] itself.’” Alice, 573 U.S. at 217–18 (alteration in original) (quoting Mayo, 566 U.S. at 72–73).

The Patent Office recently published revised guidance concerning this framework and the application of § 101. USPTO’s 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50 (Jan. 7, 2019) (hereinafter “2019 Revised Guidance”).
Under that guidance, we first look to whether the claim recites:

(1) any judicial exceptions, including certain groupings of abstract ideas (i.e., mathematical concepts, mental processes, or certain methods of organizing human activity such as a fundamental economic practice or managing personal behavior or relationships or interactions between people) (hereinafter “Step 2A, prong 1”); and

(2) additional elements that integrate the judicial exception into a practical application (see MPEP §§ 2106.05(a)–(c), (e)–(h)) (hereinafter “Step 2A, prong 2”).[3]

See 2019 Revised Guidance, 84 Fed. Reg. at 51–52, 55.

[3] All references to the MPEP are to the Ninth Edition, Revision 08-2017 (rev. Jan. 2018).

A claim that integrates a judicial exception into a practical application applies, relies on, or uses the judicial exception in a manner that imposes a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the judicial exception. See 2019 Revised Guidance, 84 Fed. Reg. at 54. When the judicial exception is so integrated, then the claim is not directed to a judicial exception and is patent eligible under 35 U.S.C. § 101. See 2019 Revised Guidance, 84 Fed. Reg. at 54.

Only if a claim: (1) recites a judicial exception and (2) does not integrate that exception into a practical application, do we then evaluate whether the claim provides an inventive concept. See 2019 Revised Guidance 84 Fed. Reg. at 56; Alice, 573 U.S. at 217–18. For example, we look to whether the claim:

(3) adds a specific limitation beyond the judicial exception that is not “well-understood, routine, conventional” in the field (see MPEP § 2106.05(d)); or

(4) simply appends well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception.[4]

See 2019 Revised Guidance, 84 Fed. Reg. at 56.

[4] Items (3) and (4) are collectively referred to as “Step 2B” hereinafter and in the 2019 Revised Guidance.

With these principles in mind, we turn to the merits of the § 101 rejection.

Statutory Subject Matter

We find that claim 1 recites a “processor-readable medium,” and Appellant’s “medium” stores instructions to be executed by a processor to perform the functions delineated in claim 1. See claim 1 (Appeal Br. 30 (Claims App.)). Computer-readable media (or processor-readable media, in the instant claims) are statutory subject matter. See David J. Kappos, Subject Matter Eligibility of Computer Readable Media, 1351 Off. Gaz. Pat. Office 212 (Feb. 23, 2010). Also, because Appellant’s claim 1 recites a medium storing instructions to be executed by a processor in order to perform the delineated functions, we analyze Appellant’s claim 1 as a process, which is also a statutory category of subject matter (USPTO’s Step 1).

Abstract Idea

The Examiner rejects Appellant’s claims 1–11, 13–15, 21–23, and 26 as being directed to patent-ineligible subject matter. See Final Act. 10–12; Ans. 4–7. Appellant argues claims 1–11, 13–15, 21–23, and 26 together for this rejection. See Appeal Br. 7–13; Reply Br. 1–6. We address the rejection of Appellant’s claim 1 with respect to whether the claim recites a judicial exception (an abstract idea), which is dispositive of the patent-eligibility issue.

Specifically, the Examiner rejects Appellant’s claim 1 as being directed to patent-ineligible subject matter (see Final Act. 10–12), and concludes claim 1 “is directed to a software implementation of a method that includes accessing an attack description, intercepting a data set, correlating the data set and attack description, and reporting a security vulnerability” where the “step of correlating the data set with the attack description is directed to an abstract idea” (Final Act. 10). See Final Act. 10–12; Ans. 4–7.
Further, the Examiner concludes the limitations of Appellant’s claim 1, in particular the correlation step, are similar to several precedential cases including Benson, Flook, Perkin-Elmer, SmartGene, Cybersource, and Digitech. See Final Act. 10.[5] In summary, the Examiner concludes “[b]ecause the claims recite . . . abstract ideas of comparing/correlating data using mathematical operations, the claims are directed to abstract ideas.” Final Act. 11; see Final Act. 10–12; Ans. 4–7.

[5] The Examiner cites: Gottschalk v. Benson, 409 U.S. 63 (1972); Parker v. Flook, 437 U.S. 584 (1978); PerkinElmer, Inc. v. Intema Ltd., 496 F. Appx. 65 (Fed. Cir. 2012); SmartGene, Inc. v. Advanced Biological Labs., SA, 555 Fed. Appx. 950 (Fed. Cir. 2014); CyberSource Corp. v. Retail Decisions, Inc., 654 F.3d 1366 (Fed. Cir. 2011); and Digitech Image Techs., LLC v. Elecs. for Imaging, Inc., 758 F.3d 1344 (Fed. Cir. 2014).

Appellant contends the Examiner erred in rejecting the claims as being directed to patent-ineligible subject matter. See Appeal Br. 7–13; Reply Br. 1–6. Specifically, Appellant contends, with respect to the first step of the Alice analysis, that the claims (in particular claim 1) do not recite an abstract concept and the Examiner improperly interpreted the claims—the Examiner “broad[ly] overgeneraliz[es] or mischaracterize[es] . . . the claim language.” Appeal Br. 11; see Appeal Br. 7–12; Reply Br. 1–3. Appellant also contends claim 1 (and the other pending claims) are drawn to a technological improvement—“identifying and reporting security vulnerabilities for applications . . . improves the operation of the computer system . . . .[and] [a]s such, the claims are necessarily rooted in . . . computer technology.” Appeal Br. 8; see Appeal Br. 7–8; Reply Br. 3. Appellant further contends the instant claims are not analogous to the judicial exceptions in the Examiner-cited cases and do not recite mental processes similar to the claims in SmartGene. See Appeal Br. 9; see also Appeal Br. 8–12; Reply Br. 1–3.

For the reasons discussed below, we conclude Appellant’s claim 1 (and the other pending claims) does not recite abstract ideas. In view of the 2019 Revised Guidance, we provide our reasoning as follows.

Claim 1 (Appeal Br. 30 (Claims App.)) recites a processor-readable medium storing instructions to be executed by a processor in order to perform certain delineated process functions, including: “access[ing] an attack description” (limitation A), i.e., accessing data (see Spec. ¶ 1014); and “intercept[ing] a data set from an application via an application programming interface (API), the intercepted data set based on an attack data set,” and where “the attack data set is used to test for a security vulnerability in the application” (limitation B), i.e., intercepting data from an application via an API (see Spec. ¶ 1015).

Claim 1 also recites “correlate[ing] the intercepted data set with the attack description” “using a Hamming distance” and “a correlation type identifier” (limitation C). That is, performing data analysis or manipulation (a comparison or correlation) of the intercepted data to the attack description (using a correlation type identifier and a Hamming distance). See Spec. ¶¶ 1016, 1019–1020. Claim 1 further recites “report[ing] the security vulnerability for the application in response to the intercepted data set based at least in part on a result of the correlation” (limitation D). In other words, determining a correlation (see limitation C) indicates a security vulnerability and reporting the security vulnerability. See Spec. ¶ 1017.
In summary, claim 1 recites a process including accessing an attack description, intercepting a data set via an API, correlating the intercepted data with the attack description utilizing a Hamming distance and a correlation type identifier to determine a vulnerability, and reporting the vulnerability. Hereinafter, we refer to this process as the “application security testing process.”

Appellant points out that claim 1 (as well as the other pending claims) is “directed to a solution for testing applications that include observing, or monitoring, an application while the application is being tested by a scanner for security vulnerabilities.” Appeal Br. 7–8 (citing Spec. ¶ 1012). When interpreted in conjunction with the Specification (in particular, Spec. ¶¶ 1012–1020), claim 1 requires providing an attack data set to an application and monitoring the application’s processing of the data at an API. See Spec. ¶ 1033. The intercepted data is analyzed to determine if there is a correlation with an attack description indicative of a security vulnerability. See Spec. ¶¶ 1014–1020, 1033.

Although, as set forth by the Examiner (see Final Act. 10–11; Ans. 5–6), claim 1 involves comparing data using mathematical correlations—which the Examiner equates to a mental process—the Examiner does not appreciate how the limitations of claim 1 operate as a whole. The correlation (limitation C) by itself may involve a mental process (see 2019 Revised Guidance, 84 Fed. Reg. at 52, 53 (“[m]ental processes” are “concepts performed in the human mind (including an observation, evaluation, judgment, opinion)”), but the claim recites that the data to be correlated is intercepted via an API. Put another way, the correlated data is collected from an application processing a particular set of data (an attack).
Intercepting data from an application processing an attack and correlating that data is not a mental process that can practically be performed in the mind or using a pen and paper. The instant claims are similar to the claims found to be patent-eligible in SRI Int’l. See SRI International, Inc. v. Cisco Systems, Inc., 930 F.3d 1295, 1303–04 (Fed. Cir. 2019) (“[C]laims . . . directed to . . . using a plurality of network monitors . . .[to] analyze specific types of data on the network” cannot practically be performed in the human mind—“the human mind is not equipped to detect suspicious activity by using network monitors and analyzing network packets as recited by the claims” (id. at 1304).). The instant claims cannot practically be performed in the human mind and, therefore, do not recite a mental process. See USPTO’s October 2019 Update: Subject Matter Eligibility, § II.C.i (available at https://www.uspto.gov/sites/default/files/documents/peg_oct_2019_update.pdf) (“October 2019 Update”) (“Claims do not recite a mental process when they do not contain limitations that can practically be performed in the human mind.”).

In summary, we conclude Appellant’s claim 1 does not recite a judicial exception (USPTO’s Step 2A, Prong 1; see 2019 Revised Guidance) because claim 1 recites a process including intercepting a data set via an API and correlating the intercepted data with an attack description utilizing a Hamming distance and a correlation type identifier to determine a vulnerability—the application security testing process—that cannot be practically performed in the human mind.

For at least the reasons above, we are persuaded of Examiner error in the rejection of claim 1 under 35 U.S.C. § 101.
Thus, we do not sustain the Examiner’s rejection under § 101 of independent claim 1, independent claim 11, which recite commensurate limitations, and dependent claims 2–10, 13–15, 21–23, and 26, which depend from claims 1 and 11, respectively.

The Indefiniteness Rejection of Claims 1–10 and 21

The Examiner rejects claims 1–10 and 21 as being indefinite. See Final Act. 14–15; Ans. 8–10. Specifically, the Examiner finds claim 1 (as well as dependent claims 2–4 and 6–9) recites “in response to the intercepted data set,” but concludes “the phrase . . . is unclear with respect to what is actually responded to” and this “ambiguity renders the claim indefinite.” Final Act. 15 (quotations omitted). The Examiner also finds that claim 5 recites “intercepting the data set comprises intercepting the application in response to intercepting execution of the application” but the phrase is “generally unclear and of indefinite scope.” Final Act. 15. The Examiner further finds that claim 10 recites “the processor-readable medium further storing code,” but concludes “it is not clear how this phrase relates grammatically to the remainder of the claim.” Final Act. 15. The Examiner additionally finds claim 21 recites causing “the processor to form an observer,” but concludes it “is not clear what steps or functions would be required to form an observer, which generally renders the scope of the claim unclear.” Final Act. 15.

Appellant contends “the Final Office Action fails to set forth the prima facie case of indefiniteness” (Appeal Br. 13) and the basis of the Examiner’s rejection is actually to the “scope, or breadth, of the claim”; however, claim scope or breadth should not “be equated with indefiniteness” (Appeal Br. 14). Appellant makes similar arguments with respect to claim 5 (see Appeal Br. 14–15), claim 10 (see Appeal Br. 15), and claim 21 (see Appeal Br. 15).

The essence of the requirement under 35 U.S.C. § 112, second paragraph, is that the language of the claims must make clear what subject matter the claims encompass—i.e., “whether those skilled in the art would understand what is claimed when the claim is read in light of the specification.” Star Scientific, Inc. v. R.J. Reynolds Tobacco Co., 655 F.3d 1364, 1380 (Fed. Cir. 2011) (quoting Orthokinetics, Inc. v. Safety Travel Chairs, Inc., 806 F.2d 1565, 1576 (Fed. Cir. 1986)); see In re Packard, 751 F.3d 1307, 1310–14 (Fed. Cir. 2014). “[W]e apply the approach for assessing indefiniteness approved by the Federal Circuit in Packard, i.e., ‘[a] claim is indefinite when it contains words or phrases whose meaning is unclear.’ Put differently, ‘claims are required to be cast in clear—as opposed to ambiguous, vague, indefinite—terms.’” In re McAward, Appeal 2015-006416, 2017 WL 3669566, *5 (PTAB Aug. 25, 2017) (precedential) (quoting In re Packard, 751 F.3d at 1310, 1313–14) (citations omitted).

Claim 1 (as discussed supra) determines and reports a vulnerability for an application in response to the intercepted data set based on the result of the correlation. We find the language of claim 1 (as well as dependent claims 2–4 and 6–9), when properly construed, would be understood by those skilled in the art, and the language is not unclear. The Examiner apparently misconstrues the claim language and does not explain why the disputed language would be unclear to one of ordinary skill in the art. In light of our findings and Appellant’s arguments, we find the Examiner fails to sufficiently explain why one of ordinary skill in the art would not understand what is claimed.

With respect to claim 5, we interpret claim 5 to recite intercepting the data set (which is recited in claim 1) further includes intercepting the application, i.e., execution of the application. See Appeal Br. 14–15; Spec. ¶¶ 1015, 1033–1036, 1038.
We find the language of claim 5, when properly construed, would be understood by those skilled in the art, and the language is not unclear. The Examiner does not provide an interpretation (or alternate interpretations) of the purportedly unclear claim language and does not explain why the disputed language would be unclear to one of ordinary skill in the art. In light of our findings and Appellant’s arguments, we find the Examiner fails to sufficiently explain why one of ordinary skill in the art would not understand what is claimed.

With respect to claim 10, we interpret claim 10 to recite the medium storing code to perform additional functionality (an additional process step)—to “determine whether the intercepted data set satisfies a security rule.” See Appeal Br. 15; Spec. ¶ 1075. We find the disputed language of claim 10 is not unclear as to how it “relates . . . to the remainder of the claim” (Final Act. 15), and would be understood by those skilled in the art. The Examiner does not explain why the disputed language would be unclear to one of ordinary skill in the art. In light of our findings and Appellant’s arguments, we find the Examiner fails to sufficiently explain why one of ordinary skill in the art would not understand what is claimed by Appellant.

With respect to claim 21, we interpret claim 21 to recite storing code to perform additional functionality—to “form an observer,” i.e., forming or instantiating an observer module that performs the delineated process steps. See Appeal Br. 15; Spec. ¶¶ 1012–1016. We find the language of claim 21 would be understood by those skilled in the art, and the language is not unclear. The Examiner does not explain why the disputed language would be unclear to one of ordinary skill in the art.
In light of our findings and Appellant’s arguments, we find the Examiner fails to sufficiently explain why one of ordinary skill in the art would not understand what is claimed by Appellant. Therefore, we do not sustain the Examiner’s indefiniteness rejection of claims 1–10 and 21.

The Written Description Rejection of Claim 21

The Examiner rejects claim 21 as failing to comply with the written description requirement. See Final Act. 13–14; Ans. 11. Specifically, the Examiner finds claim 21 “has been amended to recite causing a processor ‘to form an observer’ to perform various functions,” but there is “not clear written description of this limitation in the specification,” in particular, “there appears to be no mention in the specification of such a step of forming the observer.” Final Act. 14.

Appellant contends that the disputed feature—forming an observer—is supported by the Specification, and the Specification “is replete with implementations in which instructions are executed to form an observer.” Appeal Br. 16; see Appeal Br. 16–17 (citing Spec. ¶ 1032); Reply Br. 8–9 (citing Spec. ¶¶ 1025, 1082).

The test for sufficiency under the written description requirement “is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date.” Ariad Pharms, Inc. v. Eli Lilly and Co., 598 F.3d 1336, 1351 (Fed. Cir. 2010).

Appellant’s cited paragraphs describe an observer and an observer installing additional monitor code. See Spec. ¶ 1032; Appeal Br. 16–17; Reply Br. 8–9. We find the above-described subject matter from Appellant’s Specification provides sufficient written description support for the claimed features the Examiner found lacking in such support.
In particular, the above description shows Appellant had possession of an observer or observer module and storing instructions to “form” or instantiate an observer. We, therefore, find the Examiner erred in rejecting independent claim 21 as lacking sufficient written description support.

Obviousness Rejections of Claims 1–11, 13–15, 21–23, and 26

The Examiner rejects independent claim 1 (as well as independent claim 11, and dependent claims 2–6, 8–10, 13–15, 21–23, and 26) over HP WebInspect, JBroFuzz, and Protas. See Final Act. 16–19; Ans. 11–12. The Examiner also rejects independent claim 1 (as well as independent claim 11, and dependent claims 2–10, 13–15, 21–23, and 26) over Sekar, Bookstein, and Protas. See Final Act. 16–19; Ans. 11–12. The Examiner further rejects dependent claim 7 over HP WebInspect, JBroFuzz, Protas, and Nanda. See Final Act. 23–24.

Appellant contends Protas does not teach the disputed limitations of claim 1 (and claim 11). See Appeal Br. 17–18; Reply Br. 9, 11. Specifically, Appellant contends, inter alia, that “the purpose of [Protas’ API (element 79)] is to intercept an initiation signal [(element 74)]” and Protas’ API “does not, and is not used for . . . intercepting a data set from an application or used, for purposes of analyzing, correlating or determining a vulnerability of the application.” Appeal Br. 18 (citing Protas ¶¶ 47, 48, 51, 53); see also Figs. 5, 6a-6c.
We agree with Appellant that the Examiner-cited portions of Protas (in combination with HP WebInspect and JBroFuzz, or alternately in combination with Sekar and Bookstein) do not describe intercepting a data set from an application using an application programming interface (API) where the intercepted data set from the application is the result of processing an attack data set provided to the application—“the intercepted data set based on an attack data set, wherein the attack data set is used to test for a security vulnerability in the application” (claim 1 (Appeal Br. 30 (Claims App.))).

At best the Examiner-cited portions of Protas generally describe detecting vulnerabilities and in a separate embodiment describe an API intercepting a signal. See Ans. 12 (citing Protas ¶¶ 18, 47, 48, 51, 53). Although a signal, in general, may constitute data or even a data set—as suggested by the Examiner (see Ans. 12)—Protas does not disclose, teach, or suggest the intercepted initiation signal includes such data. The Examiner instead relies on HP WebInspect or Sekar for the dataset (which neither reference describes as being intercepted from an application). See Final Act. 17 (citing HP WebInspect, pp. 41, 70; Sekar §§ 3, 4, 4.1). The Examiner does not sufficiently explain how one would combine Protas’ intercepted initiation signal with application data (from the application under test) described in either HP WebInspect or Sekar to meet the disputed limitation that requires intercepting a data set from an application via an API, where the intercepted data set from the application results from (is based on) processing an attack data provided to the application.

Consequently, we are constrained by the record before us to find that the Examiner erred in finding that the combination of Protas and HP WebInspect or Sekar (and the additional cited references—JBroFuzz or Bookstein) renders obvious Appellant’s claim 1.
Independent claim 11 includes limitations of commensurate scope. Claims 2–10, 13–15, 21–23, and 26 depend on and stand with claims 1 and 11, respectively. Accordingly, we do not sustain the Examiner’s obviousness rejections of claims 1–11, 13–15, 21–23, and 26.

CONCLUSION

For the reasons discussed above, we determine that claims 1–11, 13–15, 21–23, and 26 are not directed to an abstract idea. We also determine claim 21 complies with the written description requirement and claims 1–10 and 21 are not indefinite. We further determine that claims 1–11, 13–15, 21–23, and 26 are not obvious in view of the cited prior art.

Appellant has shown that the Examiner erred in rejecting claims 1–11, 13–15, 21–23, and 26 under 35 U.S.C. § 101. Appellant has also shown that the Examiner erred in rejecting claim 21 under 35 U.S.C. § 112, first paragraph. Appellant has further shown that the Examiner erred in rejecting claims 1–10 and 21 under 35 U.S.C. § 112, second paragraph. Additionally, Appellant has shown that the Examiner erred in rejecting claims 1–11, 13–15, 21–23, and 26 under 35 U.S.C. § 103. We therefore reverse the Examiner’s rejection of claims 1–11, 13–15, 21–23, and 26.

DECISION SUMMARY

In summary:

| Claims Rejected | 35 U.S.C. § | Reference(s)/Basis | Affirmed | Reversed |
|---|---|---|---|---|
| 1–11, 13–15, 21–23, 26 | 101 | Patent Eligible Subject Matter | | 1–11, 13–15, 21–23, 26 |
| 21 | 112 | Written Description | | 21 |
| 1–10, 21 | 112 | Indefiniteness | | 1–10, 21 |
| 1–11, 13–15, 21–23, 26 | 103 | Sekar, Bookstein, Protas | | 1–11, 13–15, 21–23, 26 |
| 1–6, 8–11, 13–15, 21–23, 26 | 103 | HP WebInspect, JBroFuzz, Protas | | 1–6, 8–11, 13–15, 21–23, 26 |
| 7 | 103 | HP WebInspect, JBroFuzz, Protas, Nanda | | 7 |
| Overall Outcome | | | | 1–11, 13–15, 21–23, 26 |

REVERSED