Veracode, Inc.
Patent Trials and Appeals Board
Feb 10, 2022
2020006183 (P.T.A.B. Feb. 10, 2022)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 16/011,606
FILING DATE: 06/18/2018
FIRST NAMED INVENTOR: Michael Floering
ATTORNEY DOCKET NO.: 105.VER-024US2
CONFIRMATION NO.: 7772

159682 7590 02/10/2022
GILLIAM IP PLLC (Veracode)
7200 N. Mopac Expy. Suite 440
Austin, TX 78731

EXAMINER: TRAN, TRI MINH
ART UNIT: 2432
PAPER NUMBER:
NOTIFICATION DATE: 02/10/2022
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): uspto@gilliamip.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte MICHAEL FLOERING

Appeal 2020-006183
Application 16/011,606
Technology Center 2400

Before MICHAEL J. STRAUSS, CHRISTA P. ZADO, and ADAM J. PYONIN, Administrative Patent Judges.

STRAUSS, Administrative Patent Judge.

DECISION ON APPEAL [1]

Pursuant to 35 U.S.C. § 134(a), Appellant [2] appeals from the Examiner’s decision to reject claims 1-7, 10-16, 19, and 21-25. Ans. 6. We have jurisdiction under 35 U.S.C. § 6(b).

We REVERSE.

[1] We refer to the Specification, filed June 18, 2018 as amended April 11, 2019 (“Spec.”); Final Office Action, mailed December 17, 2019 (“Final Act.”); Appeal Brief, filed April 30, 2020 (“Appeal Br.”); Examiner’s Answer, mailed July 1, 2020 (“Ans.”); and Reply Brief, filed August 28, 2020 (“Reply Br.”).

[2] Appellant refers to “applicant” as defined in 37 C.F.R. § 1.42. Appellant identifies the real party in interest as Veracode, Inc. Appeal Br. 3.

STATEMENT OF THE CASE

Introduction

The Application “generally relates to vulnerability assessment of computer systems and, more particularly, to systems and methods for identifying and aggregating vulnerabilities associated with a network accessible server such as a web server.” Spec. ¶ 1. Claims 1-7, 10-16, 19, and 21-25 are pending; claims 1, 12, and 19 are independent. Appeal Br. 15-19. Claim 1 is reproduced below for reference:

1. A method comprising:
    communicating first requests to network accessible servers associated with a set of one or more domains;
    identifying a plurality of software components indicated in responses from the network accessible servers;
    obtaining vulnerability information for the plurality of software components;
    determining an aggregate vulnerability for each network accessible server based on at least one of a ratio of software components of the network accessible server indicated as vulnerable by the vulnerability information to total software components used by the network accessible server and a frequency of use of those of the plurality of software components of the network accessible server indicated as vulnerable by the vulnerability information; and
    indicating vulnerability of the network accessible servers based on the aggregate vulnerabilities.

Rejection [3]

Claims 1-7, 10-16, 19, and 21-25 stand rejected under 35 U.S.C. § 101 as being patent ineligible. Ans. 6-9.

STANDARD OF REVIEW

We review the appealed rejections for error based upon the issues identified by Appellant, and in light of the contentions and evidence produced thereon. Ex parte Frye, 94 USPQ2d 1072, 1075 (BPAI 2010) (precedential).
Arguments not made are forfeited. [4]

[3] The Examiner has withdrawn prior rejections under 35 U.S.C. § 101 (Ans. 3) and § 103 (Final Act. 2) and imposes a new rejection under § 101 in the Answer (Ans. 6).

[4] See 37 C.F.R. § 41.37(c)(1)(iv) (2013) (“Except as provided for in §§ 41.41, 41.47 and 41.52, any arguments or authorities not included in the appeal brief will be refused consideration by the Board for purposes of the present appeal.”).

ANALYSIS

Section 101 defines patentable subject matter: “Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.” 35 U.S.C. § 101. The Supreme Court, however, has “long held that this provision contains an important implicit exception” that “[l]aws of nature, natural phenomena, and abstract ideas are not patentable.” Mayo Collaborative Servs. v. Prometheus Labs., Inc., 566 U.S. 66, 70 (2012) (quotation omitted). “Eligibility under 35 U.S.C. § 101 is a question of law, based on underlying facts.” SAP Am., Inc. v. InvestPic, LLC, 898 F.3d 1161, 1166 (Fed. Cir. 2018).

To determine patentable subject matter, the Supreme Court has set forth a two-part test. “First, we determine whether the claims at issue are directed to one of those patent-ineligible concepts” of “laws of nature, natural phenomena, and abstract ideas.” Alice Corp. v. CLS Bank Int’l, 573 U.S. 208, 217 (2014). “The inquiry often is whether the claims are directed to ‘a specific means or method’ for improving technology or whether they are simply directed to an abstract end-result.” RecogniCorp, LLC v. Nintendo Co., 855 F.3d 1322, 1326 (Fed. Cir. 2017). A court must be cognizant that “all inventions at some level embody, use, reflect, rest upon, or apply laws of nature, natural phenomena, or abstract ideas” (Mayo, 566 U.S.
at 71), and “describing the claims at . . . a high level of abstraction and untethered from the language of the claims all but ensures that the exceptions to § 101 swallow the rule.” Enfish, LLC v. Microsoft Corp., 822 F.3d 1327, 1337 (Fed. Cir. 2016). Instead, “the claims are considered in their entirety to ascertain whether their character as a whole is directed to excluded subject matter.” Internet Patents Corp. v. Active Network, Inc., 790 F.3d 1343, 1346 (Fed. Cir. 2015).

If the claims are directed to an abstract idea or other ineligible concept, then we continue to the second step and “consider the elements of each claim both individually and ‘as an ordered combination’ to determine whether the additional elements ‘transform the nature of the claim’ into a patent-eligible application.” Alice, 573 U.S. at 217 (quoting Mayo, 566 U.S. at 79, 78). The Supreme Court has “described step two of this analysis as a search for an ‘inventive concept’-i.e., an element or combination of elements that is sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself.” Id. at 217-18 (quotation omitted).

The U.S. Patent & Trademark Office has published revised guidance on the application of § 101. USPTO, 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50 (Jan. 7, 2019) (“Guidance”). The Manual of Patent Examining Procedure (“MPEP”) incorporates this revised guidance and subsequent updates at Section 2106 (9th ed. Rev. 10.2019, rev.
June 2020). [5]

Under Step 2A, the Office first looks to whether the claim recites:

(1) Prong One: any judicial exceptions, including certain groupings of abstract ideas (i.e., mathematical concepts, certain methods of organizing human activity such as a fundamental economic practice, or mental processes); and

(2) Prong Two: additional elements that integrate the judicial exception into a practical application (see MPEP § 2106.05(a)-(c), (e)-(h)).

Only if a claim (1) recites a judicial exception and (2) does not integrate that exception into a practical application, does the Office then, under Step 2B, look to whether the claim:

(3) adds a specific limitation beyond the judicial exception that is not “well-understood, routine, conventional” in the field (see MPEP § 2106.05(d)); or

(4) simply appends well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception.

MPEP § 2106.05(d).

[5] All references to the MPEP are to the Ninth Edition, Revision 10.2019 (Last Revised June 2020), unless otherwise indicated.

The Examiner concludes that claims 1-7, 10-16, 19, and 21-25 are directed to patent-ineligible subject matter. Ans. 6. We select independent claim 1 as representative for this rejection. Analyzing claim 1 under Step 2A, Prong One, the Examiner determines the step of determining an aggregate vulnerability for each network accessible server and indicating vulnerability of the network accessible servers covers processes that can be performed in the human mind and, as such, recites concepts that fall within the mental processes category of abstract ideas. Id. The Examiner explains as follows.

In particular, the determining steps encompasses a user thinking, with the aid of pen and paper an aggregate vulnerability (score) for each network accessible server based on the claim constraints.
The step of indicating covers any step to identify a vulnerability based on the aggregate vulnerabilities, including a mental association. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.

Id. at 7. Having determined the claim recites a judicial exception (i.e., an abstract idea), the Examiner’s analysis proceeds to Prong Two where the Examiner addresses the additional elements, as follows.

The claim recites the additional elements “communicating first requests to network accessible servers associated with a set of one or more domains; identifying a plurality of software components indicated in responses from the network accessible servers; obtaining vulnerability information for the plurality of software components.” These steps are merely steps to gather the requisite information, and hence are insignificant pre-solution activity. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.

Id. Continuing the analysis under Step 2B, the Examiner determines “[t]he claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.” Id. In particular, the Examiner determines:

the additional element of “communicating first requests to network accessible servers associated with a set of one or more domains; identifying a plurality of software components indicated in responses from the network accessible servers; obtaining vulnerability information for the plurality of software components” are extra solution activity.
Moreover, the mere collection or receipt of data over a network is a well-understood, routine, and conventional technique when it is claimed in a merely generic manner, as it is done here.

Id. at 8.

Appellant contends, inter alia, the Examiner’s analysis under Step 2A, Prong Two, mischaracterizes the additional elements as “merely steps to gather the requisite information, and hence are insignificant pre-solution activity.” Reply Br. 12 (quoting Ans. 7). Appellant argues as follows.

These elements are certainly more than a nominal or tangential addition to the independent claims. In fact, these elements directly reflect the specific improvement upon prior techniques for and integration into a practical application of vulnerability assessment of network accessible servers discussed above and in Appellant’s Brief. This combination of elements in particular reflects the improvement upon existing solutions which require analysis of program code of the software components despite an owner entity or testing service lacking knowledge of the identities of the software components and/or access to program code of the software components as described in Appellant’s Brief. The improvement reflected in these elements clearly affords more than simple gathering of data, as the claim language directly reflects that the vulnerability assessment of the network accessible servers according to the recited technique can be completed without ever accessing the program code of the software components used by the network accessible servers or without the prior knowledge of the identities of the software components. These elements thus cannot be reduced to mere data-gathering, especially when read in light of the instant [S]pecification, and instead are indicative of a substantial improvement upon prior solutions for vulnerability assessment of network accessible servers.

Id. at 13-14 (citations omitted).
Appellant further argues the claims are different from the data-gathering step of CyberSource [6] which Appellant characterizes as “generically claim[ing] the collection of certain types of data.” Id. at 14. Appellant argues, in contrast to CyberSource, claims 1, 12, and 19 pertain to a specific technique for identifying software components used by a network accessible server and accessing vulnerability information for the software components, such as in cases where the identities of the software components may be unknown to an owner entity or testing service responsible for the network accessible server at the time of the assessment. Id. Appellant further argues, because of these additional elements, the claims cannot wholly be performed in the human mind and, as such are similar to those found patent-eligible in SRI International, Inc. v. Cisco Systems, Inc., 930 F.3d 1295 (Fed. Cir. 2019). Id. at 11.

We are persuaded by Appellant’s arguments that the Examiner has not satisfied the proper burden for making a prima facie case for patent ineligibility under 35 U.S.C. § 101.

[6] CyberSource Corp. v. Retail Decisions, Inc., 654 F.3d 1366, 1370 (Fed. Cir. 2011).

Although we agree with the Examiner that claim 1 recites the mental processes of aggregating vulnerability for each network accessible server based on the claim constraints and identifying a vulnerability based on the aggregate vulnerabilities (Ans. 7), the Examiner has not shown that the claim, as a whole, fails to “integrate[] the recited judicial exception into a practical application of the exception.” MPEP § 2106.04(d) (emphasis added). Put another way, the Examiner has not sufficiently addressed whether the claims “apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the judicial exception.” Id. (emphasis added).
This analysis, under Prong Two, considers the claim as a whole, i.e., “the limitations containing the judicial exception as well as the additional elements in the claim besides the judicial exception need to be evaluated together to determine whether the claim integrates the judicial exception into a practical application.” MPEP § 2106.04(d)(III); October 2019 Patent Eligibility Guidance Update, at 12, available at https://www.uspto.gov/sites/default/files/documents/peg_oct_2019_update.pdf.

Here, Appellant argues that “[w]hen properly considering the claims as a whole and the [S]pecification as required by both the 2019 [Patent Eligibility Guidance] and case law, the claims should be found to integrate the alleged mental process into a practical application of performing vulnerability assessment of network accessible servers.” Reply Br. 12. Appellant points to the Specification as elaborating on the advantages provided by the claimed invention, including “that obtaining vulnerability information according to the recited technique allows for vulnerability assessment of network accessible servers in cases where identities of software components used by the servers are unknown or where program code of the software components is inaccessible.” Id. at 13. Therefore, Appellant concludes “[a]pplication of Step 2A should result in the claims being found not directed to a judicial exception at least because the claims as a whole integrate any mental process alleged to be recited into a practical application of assessing vulnerability of network accessible servers.” Id. at 15.

In the context of revised Step 2A, claim limitations that “reflect[] an improvement in the functioning of a computer, or an improvement to other technology or technical field” are indicative of a recited judicial exception being integrated into a practical application. Guidance 55 (citing DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1257 (Fed. Cir.
2014)); see also MPEP § 2106.05(a). A limitation that “applies or uses the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment” similarly integrates the exception into a practical application. Guidance 55 (citing Diamond v. Diehr, 450 U.S. 175, 184 (1981)); see also MPEP § 2106.05(e).

Here, claim 1 is specifically directed to obtaining vulnerability information for software components indicated by network accessible servers and determining and indicating an aggregate vulnerability for each server. The Specification explains “different software applications associated with a network accessible server may include vulnerabilities such as allowing unauthorized access to client data, commonly called data breach, permitting the network accessible server to be hijacked by a malicious user in furtherance of attacks against other web properties.” Spec. ¶ 3. However, Appellant discloses that identifying these vulnerabilities may be complicated because a party that is responsible for providing services may not be aware of these vulnerabilities “in part because a typical web service often uses a number of software applications/components that are interrelated in a complex manner, and several of these components may be obtained from different third parties.” Spec. ¶ 4. Thus, Appellant argues, “an owner entity or testing service which lacks knowledge of the identities of software components used by network accessible servers of interest or access to program code of the software components as required by prior solutions can still assess vulnerability of the network accessible servers according to the recited technique.” Reply Br. 8.

We determine claim 1 is analogous to the claims found eligible in SRI Int’l.
Claim 1’s steps of communicating, identifying, and obtaining are directed to gathering information about the network itself to determine an aggregate vulnerability of network components, i.e., network accessible servers. Cf. Appeal Br. 13. Thus, claim 1 improves the technical functioning of the network by reciting a specific technique for identifying server vulnerabilities. See SRI Int’l, 930 F.3d at 1303 (concluding that a claim that recites using a plurality of network monitors to analyze specific network traffic data and integrate generated reports from the monitors to identify hackers and intruders on the network constitutes an improvement in computer network technology); see also BASCOM Glob. Internet Servs., Inc. v. AT&T Mobility LLC, 827 F.3d 1341, 1350 (Fed. Cir. 2016) (holding that even though the claim at issue recites the abstract idea of filtering, the claimed invention improves technology when the filtering limitations are considered in combination with the remaining limitations).

Because claim 1 as a whole integrates the recited abstract idea into a practical application of that idea, it is not “directed to” the recited abstract idea and thus qualifies as eligible subject matter under § 101. The Examiner thus errs in rejecting independent claim 1. Because the Examiner rejects claims 2-7, 10-16, 19, and 21-25 (Ans. 8-9) for the same reasons as claim 1, we do not sustain the rejection of claims 1-7, 10-16, 19, and 21-25 under § 101.

CONCLUSION

We reverse the Examiner’s rejection of claims 1-7, 10-16, 19, and 21-25 under 35 U.S.C. § 101 as being patent ineligible.

DECISION SUMMARY

In summary:

Claims Rejected: 1-7, 10-16, 19, 21-25
35 U.S.C. §: 101
Reference(s)/Basis: Eligibility
Affirmed:
Reversed: 1-7, 10-16, 19, 21-25

REVERSED