Ex Parte Nazzal
Patent Trial and Appeal Board
Nov 29, 2018
10880332 (P.T.A.B. Nov. 29, 2018)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 10/880,332
FILING DATE: 06/28/2004
FIRST NAMED INVENTOR: Robert N. Nazzal
ATTORNEY DOCKET NO.: RIV-0600
CONFIRMATION NO.: 6133

87555 7590 12/03/2018
Riverbed Technology Inc. - PVFD
c/o PARK, VAUGHAN, FLEMING & DOWLER LLP
2820 Fifth Street
Davis, CA 95618

EXAMINER: BELANI, KISHIN G
ART UNIT: 2443
NOTIFICATION DATE: 12/03/2018
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
jeannie@parklegal.com
wendy@parklegal.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte ROBERT N. NAZZAL

Appeal 2017-004079
Application 10/880,332 [1]
Technology Center 2443

Before KEVIN F. TURNER, KRISTEN L. DROESCH, and ALEX S. YAP, Administrative Patent Judges.

TURNER, Administrative Patent Judge.

DECISION ON APPEAL

Appellant appeals under 35 U.S.C. § 134(a) from a Final Office action dated March 24, 2016 ("Final Act."), rejecting claims 27-31, 33-37, and 39-43. We have jurisdiction under 35 U.S.C. § 6(b). We REVERSE.

[1] According to Appellant, the real party in interest is Riverbed Technology, Inc., the assignee of this application. (Br. 3).

THE CLAIMED SUBJECT MATTER

The claims are directed to methods, systems, and mechanisms to detect anomalies and process anomalies into events. Spec. 1:21-28, 5:6-7. Claims 27, 33, and 39 are independent.
Claim 27, reproduced below, is illustrative of the claimed subject matter, with emphases added:

27. A method for detecting an intrusion event in a network, the method comprising:
    receiving a threshold value for a monitored network parameter, wherein the threshold value is received from a user via a user interface (UI) associated with a computer, and wherein the threshold value corresponds to an alert severity level;
    receiving a threshold type for the monitored network parameter, wherein the threshold type is received from the user via the UI, and wherein the threshold type specifies either a lower limit or an upper limit for the threshold value;
    receiving a time duration for the monitored network parameter, wherein the time duration is received from the user via the UI;
    constructing, by the computer, a rule for detecting a network intrusion event based on the threshold value, the threshold type, and the time duration;
    compiling the constructed rule for execution; and
    executing the constructed rule, wherein said executing the constructed rule comprises:
        generating an alert when the monitored network parameter remains above the threshold value during the entire time duration when the threshold type is an upper limit;
        generating the alert when the monitored network parameter remains below the threshold value during the entire time duration when the threshold type is a lower limit; and
        wherein the severity level of the alert is set to the alert severity level corresponding to the threshold value.

REJECTIONS

Claims 27, 29, 31, 33, 35, 37, 39, 41, and 43 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Ginter (US 7,779,119 B2, pub. Aug. 17, 2010), Rakoshitz (US 6,578,077 B1, pub. June 10, 2003), [2] and Huima (US 2004/0015905 A1, pub. Jan. 22, 2004);

Claims 28, 31, 34, 37, 40, and 43 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Ginter, Rakoshitz, Huima, and Norton (US 7,305,708 B2, pub. Dec. 4, 2007); and

Claims 30, 36, and 42 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Ginter, Rakoshitz, Huima, and Levillain (US 2003/0107590 A1, pub. June 12, 2003).

[2] A provisional application 60/067,857, ("Rakoshitz provisional"), filed Dec. 5, 1997, is incorporated by reference in Rakoshitz. See Rakoshitz 1:5-8.

ANALYSIS

The § 103(a) rejections

Appellant argues claims 27-31, 33-37, and 39-43 together as a group. We note that all of the rejections rely, at least in part, on the combination of Ginter, Rakoshitz, and Huima, and the Examiner does not find that additional references Norton or Levillain corrects the deficiencies identified below regarding the combination of Ginter, Rakoshitz, and Huima. See Final Act. 24-34; Ans. 16-23; see generally Br. We select claim 27 as representative. Thus, claims 28-31, 33-37, and 39-43 will stand or fall with claim 27. See C.F.R. § 41.37(c)(1)(iv).

The Examiner finds that Ginter and Huima disclose all the elements of claim 27, except for receiving a time duration for the monitored network parameter. Final Act. 3-8. The Examiner also finds that the combination of Ginter and Huima do not disclose the following limitations: (1) wherein the time duration is received from the user via the UI; and (2) generating an alert when the monitored network parameter remains above/below the received threshold value during the entire time duration when the threshold type is an upper/lower limit. Id.

The Examiner argues that Rakoshitz [3] discloses the following three elements that comprise the time duration limitation of claim 27: (1) creating a time duration rule; [4] (2) setting time intervals for applying the rule; [5] and (3) generating the alert when the monitored network parameter remains below the received threshold value during the entire time duration when the threshold type is a lower limit. [6] Final Act. 7; Ans. 24-25.
The Examiner argues that given the teachings of Ginter and Huima in view of Rakoshitz, one of ordinary skill in the art would have found it obvious that the guaranteed minimum bandwidth, falling below a received threshold value, would have been detected, and this would have resulted in the generation of a corresponding alert, and for these reasons, would have met the limitation of claim 27. Final Act. 7-8.

[3] The Examiner relies on Rakoshitz to teach the time duration limitation of claim 27. The disclosure is found in Rakoshitz provisional, which is incorporated by reference in Rakoshitz.
[4] See, e.g., Rakoshitz provisional 59-60 (demonstrating the creating and insertion of a time rule).
[5] See, e.g., Rakoshitz provisional 59-60 (demonstrating the creating and insertion of a time rule on specific days of the month, days of the week or time).
[6] See, e.g., Rakoshitz provisional 59 (disclosing enabling alarms), 84, item 4 (disclosing a lower limit threshold).

Appellant argues that the Examiner's obviousness rejection is improper because the combination of Ginter and Rakoshitz fails to teach or suggest an intrusion detection system, wherein an alert is generated when the monitored network parameter remains above/below the threshold value during the entire time duration when the threshold type is an upper/lower limit. Br. 15-19; Reply 4-8. More specifically, Appellant argues that "time duration" in Rakoshitz has a different meaning than "time duration" in claim 27. Br. 18-19; Reply 6-8; see also Br. 18 ("Although Rakoshitz discloses the term 'time duration,' this term is used in a very different way in Rakoshitz than the way the term is being used in claim 27. Appellant believes that the Examiner has failed to appreciate this difference.").
Further, to illustrate this difference, Appellant explains that Rakoshitz's teachings cannot differentiate between a network parameter that crosses and remains above a threshold value on Monday from 1:00 PM to 1:15 PM, from a network parameter that crosses and remains above a threshold value on Tuesday from 2:00 PM to 3:00 PM, i.e., other than during the entire time duration. Reply 7-8. Appellant argues that the limitation of claim 27 can differentiate between these threshold crossings, if the "time duration" is set to a specific time, i.e., 30 minutes. Id. at 8. As Appellant notes, only Tuesday's threshold crossing would generate an alarm because the network parameter crosses and remains above the threshold for the entire 30 minute time duration. Id. For these reasons, Appellant argues, "time duration" in Rakoshitz has a different meaning from "time duration" in claim 27, and thus, cannot meet the "time duration" limitation of claim 27.

We agree with Appellant. Here, the Examiner's combination of Ginter and Rakoshitz fails to disclose an anomaly detection system that generates an alert when the monitored network parameter crosses and remains above the threshold value for the entire time duration, if the threshold value is set as an upper limit, or remains below the threshold value for the entire time duration, if the threshold value is set as a lower limit. Rather, the combination of Ginter and Rakoshitz teaches an anomaly detection system that generates an alert once the monitored network parameter goes below the threshold value. The Examiner does not offer sufficient evidence to show that Rakoshitz teaches generating an alert when the monitored network parameter remains below the threshold value for the entire time duration. Final Act. 7; Ans. 24-25.
More specifically, there is no disclosure in Rakoshitz that supports the Examiner's assertion that an alert is generated when the monitored network parameter remains below the threshold value during the entire time duration. Compare Rakoshitz provisional 80 ("In the Time Cell, you can define the time interval for which the rule applies. Time slots can be created or an existing time slot can be applied to a rule[]."), and Rakoshitz provisional Figure 29 (the time slot allows the user to select for specific days of the month, days of the week or times that the rule will be applied), with Figure 10 of the instant application (the duration setting (246) controls how long the monitored network parameter must stay above/below the threshold value before an alert is generated). Additionally, the Examiner does not argue that one of ordinary skill in the art would have found it obvious to configure the detection system so that an alert would only be generated when the monitored network parameter fell below the threshold value for the entire time duration, given the teachings of Rakoshitz.

In view of the above, we are persuaded the Examiner erred in rejecting claim 27. For the above reasons, we do not sustain the rejection of claim 27 under 35 U.S.C. § 103(a), as well as the rejections of claims 28-31, 33-37, and 39-43.

DECISION

The Examiner's rejections of claims 27-31, 33-37, and 39-43 are reversed.

REVERSED
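
The distinction the decision turns on, shown as an added example (not code from the application, the cited references, or the Board): a rule built from a threshold value, threshold type, time duration and severity alerts only after the parameter has stayed past the threshold for the whole duration, while a rule that alerts on the crossing itself fires for both excursions in Appellant's Monday/Tuesday illustration. All names, the one-minute sampling, the readings and the data-gap policy are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Rule:
    threshold: float
    kind: str            # threshold type: "upper" or "lower" limit
    duration: timedelta  # how long the breach must persist
    severity: str        # alert severity tied to this threshold

    def breached(self, value):
        return value > self.threshold if self.kind == "upper" else value < self.threshold

def sustained_alerts(rule, samples, max_gap=timedelta(minutes=2)):
    """Alert once per excursion, only after the whole duration is breached.
    A data gap over max_gap (assumed policy) restarts the clock."""
    alerts, start, last, fired = [], None, None, False
    for ts, value in samples:
        gap = last is not None and ts - last > max_gap
        last = ts
        if not rule.breached(value):
            start, fired = None, False
        elif start is None or gap:
            start, fired = ts, False
        if start is not None and not fired and ts - start >= rule.duration:
            alerts.append((ts, rule.severity))
            fired = True
    return alerts

def crossing_alerts(rule, samples):
    """Contrast case: alert as soon as the threshold is crossed."""
    alerts, prev = [], False
    for ts, value in samples:
        now = rule.breached(value)
        if now and not prev:
            alerts.append((ts, rule.severity))
        prev = now
    return alerts

def constructed_samples():
    """Constructed one-minute readings: 90 on Mon 1:00-1:15 PM and Tue 2:00-3:00 PM, else 40."""
    out = []
    for start, high in ((datetime(2018, 11, 26, 13), 15), (datetime(2018, 11, 27, 14), 60)):
        for m in range(-10, high + 10):
            out.append((start + timedelta(minutes=m), 90.0 if 0 <= m < high else 40.0))
    return out

RULE = Rule(threshold=80.0, kind="upper", duration=timedelta(minutes=30), severity="high")
if __name__ == "__main__":
    print(sustained_alerts(RULE, constructed_samples()), crossing_alerts(RULE, constructed_samples()))
```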