Ex Parte Tarquini et alDownload PDFBoard of Patent Appeals and InterferencesJul 17, 200710003510 (B.P.A.I. Jul. 17, 2007) Copy Citation The opinion in support of the decision being entered today is not binding precedent of the Board 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 UNITED STATES PATENT AND TRADEMARK OFFICE ____________________ BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES ____________________ Ex parte RICHARD PAUL TARQUINI, RICHARD LOUIS SCHERTZ, and CRAIG ANDERSON ____________________ Appeal 2007-0477 Application 10/003,510 Technology Center 2100 ____________________ Decided: July 17, 2007 ____________________ Before JAMES D. THOMAS, ALLEN R. MACDONALD, and JAY P. LUCAS, Administrative Patent Judges. MACDONALD, Administrative Patent Judge. DECISION ON APPEAL AFFIRMED Appeal 2007-0477 Application 10/003,510 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 STATEMENT OF CASE Appellants appeal under 35 U.S.C. § 134 from a Final Rejection of claims 1 to 16. We have jurisdiction under 35 U.S.C. § 6(b). Appellants invented a method and computer readable medium for integrating a decode engine with an intrusion detection system. (Specification 1). Independent claims 1 and 10 under appeal reads as follows: 1. A method of detecting network-intrusions at a first node of a network, comprising: identifying a frame as an intrusion by an intrusion detection application; archiving event-data associated with the frame; and decoding the event-data by a decode engine, the decode engine integrated within the intrusion detection application. 10. A computer-readable medium having stored thereon a set of instructions to be executed, the set of instructions, when executed by a processor, cause the processor to perform a computer method of: identifying, by an intrusion detection application, a frame of data as intrusion- related; and decoding, by the intrusion detection application, the intrusion- related data. 2 Appeal 2007-0477 Application 10/003,510 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 The prior art relied upon by the Examiner in rejecting the claims on appeal is: Trcka US 6,453,345 B2 Sep. 17, 2002 (filed May 7, 1997) Porras US 6,704,874 B1 Mar. 9, 2004 (filed Jul. 25, 2000) The Examiner rejected claim 10 under 35 U.S.C. § 102(e) as being anticipated by Porras. The Examiner rejected claims 1-9 and 11-16 under 35 U.S.C. § 103(a) as being unpatentable over Porras and Trcka. Appellants contend that the claimed subject matter is not anticipated and would not have been obvious. More specifically, Appellants contend: 1) As to claims 1-9, that the Examiner relies on the monitoring system 22 of Porras as corresponding to the “intrusion detection application,” but the Examiner offers no support or showing that Porras’s translation module 32 (decode engine) is “integrated within” system 22 as required by claim 1. (Br. 6). 2) As to claim 10, that the Examiner again relies on the monitoring system 22 of Porras as corresponding to the “intrusion detection application,” but offers no support or showing that Porras’s system 22 “decod[es] . . . the intrusion-related data” as required by claim 10. Further, module 32 performs this function and module 32 is not part of system 22 of Porras. (Br. 8). 3) As to claims 11-16 which depend from claim 10, Trcka does not remedy the defects of Porras. (Br. 8). 3 Appeal 2007-0477 Application 10/003,510 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 The Examiner contends monitoring system 22 and translation module 32 are integrated in network based alert management system 10 of Porras. (Answer 8:20-9:9). We affirm. ISSUE Have Appellants shown that the Examiner has failed to establish that Porras describes “an intrusion detection application” having both “identifying” and “decoding” as required by claims 1 and 10? FINDINGS OF FACT Appellants invented a method and computer readable medium for integrating a decode engine with an intrusion detection system. (Specification 1, ll. 7-9). Porras describes a network-based alert management system 10 (i.e., an intrusion detection application) meeting all the limitations of claim 10 and all the limitations of claim 1 except “archiving” (col. 3, l. 16 to col. 4, l. 25). Porras describes that system 10 includes fault monitoring systems 22 for identifying intrusions (col. 3, ll. 30-37, and col. 3, l. 54 to col. 4, l. 1). Porras describes that system 10 includes translation module 32 (i.e., decoding engine) (col. 3, ll. 30-37, and col. 3, l. 54 to col. 4, l. 1). Trcka describes using archival data in a network security system (col. 11, ll. 27-48). 4 Appeal 2007-0477 Application 10/003,510 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 PRINCIPLES OF LAW On appeal, Appellants bear the burden of showing that the Examiner has not established a legally sufficient basis for anticipation based on the Porras patent. Appellants may sustain this burden by showing that the prior art reference relied upon by the Examiner fails to disclose an element of the claim. It is axiomatic that anticipation of a claim under § 102 can be found only if the prior art reference discloses every element of the claim. See In re King, 801 F.2d 1324, 1326, 231 USPQ 136, 138 (Fed. Cir. 1986) and Lindemann Maschinenfabrik GMBH v. American Hoist & Derrick Co., 730 F.2d 1452, 1458, 221 USPQ 481, 485 (Fed. Cir. 1984). On appeal, Appellants bear the burden of showing that the Examiner has not established a legally sufficient basis for combining the teachings of Porras with those of Trcka. “Section 103 forbids issuance of a patent when ‘the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.’” KSR Int'l Co. v. Teleflex Inc., 127 S. Ct. 1727, 1734, 82 USPQ2d 1385, 1391 (2007). The question of obviousness is resolved on the basis of underlying factual determinations including (1) the scope and content of the prior art, (2) any differences between the claimed subject matter and the prior art, (3) the level of skill in the art, and (4) where in evidence, so-called secondary considerations. Graham v. John Deere Co., 383 U.S. 1, 17-18, 148 USPQ 459, 467 (1966). See also KSR, 127 S. Ct. at 5 Appeal 2007-0477 Application 10/003,510 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 1734, 82 USPQ2d at 1391 (“While the sequence of these questions might be reordered in any particular case, the [Graham] factors continue to define the inquiry that controls.”) In KSR, the Supreme Court emphasized “the need for caution in granting a patent based on the combination of elements found in the prior art,” id. at 1739, 82 USPQ2d at 1395, and discussed circumstances in which a patent might be determined to be obvious without an explicit application of the teaching, suggestion, motivation test. In particular, the Supreme Court emphasized that “the principles laid down in Graham reaffirmed the ‘functional approach’ of Hotchkiss, 11 How. 248.” KSR at 11 (citing Graham v. John Deere Co., 383 U.S. 1, 12 (1966) (emphasis added)), and reaffirmed principles based on its precedent that “[t]he combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results.” Id. The Court explained: When a work is available in one field of endeavor, design incentives and other market forces can prompt variations of it, either in the same field or a different one. If a person of ordinary skill can implement a predictable variation, §103 likely bars its patentability. For the same reason, if a technique has been used to improve one device, and a person of ordinary skill in the art would recognize that it would improve similar devices in the same way, using the technique is obvious unless its actual application is beyond his or her skill. 6 Appeal 2007-0477 Application 10/003,510 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 Id. at 1740, 82 USPQ2d at 1396. The operative question in this “functional approach” is thus “whether the improvement is more than the predictable use of prior art elements according to their established functions.” Id. Under this framework, once an Examiner demonstrates that the elements are known in the prior art and that one of ordinary skill could combine the elements as claimed by known methods and would recognize that the capabilities or functions of the combination are predictable, then the Examiner has made a prima facie case that the claimed subject matter is likely to be obvious. The burden then shifts to the Appellant to show that the Examiner erred in these findings or to provide other evidence to show that the claimed subject matter would have been nonobvious. ANALYSIS As to claim 10, the Examiner correctly shows where all the claimed features appear in the Porras prior art reference. (See Findings of Fact above.). As to claim 1, the Examiner correctly shows where all the claimed features except “archiving” appear in the Porras prior art reference. As we have already found, Porras explicitly describes that system 10 includes systems 22 and module 32. Thus, contrary to Appellants’ contentions, Porras teaches a decode engine integrated within an intrusion detection application. Appellants have not established that the Examiner erred with respect to this contention. 7 Appeal 2007-0477 Application 10/003,510 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Appellants arguments appear to be based on an erroneous reading of the Examiner’s rejections (e.g., Answer 4:11-20). The Examiner’s rejection of claim 1 reads in part: Regarding Claim 1 Porras teaches a method of detecting network-intrusions [detecting suspicious activities, such as intrusion, and based on that generating digital alerts] (Fig. 1 Item 22, and col. 1 line 26 to line 28) at a first node of a network [Fig. l, item 12], comprising: identifying [sensors 22 monitoring various host/network traffic for suspicious activities] frame [streams] as an intrusion by an intrusion detection application (co1. 3 line 30 to line 37, and co1. 3 line 54 to co1. 4 line 1); archiving event-data [raw, unprocessed alerts] associated with the frame [steams]; and decoding [translation module 32] the event-data by a decode engine [aggregation, that is combining alerts produced by a single monitoring sensor] (col. 6 line 2 to line 5), the decode engine integrated within the intrusion detection application (co1. 4 line 1 to line 25). Appellants interpret the Examiner’s citation at the end of the “identifying” step as referring to only the immediately preceding “intrusion detection application,” rather than the entire preceding “identifying” step. Appellants are in error as is shown by the Examiner’s citation at the end of the “decoding” step above. The Examiner’s discussions of both steps above are similarly structured in that they conclude with a citation preceded by “intrusion detection application.” Appellants’ interpretation of the first citation (identifying step) as referring solely to the “intrusion detection application” fails to acknowledge and give a reasonable meaning to the second citation (decoding step). 8 Appeal 2007-0477 Application 10/003,510 1 2 3 4 5 6 7 8 9 10 11 12 CONCLUSIONS OF LAW (1) Appellants have failed to establish that the Examiner erred in rejecting claim 10 as being unpatentable under 35 U.S.C. § 102(e) over Porras. (2) Appellants have failed to establish that the Examiner erred in rejecting claims 1-9 and 11-16 as being unpatentable under 35 U.S.C. § 103(a) over Porras and Trcka. (3) Claims 1-16 are not patentable. DECISION The Examiner's rejection of claims 1-16 is Affirmed. 13 14 15 16 17 18 19 20 21 22 23 24 25 26 AFFIRMED rwk HEWLETT-PACKARD COMPANY Intellectual Property Administration P.O. Box 272400 Fort Collins CO 80527-2400 9 Copy with citationCopy as parenthetical citation