Microsoft Technology Licensing, LLC
Patent Trials and Appeals Board, May 14, 2020
14261908 - (D) (P.T.A.B. May. 14, 2020)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 14/261,908
FILING DATE: 04/25/2014
FIRST NAMED INVENTOR: John J. Lambert
ATTORNEY DOCKET NO.: 323114-US-CNT (M15.067C)
CONFIRMATION NO.: 4516

148708 7590 05/14/2020
Buckley, Maschoff & Talwalkar LLC
50 Locust Avenue
New Canaan, CT 06840

EXAMINER: GOODCHILD, WILLIAM J
ART UNIT: 2433
NOTIFICATION DATE: 05/14/2020
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
microsoft@bmtpatent.com
usdocket@microsoft.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte JOHN J. LAMBERT, MATTHEW W. THOMLINSON, ALEXANDER R. G. LUCAS, JAMES P. KELLY, DAVID S. CARTER, MATTHEW I. DIVER, and EMMA L. CROWE

Appeal 2018-008147
Application 14/261,908
Technology Center 2400

Before JEAN R. HOMERE, CAROLYN D. THOMAS, and PHILLIP A. BENNETT, Administrative Patent Judges.

HOMERE, Administrative Patent Judge.

DECISION ON APPEAL

I. STATEMENT OF THE CASE¹

Pursuant to 35 U.S.C. § 134(a), Appellant appeals from the Examiner’s decision to reject claims 1–18, 21, and 22, which constitute all of the claims pending in this appeal.² Appeal Br. 5. Claims 19 and 20 have been canceled. Appeal Br. 36 (Claims App). We have jurisdiction under 35 U.S.C. § 6(b).

We affirm.

¹ We refer to the Specification filed Apr. 25, 2014 (“Spec.”); the Final Office Action, mailed June 15, 2017 (“Final Act.”); the Supplemental Appeal Brief, filed Feb. 26, 2018 (“Appeal Br.”); the Examiner’s Answer, mailed June 08, 2018 (“Ans.”), and the Reply Brief, filed Aug. 08, 2018 (“Reply”).

² We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42(a). Appellant identifies Microsoft, Inc. as the real party-in-interest. Appeal Br. 3.

II. CLAIMED SUBJECT MATTER

According to Appellant, the claimed subject matter is directed to a method and system for identifying an attempt to circumvent a security mechanism protecting the integrity of an application. Spec. ¶¶ 4–6. Figure 1, discussed and reproduced below, is useful for understanding the claimed invention:

Figure 1 illustrates computer systems (12, 14, 16) including analyzers (32, 34, 36) connected via network (24) and connections (18, 20, 22) to system monitor (26) including statistics module (28) and error report analyzer (28). Id. ¶ 14, 15.

Claims 1, 9, and 21 are independent. Claim 1, reproduced below with disputed limitations emphasized in italics, is illustrative of the claimed subject matter:

1. A method of identifying an attempt to exploit an application, the method involving a device having a processor and comprising:
executing, on the processor, instructions that cause the device to:
obtain a crash report generated by a computing system in response to a crash of the application during execution within the computing system, wherein the crash report includes error data related to one or more errors arising during the crash of the application;
analyze the crash report to identify, from the contents of the crash report, a memory access pattern indicating an attempted exploit of a security mechanism that protects the integrity of the application during execution;
analyze the crash report for information contained in the contents of the crash report that indicates a point of attack within the application of the attempted exploit by subverting the security mechanism; and
store information describing the attempted exploit, including the point of attack of the attempted exploit within the application.

Appeal Br. 33 (Claims Appendix) (emphasis added).

III. REFERENCES

The Examiner relies upon the following references.³

| Name | Reference | Date |
|---|---|---|
| Rubin | US 2005/0108554 A1 | May 19, 2005 |
| Phillips | US 2005/0182949 A1 | Aug. 18, 2005 |
| Costea | US 2006/0070130 A1 | Mar. 30, 2006 |
| Murotake | US 7,490,350 B1 | Feb. 10, 2009 |

³ All reference citations are to the first named inventor only.

IV. REJECTIONS

The Examiner rejects claims 1–18, 21, and 22 as follows:

1. Claims 1–6, 8–13, 16–18, 21, and 22 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of Costea and Phillips. Final Act. 2–7.
2. Claims 7, 14, and 15 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of Costea, Phillips, and Murotake. Final Act. 7–8.
3. Claims 1–6, 9–13, 16–18, 21, and 22 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of Costea and Rubin. Final Act. 8–12.
4. Claims 7, 14, and 15 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of Costea, Rubin, and Murotake. Final Act. 13–14.
5. Claim 8 stands rejected under 35 U.S.C. § 103(a) as being unpatentable over the combination of Costea, Rubin, and Phillips. Final Act. 14.

V. ANALYSIS

We consider Appellant’s arguments seriatim, as they are presented in the Appeal Brief, pages 17–32 and the Reply Brief, pages 3–17.⁴ We are unpersuaded by Appellant’s contentions. Except as otherwise indicated herein below, we adopt as our own the findings and reasons set forth in the Final Action, and the Examiner’s Answer in response to Appellant’s Appeal Brief. Final Act. 2–14; Ans. 2–9. However, we highlight and address specific arguments and findings for emphasis as follows.

⁴ We have considered in this Decision only those arguments Appellant actually raised in the Briefs. Any other arguments Appellant could have made but chose not to make in the Briefs are deemed to be waived. See 37 C.F.R. § 41.37(c)(1)(iv) (2014).

1. Costea and Phillips

Appellant argues the Examiner erred in finding that the combination of Costea and Phillips teaches or suggests analyzing a crash report to identify from the contents thereof (1) a memory access pattern indicating an attempted exploit of a security mechanism that protects the integrity of an application during execution, and (2) information indicating a point of attack within the application of the attempted exploit by subverting the security mechanism, as recited in independent claim 1. Appeal Br. 24–29. In particular, Appellant argues Costea discloses storing in a server database incoming crash dumps that are evaluated for detecting “suspicious data characteristic of malware”. Id. at 26 (citing Costea ¶¶ 30, 32). According to Appellant, Costea provides a generic list of exploit types (e.g., computer viruses/worms, Trojan horses, logic bombs), as opposed to specifying the type of analysis applied to the mini dumps. In other words, Appellant contends that Costea’s evaluation of the crash dump to determine the types of malware affecting an application does not teach a memory access pattern indicating an attempted exploit to a security mechanism or a point of attack within the application subverting the security mechanism. Id. Further, Appellant argues that Phillips’ disclosure of applying forms of malware scanning (e.g. computer viruses/worms, denial of service attacks) by interposing security modules at specific points on a network teaches scanning incoming data for identifiable patterns associated with known computer exploits to decode malware according to its identifiable signature, but does not cure the noted deficiencies of Costea. Id. 28, 29 (citing Phillips ¶ 6). Appellant therefore submits that it is unclear how Phillips’s techniques for monitoring network communication for exploits can be combined with Costea’s techniques involving a database of crash dumps generated by a computer. Id.

Appellant’s arguments are not persuasive of reversible Examiner error. As an initial matter, we note that the disputed limitations require analyzing the crash report to identify therein a memory access pattern and a point of attack indicating an attempted exploit to circumvent a security mechanism. Costea teaches an antivirus software causing a crash dump transferred from a client computer to server, which stores the contents of the mini-dump in a database to identify the state of different system components at the time of a crash or failure. Costea ¶¶ 18, 20.
In particular, upon detecting a malware on the client system, the database compares the received malware information with previously collected malware attack information in memory to identify the type of malware. Id. ¶¶ 30, 32, 35. Phillips discloses an antivirus software scanning incoming data arriving over a network to identify matching patterns with known exploit signatures. Phillips ¶ 6. We agree with the Examiner that Phillips’ teaching would complement Costea’s scanning the crash dump for retrieving memory patterns with similar known exploits to identify within the received crash dump attempted exploits seeking to circumvent the antivirus software. Ans. 5. Because Costea’s antivirus software teaches the claimed security mechanism, which the attempted exploits taught by Phillips would seek to subvert, we agree with the Examiner that the analysis of the received crash dump data to identify the exploits based on known memory access patterns in the database teaches the particular analysis applied to the mini-dump. Id. at 6–7.

Additionally, we agree with the Examiner that it would have been obvious to one of ordinary skill in the art to combine the cited teachings of Costea and Phillips because the proposed combination would have predictably resulted in a server comparing memory access patterns in a received crash dump with known exploits to identify attempted attacks seeking to circumvent an antivirus software or security mechanism protecting an application. Id. at 5–7. We find the Examiner’s proposed combination of the cited teachings of Costea and Phillips is no more than a simple arrangement of old elements with each performing the same function it had been known to perform, yielding no more than one would expect from such an arrangement. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 416 (2007).
Therefore, the ordinarily skilled artisan, being “a person of ordinary creativity, not an automaton,” would be able to fit the teachings of the cited references together like pieces of a puzzle to predictably result in a server comparing memory access patterns in a received crash dump with known exploits to identify attempted attacks seeking to circumvent an antivirus software or security mechanism protecting an application. Id. at 420–21. Because Appellant has not demonstrated that the Examiner’s proffered combination would have been “uniquely challenging or difficult for one of ordinary skill in the art,” we agree with the Examiner that the proposed modification would have been within the purview of the ordinarily skilled artisan. Leapfrog Enters., Inc. v. Fisher-Price, Inc., 485 F.3d 1157, 1162 (Fed. Cir. 2007) (citing KSR, 550 U.S. at 418). Consequently, we are satisfied that, on the record before us, the Examiner has established by a preponderance of the evidence that the combination of Costea and Phillips renders claim 1 unpatentable. Accordingly, we are not persuaded of error in the Examiner’s obviousness rejection of claim 1.

Regarding the rejections of claims 2–18, 21, and 22, Appellant has not presented separate patentability arguments or reiterated substantially the same arguments as those previously discussed for patentability of claim 1. As such, claims 2–18, 21, and 22 fall therewith. See 37 C.F.R. § 41.37(c)(1)(iv).

2. Costea and Rubin

Appellant argues that the Examiner erred in finding that the combination of Costea and Rubin teaches or suggests analyzing a crash report to identify from the contents thereof (1) a memory access pattern indicating an attempted exploit of a security mechanism that protects the integrity of an application during execution, and (2) information indicating a point of attack within the application of the attempted exploit by subverting the security mechanism, as recited in independent claim 1. Appeal Br. 30–31. In particular, Appellant argues that, like Phillips, Rubin’s reference to generic viruses and malicious contents, as opposed to a specific or distinct technique for detecting such malicious content does not cure the noted deficiencies of Costea. Id.

Appellant’s arguments are not persuasive of reversible Examiner error. Rubin teaches identifying patterns of tokens in an incoming byte stream to identify the presence of potential exploits based on a set of rules for a specific language. Rubin Abstract, ¶ 31. We agree with the Examiner that Rubin’s teaching would complement Costea’s scanning the crash dump for memory patterns that are similar with known exploits to identify within the received crash dump attempted exploits seeking to circumvent the antivirus software. Ans. 9. Because Costea’s antivirus software teaches the claimed security mechanism, which the attempted exploits taught by Rubin would seek to subvert, we agree with the Examiner that the analysis of the received crash dump data to identify the exploits based on known memory access patterns in the database teaches the particular analysis applied to the mini-dump. Id. Accordingly, we are not persuaded of error in the Examiner’s obviousness rejection of claim 1.

Regarding the rejections of claims 2–18, 21, and 22, Appellant has not presented separate patentability arguments or reiterated substantially the same arguments as those previously discussed for patentability of claim 1. As such, claims 2–18, 21, and 22 fall therewith. See 37 C.F.R. § 41.37(c)(1)(iv).

VI. CONCLUSION

We affirm the Examiner’s obviousness rejections of claims 1–18, 21, and 22 under 35 U.S.C. § 103(a).

DECISION SUMMARY

In summary:

| Claims Rejected | 35 U.S.C. § | Reference(s)/Basis | Affirmed | Reversed |
|---|---|---|---|---|
| 1–6, 8–13, 16–18, 21, 22 | 103(a) | Costea, Phillips | 1–6, 8–13, 16–18, 21, 22 | |
| 7, 14, 15 | 103(a) | Costea, Phillips, Murotake | 7, 14, 15 | |
| 1–6, 9–13, 16–18, 21, 22 | 103(a) | Costea, Rubin | 1–6, 9–13, 16–18, 21, 22 | |
| 7, 14, 15 | 103(a) | Costea, Rubin, Murotake | 7, 14, 15 | |
| 8 | 103(a) | Costea, Rubin, Phillips | 8 | |
| Overall Outcome | | | 1–18, 21, 22 | |

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1). See 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED